Researchers have identified two severe vulnerabilities in mySCADA’s myPRO, a Supervisory Control and Data Acquisition (SCADA) system widely used in operational technology environments. According to Swiss security firm PRODAFT, the flaws pose a critical security threat because they could enable malicious actors to gain unauthorized control over affected systems.

Both vulnerabilities are rated 9.3 on the CVSS v4 scoring scale, and both are operating system command injection flaws. The first, identified as CVE-2025-20014, allows attackers to execute arbitrary commands via specially crafted POST requests that contain a version parameter. The second, CVE-2025-20061, works the same way, permitting command execution through POST requests that include an email parameter.

The exploitation of either of these vulnerabilities could facilitate the injection of system commands and the execution of arbitrary code. In practical terms, this means that unauthorized individuals could manipulate industrial control networks, potentially leading to serious operational disruptions and significant financial losses. The vulnerabilities have since been patched in mySCADA PRO Manager version 1.3 and mySCADA PRO Runtime version 9.2.1.

PRODAFT has indicated that the root cause of these vulnerabilities lies in inadequate user input sanitization, which has rendered the systems susceptible to command injection attacks. This situation underlines the persistent security risks associated with SCADA systems and emphasizes the urgent need for more robust protective measures. The ramifications of such exploitation extend beyond financial impact, including the potential for safety hazards and operational interruptions.

Businesses using mySCADA are advised to apply the latest security patches immediately. It is also crucial to enforce network segmentation that isolates SCADA systems from IT networks, to institute strong authentication measures, and to monitor diligently for any suspicious activity.
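
As an added example (not mySCADA's or PRODAFT's code), the Python below shows the allowlist validation that the root cause described above calls for, applied to the `version` and `email` POST parameters; the same check can flag suspicious requests during monitoring. The form-encoded body, the accepted value formats and the `hypothetical-tool` name are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs

# Allowlists for the two parameters named on this page. The exact formats
# are assumptions; the page does not document myPRO's real ones.
RULES = {
    "version": re.compile(r"[0-9]{1,4}(\.[0-9]{1,4}){1,3}"),
    "email": re.compile(
        r"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}"
        r"@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+"
    ),
}


def check_post_body(body: str) -> list[str]:
    """Return the watched parameters whose value fails its allowlist."""
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    rejected = []
    for name, pattern in RULES.items():
        values = params.get(name, [])
        # fullmatch (not match/search) so trailing newlines or suffixes fail.
        if any(not pattern.fullmatch(v) for v in values):
            rejected.append(name)
    return rejected


def safe_argv(tool: str, name: str, value: str) -> list[str]:
    """Build an argument vector for a validated value, for use without a shell."""
    if not RULES[name].fullmatch(value):
        raise ValueError(f"{name} rejected by allowlist")
    # One list element per argument: subprocess.run(argv) with the default
    # shell=False never hands the value to a command interpreter.
    return [tool, f"--{name}", value]


# Constructed sample requests (form-encoded bodies), not captured traffic.
SAMPLES = [
    "version=9.2.1&email=ops%40example.com",
    "version=9.2.1%3B+id&email=ops%40example.com",
    "version=9.2.1&email=ops%40example.com%7Cid",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", check_post_body(body) or "ok")
    print(safe_argv("hypothetical-tool", "version", "9.2.1"))
```

Rejecting by allowlist rather than stripping "dangerous" characters keeps the check independent of which shell or interpreter sits behind the endpoint.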

Within the context of the MITRE ATT&CK framework, these vulnerabilities highlight tactics such as initial access, privilege escalation, and potential lateral movement, which underscores the importance of cybersecurity vigilance among organizations reliant on such technology. Stakeholders are urged to remain proactive in addressing these threats to safeguard their operational integrity.

In conclusion, the discovery of these vulnerabilities serves as a pertinent reminder of the ongoing security challenges facing SCADA systems. Organizations must not only address existing vulnerabilities but also adopt a forward-looking approach to cybersecurity that anticipates future risks and mitigates them effectively.
