Cybersecurity researchers have disclosed particulars of two critical flaws impacting mySCADA myPRO, a Supervisory Management and Knowledge Acquisition (SCADA) system utilized in operational know-how (OT) environments, that would permit malicious actors to take management of inclined programs.
“These vulnerabilities, if exploited, might grant unauthorized entry to industrial management networks, doubtlessly resulting in extreme operational disruptions and monetary losses,” Swiss safety firm PRODAFT said.
The listing of shortcomings, each rated 9.3 on the CVSS v4 scoring system, are under –
- CVE-2025-20014 – An working system command injection vulnerability that would allow an attacker to execute arbitrary instructions on the affected system through specifically crafted POST requests containing a model parameter
- CVE-2025-20061 – An working system command injection vulnerability that would allow an attacker to execute arbitrary instructions on the affected system through specifically crafted POST requests containing an electronic mail parameter
Profitable exploitation of both of the 2 flaws might allow an attacker to inject system instructions and execute arbitrary code.
In accordance with PRODAFT, each vulnerabilities stem from a failure to sanitize user inputs, thereby opening the door to a command injection.
“These vulnerabilities spotlight the persistent safety dangers in SCADA programs and the necessity for stronger defenses,” the corporate mentioned. “Exploitation might result in operational disruptions, monetary losses, and security hazards.”
Organizations are beneficial to use the newest patches, implement community segmentation by isolating SCADA programs from IT networks, implement robust authentication, and monitor for suspicious exercise.
