【資安漏洞預警】115年1月份西門子、施耐德電機、Aveva等工控系統大廠,陸續針對旗下ICS產品發布多則安全修補公告
[Security Vulnerability Alert] In January 2016, major industrial control system manufacturers such as Siemens, Schneider Electric, and Aveva successively released multiple security patch announcements for their ICS products.

發布單位:圖資處數位服務組
日期範圍:2026/1/29 ~ 2026/7/29
 
發布單位:圖資處數位服務組
日期範圍:2026/1/29 ~ 2026/7/29
行政 行政公告
全體

轉發 國家資安資訊分享與分析中心 資安訊息警訊 NISAC-200-202601-00000294

[內容說明]
115年1月份西門子、施耐德電機、Aveva等工控系統大廠,陸續針對旗下ICS產品發布多則安全修補公告

[影響平台]
#Siemens
CVE-2025-40942 Siemens TeleControl Server Basic
CISA CVE-2025-40944 Siemens SIMATIC and SIPLUS products
CISA CVE-2025-40935 Siemens RUGGEDCOM ROS
CISA CVE-2025-40830、CVE-2025-40831 Siemens SINEC Security Monitor
CISA CVE-2025-40891、CVE-2025-40892、CVE-2025-40893、CVE-2025-40898 Siemens RUGGEDCOM APE1808 Devices
CISA CVE-2025-40805 Siemens Industrial Edge Devices
CISA CVE-2025-40805 Siemens Industrial Edge Device Kit

#Schneider Electric
CVE-2025-13844、CVE-2025-13845 Schneider Electric EcoStruxure Power Build Rapsody
CISA CVE-2018-12130 Schneider Electric EcoStruxure Foxboro DCS
CISA CVE-2022-4046、 CVE-2023-28355、 CVE-2022-47378、 CVE-2022-47379、 CVE-2022-47380、 CVE-2022-47381、 CVE-2022-47382、 CVE-2022-47383、 CVE-2022-47384、 CVE-2022-47386、 CVE-2022-47387、 CVE-2022-47388、 CVE-2022-47389、CVE-2022-47390、CVE-2022-47385、CVE-2022-47392、CVE-2022-47393、CVE-2022-47391、CVE-2023-37545、CVE-2023-37546、CVE-2023-37547、 CVE-2023-37548、 CVE-2023-37549、 CVE-2023-37550、 CVE-2023-37551、 CVE-2023-37552、 CVE-2023-37553、 CVE-2023-37554、 CVE-2023-37555、 CVE-2023-37556、 CVE-2023-37557、 CVE-2023-37558、 CVE-2023-37559、 CVE-2023-3662、 CVE-2023-3663、 CVE-2023-3669、 CVE-2023-3670 Schneider Electric devices using CODESYS Runtime
CISA CVE-2025-13905 Schneider Electric EcoStruxure Process Expert

#Aveva
CVE-2025-61937、CVE-2025-64691、CVE-2025-61943、CVE-2025-65118、CVE-2025-64729、CVE-2025-65117、CVE-2025-64769 AVEVA Process Optimization

[建議措施]
若確認擁有該受影響設備,建議依原廠公告之詳細指引,於不影響設備運行情況下,完成相應之修補或防護措施,以防止攻擊者利用已知漏洞進入系統。

[參考資料]
1. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-03
2. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-04
3. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-05
4. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-06
5. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-07
6. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-08
7. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-09
8. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-10
9. https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-01
10. https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-02
11. https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-01
12. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01

Forwarded from the National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202601-00000294

[Content Description]
In January 2016, major industrial control system manufacturers such as Siemens, Schneider Electric, and Aveva successively released multiple security patch announcements for their ICS products.

[Affected Platforms]
#Siemens
CVE-2025-40942 Siemens TeleControl Server Basic
CISA CVE-2025-40944 Siemens SIMATIC and SIPLUS products
CISA CVE-2025-40935 Siemens RUGGEDCOM ROS
CISA CVE-2025-40830, CVE-2025-40831 Siemens SINEC Security Monitor
CISA CVE-2025-40891, CVE-2025-40892, CVE-2025-40893, CVE-2025-40898 Siemens RUGGEDCOM APE1808 Devices
CISA CVE-2025-40805 Siemens Industrial Edge Devices
CISA CVE-2025-40805 Siemens Industrial Edge Device Kit

#Schneider Electric
CVE-2025-13844, CVE-2025-13845 Schneider Electric EcoStruxure Power Build Rapsody
CISA CVE-2018-12130 Schneider Electric EcoStruxure Foxboro DCS
CISA CVE-2022-4046, CVE-2023-28355, CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388、 CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-202 2-47393, CVE-2022-47391, CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550, CVE-2023-37551, CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, CVE-2023-37556, CVE-2023-37557, CVE-2023-37558, CVE-2023-37559, CVE-2023-3662, CVE-2023-3663, CVE-2023-3669, CVE-2023-3670 Schneider Electric devices using CODESYS Runtime
CISA CVE-2025-13905 Schneider Electric EcoStruxure Process Expert

#Aveva
CVE-2025-61937, CVE-2025-64691, CVE-2025-61943, CVE-2025-65118, CVE-2025-64729, CVE-2025-65117, CVE-2025-64769 AVEVA Process Optimization

[Recommended Actions]
If you have confirmed ownership of an affected device, it is recommended that you follow the detailed instructions in the manufacturer's announcement to implement appropriate patching or protective measures without affecting the device's operation, in order to prevent attackers from exploiting known vulnerabilities to gain access to the system.

[References]
1. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-03
2. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-04
3. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-05
4. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-06
5. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-07
6. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-08
7. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-09
8. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-10
9. https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-01
10. https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-02
11. https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-01
12. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01


相關附件
【返回上頁】
Top↑