Cybersecurity researchers have disclosed particulars of two crucial flaws impacting mySCADA myPRO, a Supervisory Management and Information Acquisition (SCADA) system utilized in operational know-how (OT) environments, that would permit malicious actors to take management of inclined techniques.
“These vulnerabilities, if exploited, may grant unauthorized entry to industrial management networks, doubtlessly resulting in extreme operational disruptions and monetary losses,” Swiss safety firm PRODAFT stated.
The listing of shortcomings, each rated 9.3 on the CVSS v4 scoring system, are under –
- CVE-2025-20014 – An working system command injection vulnerability that would allow an attacker to execute arbitrary instructions on the affected system through specifically crafted POST requests containing a model parameter
- CVE-2025-20061 – An working system command injection vulnerability that would allow an attacker to execute arbitrary instructions on the affected system through specifically crafted POST requests containing an electronic mail parameter
Profitable exploitation of both of the 2 flaws may allow an attacker to inject system instructions and execute arbitrary code. The problems have been addressed within the following variations –
- mySCADA PRO Supervisor 1.3
- mySCADA PRO Runtime 9.2.1
In line with PRODAFT, each vulnerabilities stem from a failure to sanitize person inputs, thereby opening the door to a command injection.
“These vulnerabilities spotlight the persistent safety dangers in SCADA techniques and the necessity for stronger defenses,” the corporate stated. “Exploitation may result in operational disruptions, monetary losses, and security hazards.”
Organizations are really useful to use the most recent patches, implement community segmentation by isolating SCADA techniques from IT networks, implement robust authentication, and monitor for suspicious exercise.