CISA Releases Seven Advisories for Vulnerabilities in Rockwell, Opto 22, and Zenitel Industrial Control Systems
CISA Warns of Critical Flaws in Industrial Control Systems, Including CVSS 10.0 Bug
Related Entities
Organizations
CVE Identifiers
Full Report
Executive Summary
On November 25, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a batch of seven new advisories detailing numerous vulnerabilities in Industrial Control Systems (ICS) and Operational Technology (OT). The flaws impact products from a range of vendors, including Rockwell Automation, Opto 22, and Zenitel, which are widely deployed in the Critical Manufacturing and Communications sectors. The most alarming of these is a critical vulnerability in Zenitel TCIV-3+ communications equipment, CVE-2025-64130, which received the maximum CVSS v4 score of 10.0. This flaw could allow an unauthenticated remote attacker to execute arbitrary code. The other advisories detail various other high-impact vulnerabilities, such as buffer overflows and sensitive information exposure. CISA strongly recommends that asset owners review the advisories and apply the necessary patches or mitigations to prevent potential disruption or compromise of critical industrial processes.
Vulnerability Details
The advisories cover a wide range of products and vulnerability types, highlighting the diverse attack surface of modern ICS environments.
ICSA-25-329-03: Zenitel TCIV-3+
- CVE-2025-64130: An OS command injection vulnerability with a CVSS v4 score of 10.0 (Critical). Successful exploitation could allow a remote attacker to achieve arbitrary code execution.
- Other Flaws: The advisory also details an out-of-bounds write vulnerability that could lead to a denial-of-service condition.
- Affected Products: Zenitel TCIV-3+ versions prior to 9.3.3.0.
- Remediation: Upgrade to version 9.3.3.0 or later.
Other Key Advisories
- ICSA-25-329-01 (Ashlar-Vellum): Details out-of-bounds write and heap-based buffer overflow vulnerabilities in products like Cobalt and Xenon, which could be exploited by opening a malicious file.
- ICSA-25-329-02 (Rockwell Automation): Pertains to vulnerabilities in the widely used Arena Simulation software.
- ICSA-25-329-04 (Opto 22): Highlights a sensitive information exposure vulnerability in the
groovView product, where sensitive data could be exposed through metadata.
Exploitation Status
The advisories do not state that these vulnerabilities are being actively exploited in the wild. However, the public disclosure of these flaws, especially a CVSS 10.0 vulnerability, significantly increases the likelihood that threat actors will develop exploits and begin scanning for vulnerable systems.
Impact Assessment
Exploitation of these vulnerabilities could have severe consequences for industrial operations. A successful remote code execution attack on a Zenitel communications system (CVE-2025-64130) could allow an attacker to disrupt safety and communication processes, manipulate data, or pivot deeper into the OT network. Vulnerabilities in simulation software like Rockwell's Arena could be used to manipulate models, leading to flawed designs or process optimizations. Information exposure flaws like the one in Opto 22's product could leak network configuration details or credentials, providing attackers with the information needed to plan a more comprehensive attack. In aggregate, these vulnerabilities represent a significant risk to the safety, reliability, and availability of critical manufacturing and communication infrastructure.
Cyber Observables for Detection
- Network Scans: Monitor for an increase in scanning activity targeting ports associated with the vulnerable products (e.g., web interfaces, management ports).
- Log Analysis: Review logs from affected devices for anomalous error messages, unexpected reboots, or unauthorized access attempts that could indicate exploitation.
- Network Traffic: Analyze network traffic to and from ICS devices for unusual patterns, protocols, or connections to unknown external IPs.
port80, 443log_sourceDevice System Logs (Syslog)network_traffic_patternDetection Methods
- Vulnerability Scanners: Use vulnerability scanners with updated plugins to actively identify affected systems and versions within the network. Ensure scanners are configured safely for use in OT environments.
- Asset Inventory: Maintain a comprehensive and up-to-date asset inventory of all ICS/OT devices. This is a prerequisite for identifying which systems are affected by these advisories.
- Network Intrusion Detection System (NIDS): Deploy NIDS with signatures for known ICS protocols and exploits. This can help detect attempts to exploit CVE-2025-64130 at the network level (
D3-NTA: Network Traffic Analysis).
Remediation Steps
- Patching: The primary remediation is to apply the vendor-supplied patches and firmware updates as detailed in the CISA advisories. For Zenitel, this means upgrading to version 9.3.3.0 or later (
D3-SU: Software Update). - Network Segmentation: If patching is not immediately possible, isolate the vulnerable devices from the internet and other untrusted networks. Use firewalls to restrict access to these devices to only authorized personnel and systems (
D3-NI: Network Isolation). - Secure Remote Access: Ensure that any remote access to the OT network is done through a secure, audited channel, such as a VPN with multi-factor authentication.
Timeline of Events
MITRE ATT&CK Mitigations
Apply vendor patches to remediate the vulnerabilities. This is the most effective mitigation.
Isolate ICS/OT networks from corporate and internet networks to prevent unauthorized access to vulnerable devices.
Use firewalls to restrict access to vulnerable ICS devices to only authorized systems and personnel.
Regularly scan the OT network to identify vulnerable assets that require patching or mitigation.
D3FEND Defensive Countermeasures
The primary and most effective countermeasure against the vulnerabilities detailed in CISA's ICS advisories, especially the CVSS 10.0 flaw CVE-2025-64130 in Zenitel products, is to apply the vendor-provided software updates. Asset owners in critical manufacturing and communications must have a robust patch management program for their OT environments. This involves maintaining an accurate asset inventory, monitoring for vendor and CISA notifications, testing patches in a non-production environment to ensure operational stability, and then deploying them according to a risk-based schedule. For a critical flaw like CVE-2025-64130, this process must be expedited. Delaying patching leaves critical systems exposed to trivial exploitation that could lead to remote code execution and full system compromise.
As a crucial compensating control, especially when immediate patching is not feasible, vulnerable ICS devices must be isolated from untrusted networks. This follows the Purdue Model for ICS security, where the OT network is strictly segmented from the corporate IT network and, most importantly, the internet. For the vulnerable Zenitel device, this means placing it behind a firewall that denies all inbound traffic by default. Access to its management interface should be restricted to a specific, hardened administrative workstation or jump host within a secure OT management zone. This prevents attackers from directly scanning for and exploiting CVE-2025-64130 from the internet, effectively taking the vulnerability 'offline' from remote adversaries and dramatically reducing the risk.
To detect attempts to exploit these ICS vulnerabilities, organizations should deploy OT-aware Network Traffic Analysis. This involves using a network tap or SPAN port to passively monitor traffic going to and from critical assets like the Zenitel, Rockwell, and Opto 22 products. An OT-specific intrusion detection system (IDS) can then analyze this traffic. It can be configured with signatures to detect known exploit payloads for CVE-2025-64130. More importantly, it can perform anomaly detection by baselining normal communication patterns (e.g., which devices talk to each other, using which protocols) and alerting on any deviation. An unexpected connection attempt to a Zenitel device from an unknown IP, or the use of an unusual function code, would trigger an alert, providing an early warning of a potential attack.
Timeline of Events
CISA publishes seven new advisories for vulnerabilities in Industrial Control Systems.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats
🎯 MITRE ATT&CK Mapped
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
🧠 Enriched & Analyzed
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
🛡️ Actionable Guidance
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
🔗 STIX Visualizer
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
⚡ Sigma Generator
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.