CISA Issues 6 New ICS Advisories for Schneider Electric, Shelly, METZ CONNECT

Executive Summary

On November 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a set of six Industrial Control Systems (ICS) advisories, flagging security vulnerabilities in products from three different vendors: Schneider Electric, Shelly, and METZ CONNECT. These advisories are crucial for organizations in critical infrastructure sectors that rely on these systems for process automation and control. The alerts cover products such as SCADA software and smart power management devices. While specific CVE details were not enumerated in the summary reports, CISA strongly advises asset owners to review the detailed advisories on their website and implement the provided mitigation guidance to secure their operational technology (OT) environments against potential cyber threats.

Vulnerability Details

The release consists of six separate advisories. While the source material does not provide specific CVE numbers or technical descriptions, the advisories cover a range of potential security issues common in ICS environments, such as unauthenticated access, command injection, or buffer overflows.

Affected Systems

The vulnerabilities impact products from the following vendors:

Schneider Electric (4 advisories):
- EcoStruxure Machine SCADA Expert
- Pro-face BLUE Open Studio
- PowerChute Serial Shutdown
- An update to a previous EcoStruxure advisory
Shelly (1 advisory):
- Shelly Pro 4PM
- Shelly Pro 3EM
METZ CONNECT (1 advisory):
- METZ CONNECT EWIO2

These products are used globally in various critical infrastructure and manufacturing settings for monitoring and controlling industrial processes.

Exploitation Status

The source articles do not mention whether these vulnerabilities are being actively exploited in the wild. However, vulnerabilities in ICS/OT systems are high-value targets for nation-state actors and sophisticated cybercriminals seeking to disrupt critical infrastructure.

Impact Assessment

Exploitation of vulnerabilities in ICS environments can have severe real-world consequences, including:

Disruption of Critical Services: An attack could shut down power grids, water treatment facilities, or manufacturing plants.
Physical Damage: Manipulation of industrial processes can lead to equipment damage, environmental incidents, or even loss of life.
Loss of Control: Attackers could gain control of operational processes, leading to unpredictable and dangerous system behavior.
Intellectual Property Theft: Attackers could steal sensitive process information or proprietary formulas.

Cyber Observables for Detection

Since specific vulnerabilities are not detailed, detection should focus on general anomalous behavior in OT networks.

Type

network_traffic_pattern

Value

Anomalous OT protocol commands

Description

Monitor for unusual or malformed commands within protocols like Modbus, DNP3, or S7comm, which could indicate an attempt to exploit a flaw.

Type

log_source

Value

HMI/SCADA Application Logs

Description

Look for unexpected user logins, configuration changes, or alarms being disabled on Human-Machine Interfaces (HMIs) or SCADA systems.

Type

process_name

Value

Anomalous process on engineering workstation

Description

Monitor for suspicious processes or scripts running on engineering workstations, as these are often used as pivot points into the OT network.

Type

network_traffic_pattern

Value

IT-to-OT network traffic

Description

Scrutinize all traffic crossing the IT/OT boundary. Any unauthorized protocols or connections are a major red flag.

Detection & Response

OT Network Monitoring: Deploy specialized OT security monitoring solutions that can passively analyze industrial protocols and detect anomalies. This is a form of Network Traffic Analysis (D3-NTA) tailored for ICS.
Asset Inventory: Maintain a detailed and up-to-date inventory of all OT assets, including firmware versions, to quickly identify affected systems when advisories are released.
Log Analysis: Collect and analyze logs from ICS devices, historians, and HMIs. Correlate this with network data to spot suspicious activity.

Remediation Steps

CISA urges all affected organizations to visit the official ICS advisories page for detailed mitigation steps. General best practices for ICS security include:

Patching: Apply vendor patches as soon as they are tested and approved for the OT environment (M1051 - Update Software).
Network Segmentation: Isolate ICS networks from corporate (IT) networks using firewalls and demilitarized zones (DMZs) to prevent lateral movement (M1030 - Network Segmentation).
Access Control: Implement strict access control measures, ensuring that only authorized personnel can access critical OT systems, and use separate credentials for IT and OT environments (M1026 - Privileged Account Management).
Backup: Maintain and test backups of device configurations, logic, and HMI assets to ensure recoverability.

CISA Publishes Six New Advisories for Vulnerabilities in Schneider Electric, Shelly, and METZ CONNECT Industrial Control Systems