Sunday, December 7, 2025

Review – Public ICS Disclosures – Week of 11-29-25 – Part 2

For Part 2 we have 19 bulk disclosures from Splunk (10) and WatchGuard (9). We have two additional vendor disclosures from Wireshark. There are four vendor updates from Advantech, Moxa (2), and VMware. There are ten researcher reports on vulnerabilities in a product from Socomec. Finally, we have two exploits for products from Broadcom and PX4.

Bulk Disclosures

Bulk Disclosures – Splunk

SPL commands allowlist controls bypass in Splunk MCP Server app through "run_splunk_query" MCP tool,

Third-Party Package Updates in Splunk Enterprise - December 2025,

Improper Input Validation in "label" column field in Splunk Secure Gateway App,

Blind Server Side Request Forgery (SSRF) through Distributed Search Peers in Splunk Enterprise,

Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade,

Incorrect permission assignment on Splunk Enterprise for Windows during new installation or upgrade,

Stored Cross-Site scripting (XSS) through Anchor Tag "href" in Navigation Bar Collections in Splunk Enterprise,

Unauthenticated Log Injection in Splunk Enterprise,

Improper access control through push notifications for reports and alerts in Splunk Secure Gateway app, and

URL validation bypass through Views Dashboard in Splunk Enterprise

Bulk Disclosures – WatchGuard

WatchGuard Firebox Boot Time System Integrity Check Bypass,

WatchGuard Firebox XPath Injection Vulnerability in Web CGI,

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Gateway Wireless Controller,

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Autotask Technology Integration Configuration,

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in ConnectWise Technology Integration Configuration,

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Tigerpaw Technology Integration Configuration,

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI Ping Command,

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI IPSec Configuration,

WatchGuard Firebox iked Memory Corruption Vulnerability, and

WatchGuard Firebox Authenticated Out of Bounds Write in certd.

Advisories

Wireshark Advisory #1 - Wireshark published an advisory that describes an infinite loop vulnerability (with publicly available exploit) in their MEGACO dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes an improperly controlled sequential memory allocation vulnerability (with publicly available exploit) in their HTTP3 dissector.

Updates

Advantech Update - Advantech published an update for their WISE-DeviceOn advisory that was originally published on November 18th, 2025.

Moxa Update #1 - Moxa published an update for their Secure Routers advisory that was originally published on April 2nd, 2025, and most recently updated on October 27th, 2025.

Moxa Update #2 - Moxa published an update for their Secure Routers advisory that was originally published on April 2nd, 2025, and most recently updated on October 27th, 2025.

VMware Update - Broadcom published an update for their vCenter Server advisory that was originally published on September 21st, 2021, and most recently updated on September 24th, 2021.

Researcher Reports

Socomec Reports - Cisco Talos published ten reports for 14 vulnerabilities in the Socomec DIRIS Digiware M-70.

Exploits

Broadcom Exploit - Laginimaineb published an exploit for an improper restriction of operations within the bounds of a memory buffer in the Broadcom BCM4355C0 Wi-Fi chips.

PX4 Exploit - Indoushka published an exploit for a stack-based buffer overflow vulnerability in the PX4 drone autopilot.


For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-2dc - subscription required.


Saturday, December 6, 2025

Review – CSB Updated the Status of 12 Incident Recommendations – 12-4-25

Yesterday the Chemical Safety Board (CSB) updated their Recent Recommendation Status Updates page, closing four recommendations with acceptable alternative actions. These actions left 119 of 1025 recommendations open. Additionally, the CSB updated the open status of eight recommendations. The CSB took all of these actions on December 4th, 2025. The previous update was published on September 6th, 2025.

The four recently closed recommendations are:

• TS USA Molten Salt Eruption - 2024-01-I-TN-R3 - TS USA,

• LyondellBasell La Porte Fatal Chemical Release - 2021-05-I-TX-R1 – Lyondell Basell Industries,

• LyondellBasell La Porte Fatal Chemical Release - 2021-05-I-TX-R2 – Lyondell Basell Industries, and

• Aghorn Operating Inc. Waterflood Station Hydrogen Sulfide Release - 2020-01-I-TX-R7 - Aghorn Operating Inc.


For more information on the investigation responses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updated-the-status-of-12-incident - subscription required.

Chemical Incident Reporting – Week of 11-29-25

NOTE: See here for series background.

Honea Path, SC – 12-3-25

Local News Report: Here, here, and here.

There was a chlorine leak at a water treatment plant caused by a leaking valve. There are no reports of injuries or damages.

Not CSB reportable.

South Bend, IN – 12-4-25

Local News Report: Here, and here.

There was a small chemical spill in a university lab. Four individuals were evaluated for chemical exposure and released from a local wellness center.

Not CSB reportable.

Cleveland, TN – 12-5-25

Local News Report: Here, here, and here.

There was a chemical leak at a food processing facility. Six people were sent to local hospitals for exposure issues. There is no mention of what chemical is involved.

Possible CSB reportable.

Review – Public ICS Disclosures – Week of 11-29-25 – Part 1

This is a moderately busy disclosure week. We have bulk disclosures from HPE (9). We also have nine additional vendor disclosures from CODESYS (3), Hitachi Energy, HP, Medtronic, Meinberg, and Philips (2).

Bulk Disclosures – HPE

HPESBHF04944 rev.1 - HPE Superdome Flex 280 and Compute Scale-up Server 3200 Platform Servers Using Certain Intel Processors, INTEL-SA-01280, 2025.3 IPU, Intel Chipset Firmware Advisory, Multiple Vulnerabilities,

HPESBNW04974 rev.1 - HPE Unified OSS Console Assurance Monitoring (UOCAM), Multiple Vulnerabilities,

HPESBNW04976 rev.1 - HPE Virtualized Telecommunication Management Information Platform (vTeMIP), Multiple Vulnerabilities,

HPESBNW04972 rev.1 - HPE Telco Network Function Virtual Orchestrator, Multiple Vulnerabilities,

HPESBUX04977 rev.1 - HP-UX Using OpenSSL, Memory Corruption and Remote Code Execution Vulnerabilities,

HPESBCR04979 rev.1 - HPE Cray XD670 Server Using Certain Intel Processors, INTEL-SA-01280, 2025.3 IPU, Intel Chipset Firmware Advisory, Multiple Vulnerabilities,

HPESBCR04980 rev.1 - HPE Cray XD670 Server Using Certain Intel Processors, INTEL-SA-01312, Intel TDX Module Advisory, Multiple Vulnerabilities,

HPESBCR04981 rev.1 - HPE Cray XD670 Server Using Certain Intel Processors, INTEL-SA-01313, 2025.3 IPU, Intel Xeon Processor Firmware Advisory, Multiple Vulnerabilities,

HPESBCR04982 rev.1 - HPE Cray XD670 Server Using UEFI, Multiple Vulnerabilities.

Advisories

CODESYS Advisory #1 - CODESYS published an advisory that describes an out-of-bounds read vulnerability in their Control runtime system.

CODESYS Advisory #2 - CODESYS published an advisory that describes a type confusion vulnerability in their Control runtime system's CmpVisuServer component.

CODESYS Advisory #3 - CODESYS published an advisory that describes a deserialization of untrusted data vulnerability in their Development System.

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability (listed in CISA’s Known Exploited Vulnerabilities catalog) in Meta’s React Server Components.

HP Advisory - HP published an advisory that describes a race condition enabling link following vulnerability in their Image Assistant product.

Medtronic Advisory - Medtronic published an advisory that describes four vulnerabilities in their CareLink Network web application.

Meinberg Advisory - Meinberg published an advisory that discusses three vulnerabilities (one with publicly available exploit) in their LANTIME product.

Philips Advisory #1 - Philips published an advisory that discusses the Meta React Server Components vulnerability that was added to CISA’s KEV catalog.

Philips Advisory #2 - Philips published an advisory that discusses the Vercel Next.js vulnerability that is associated with the Meta React Server Components vulnerability.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-08a - subscription required.

Friday, December 5, 2025

Review - Bills Introduced – 12-4-25

Yesterday, with both the House and Senate in Washington, there were 115 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 6429 To establish in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security a program to promote the cybersecurity field to disadvantaged communities, including older individuals, racial and ethnic minorities, people with disabilities, geographically diverse communities, socioeconomically diverse communities, women, individuals from nontraditional educational paths, individuals who are veterans, and individuals who were formerly incarcerated, and for other purposes. Brown, Shontel M. [Rep.-D-OH-11]

HR 6460 To amend title 49, United States Code, to clarify exceptions for limited recreational operations of unmanned aircraft, and for other purposes. Mann, Tracey [Rep.-R-KS-1]


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a brief look at two anti-scam bills, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-4-25 - subscription required.

Chemical Transportation Incidents – Week of 11-1-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 497 (464 highway, 29 air, 4 rail, 0 water)

• Serious incidents – 6 (1 Bulk release, 1 evacuation, 1 injury, 0 death, 1 major artery closed, 5 fire/explosion, 28 no release)

• Largest container involved – 28,480-gal DOT 117J100W Railcar {Petroleum Crude Oil} Manway bolts not tool tight.

• Largest amount spilled – 225-gal Plastic IBC {Sulfuric Acid With Not More Than 51% Acid} IBC fell.

• Total amount reported spilled in all incidents – 1619.7-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Petroleum Crude Oil: A complex mixture of aliphatic and aromatic hydrocarbons containing low percentages of sulfur and trace amounts of nitrogen and oxygen compounds. A black sticky liquid with a strong hydrocarbon odor. (Source: CameoChemicals.NOAA.gov).



Short Takes – 12-5-25 – Federal Register Edition

Assessment Framework and Organizational Restatement Regarding Preemption for Certain Regulations Issued by the Coast Guard. Federal Register CG NPRM withdrawal. Summary: “The Coast Guard is withdrawing the proposed rule entitled “Assessment Framework and Organizational Restatement Regarding Preemption for Certain Regulations Issued by the Coast Guard,” published [link added] in the Federal Register on December 27, 2013. The Coast Guard is withdrawing the proposed rule because our practice of discussing the preemptive effect of the Coast Guard's legal authorities and regulations in the preamble of our rulemaking documents is sufficient to identify any preemptive effects.”

Request for Information (RFI) on Partnerships for Transformational Artificial Intelligence Models. Federal Register DOE request for information. Summary: “The U.S. Department of Energy (DOE) invites public comment on its Request for Information (RFI) regarding Partnerships for Transformational Artificial Intelligence Models. The purpose of this RFI is to solicit feedback from industry, think tanks, investors, research organizations, and other stakeholders on how DOE should best structure and enable partnerships to curate DOE scientific data across the National Laboratory complex for use in artificial intelligence (AI) models. This RFI also seeks input on using this data to develop self-improving AI models for science and engineering to advance scientific discovery, energy, and national security.” Comments due January 14th, 2026.

Space Modernization for the 21st Century. Federal Register FCC notice of proposed rulemaking. Summary: “In the Notice of Proposed Rulemaking (NPRM), the Federal Communications Commission (Commission or we) proposes to overhaul and modernize the Commission's space and earth station licensing process to help “ensure that new space-based industries, space exploration capabilities, and cutting-edge defense systems are pioneered in America rather than by our adversaries.” In particular, the NPRM proposes to develop a “licensing assembly line” designed so applications can be routed along different paths and segmented for review based on specific aspects of a request. This new process would set the stage for ongoing efficiency gains and would provide greater predictability and flexibility for applicants. In this way, we expect—like actual assembly lines—that the space review processes can be dramatically accelerated while improving the quality of the Commission's space licensing work.” Comments due January 20th, 2026.

Privacy Act of 1974; System of Records. Federal Register NASA notice of a modified system of records. Summary: “In accordance with the requirements of the Privacy Act of 1974, the National Aeronautics and Space Administration is providing public notice of a modification to an existing system of records entitled NASA Core Financial Management Records (CFMR). The notice updates the Routine Use section to include two additional routine uses. The system of records is more fully described in the SUPPLEMENTARY INFORMATION section of this notice.”

Protecting Against National Security Threats to the Communications Supply Chain Through the Equipment Authorization Program. Federal Register FCC notice of proposed rulemaking. Summary: “In this document, the Federal Communications Commission (Commission or FCC) aims to further its actions in strengthening prohibitions on authorization of covered equipment and to clarify the rules and enforcement of such. The Commission seeks additional comment on modular transmitters and component parts in relation to covered equipment. The Commission addresses the partial court remand of the decision in its November 2022 EA Security R&O by proposing a definition of “critical infrastructure” as used on the Covered List and seeking comment on the implementation of that definition. The Commission also seeks comment on whether any modification to an authorized device by an entity identified on the Covered List should require a new application for certification. Finally, the Commission seeks comment on clarifying the scope of activities that constitute marketing of equipment and on measures to strengthen enforcement of marketing prohibitions.” Comments due January 6th, 2026.