CISA reports flaws in mySCADA myPRO Manager and Runtime
Take action: First, the obvious mitigation - isolate your SCADA software from the internet on a separate network. Then review the advisory: any attacker who gains access to the SCADA network (through user compromise or physical access) will have an immediate and very easy opportunity to exploit these flaws. So notify your management and plan to patch.
Learn More
The Cybersecurity and Infrastructure Security Agency (CISA) is reporting multiple critical vulnerabilities in mySCADA's myPRO Manager and Runtime products.
Two critical vulnerabilities have been identified:
- CVE-2025-20061 (CVSS score: 9.3) - Affects email information handling in POST requests and allows remote code execution without authentication
- CVE-2025-20014 (CVSS score: 9.3) - Affects version information handling in POST requests and allows remote code execution without authentication
Affected Products:
- myPRO Manager: All versions prior to 1.3
- myPRO Runtime: All versions prior to 9.2.1
mySCADA has released patches to address these vulnerabilities, available for download on their website. As mitigation, CISA recommends that users minimize network exposure for control system devices and systems, ensure those systems are not directly accessible from the internet, isolate control system networks from business networks, and use secure methods such as VPNs for remote access, keeping the VPNs updated.
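A defender-side triage script, added here as an example and not part of the advisory or mySCADA's software: it checks an inventory of installed myPRO versions against the fixed releases the advisory names (Manager 1.3, Runtime 9.2.1) and lists the hosts that still need the patch. The inventory format and the hostnames are assumptions.

```python
import re

# Added example: first fixed release per product, taken from the advisory text;
# "all versions prior to" these are affected.
FIXED_VERSIONS = {
    "myPRO Manager": (1, 3),
    "myPRO Runtime": (9, 2, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '9.2.1' or 'v9.2' into a tuple of ints so 9.10 sorts above 9.2."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when the installed build is strictly below the first fixed release."""
    fixed = FIXED_VERSIONS[product]
    installed = parse_version(version)
    # Pad with zeros so (9, 2) compares as 9.2.0 against 9.2.1.
    width = max(len(fixed), len(installed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)


def triage(inventory_csv: str) -> list:
    """Return (host, product, version) for hosts still on a vulnerable build.
    Rows are 'host,product,version'; unknown products are skipped."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        if product in FIXED_VERSIONS and is_affected(product, version):
            findings.append((host, product, version))
    return findings


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """hmi-01,myPRO Runtime,9.1.4
hmi-02,myPRO Runtime,9.2.1
eng-ws-01,myPRO Manager,1.2
eng-ws-02,myPRO Manager,1.3
hmi-03,myPRO Runtime,9.10"""

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release, schedule the patch")
```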
As of January 23, 2025, CISA reports no known public exploitation targeting these vulnerabilities.