Critical flaws reported in mySCADA myPRO manager and runtime
Take action: As usual, the obvious mitigation is to isolate your SCADA software from the internet on a separate network. Then review the advisory and plan a prompt patch. These exploits are somewhat more involved to pull off, so this is not panic mode, but don't ignore them.
Learn More
PRODAFT security researchers have identified two critical vulnerabilities in mySCADA myPRO, a widely used SCADA management solution from a vendor headquartered in the Czech Republic.
The identified vulnerabilities exist due to improper input sanitization in the myPRO Manager, allowing attackers to inject system commands and execute arbitrary code by sending specially crafted POST requests to specific ports. If exploited, these vulnerabilities could grant unauthorized access to industrial control networks.
Vulnerability summary
- CVE-2025-20014 (CVSS score 9.3) - OS Command Injection via Version Parameter. Caused by improper neutralization of special elements used in an OS command that enables Remote Command Execution (RCE). Attackers can send a specially crafted POST request with a version parameter.
- CVE-2025-20061 (CVSS score 9.3) - OS Command Injection via Email Parameter. Caused by improper neutralization of special elements used in an OS command that enables Remote Command Execution (RCE). Attackers can send a specially crafted POST request containing email parameters.
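Both CVEs share one root cause: a request parameter (`version`, `email`) reaching an OS command without the shell's special characters being neutralized. The following is an added illustration, not mySCADA's code and not a reproduction of either flaw: a hypothetical `/opt/example/updater` tool path and a handler shape are assumed, and the sample request bodies are constructed. It shows the vulnerable string-building pattern beside the hardened form (allowlist validation, then an argv list with no shell), plus a small scanner a defender can run over web-server logs to flag parameter values carrying shell metacharacters.

```python
import re
from urllib.parse import parse_qs

# Hypothetical tool invoked by the manager; constructed for this example.
UPDATER = "/opt/example/updater"

# Allowlists: only the shape the application actually needs.
VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+){0,3}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Characters a POSIX shell interprets; their presence in a parameter that
# should be a version string or an e-mail address is a strong signal.
SHELL_META = set(";|&$`<>(){}\n\\'\"")


class InvalidParameter(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def vulnerable_command(version: str) -> str:
    """The anti-pattern (CWE-78): request data concatenated into a shell
    command string. Whatever the shell treats specially inside `version`
    becomes part of the command, which is what the advisory describes."""
    return f"{UPDATER} --version {version}"


def validate_version(version: str) -> str:
    if not VERSION_RE.fullmatch(version):
        raise InvalidParameter("version must look like 1.2.3")
    return version


def validate_email(email: str) -> str:
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise InvalidParameter("email contains unexpected characters")
    return email


def hardened_argv(version: str, email: str) -> list:
    """Hardened form: validate against an allowlist, then pass the values as
    separate argv elements. Handed to subprocess.run(argv, shell=False),
    no shell ever parses them, so metacharacters have no meaning."""
    return [UPDATER, "--version", validate_version(version),
            "--notify", validate_email(email)]


def has_shell_metachars(value: str) -> bool:
    return any(ch in SHELL_META for ch in value)


def suspicious_params(body: str) -> dict:
    """Decode a URL-encoded POST body and return parameters whose values
    contain shell metacharacters."""
    params = parse_qs(body, keep_blank_values=True)
    return {k: v for k, vs in params.items() for v in vs if has_shell_metachars(v)}


def scan_log(lines: list) -> list:
    """Each constructed log line is 'METHOD PATH BODY'; returns
    (line_number, path, flagged_params) for POSTs with suspect values."""
    hits = []
    for n, line in enumerate(lines, start=1):
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] != "POST":
            continue
        flagged = suspicious_params(parts[2])
        if flagged:
            hits.append((n, parts[1], flagged))
    return hits


# Constructed sample traffic: one clean update request, one carrying a
# shell separator in the version field.
SAMPLE_LOG = [
    "POST /api/update version=9.2.1&email=ops%40example.com",
    "GET /status",
    "POST /api/update version=9.2%3Becho%20injected&email=ops%40example.com",
]

if __name__ == "__main__":
    print(vulnerable_command("9.2;echo injected"))   # shell string: broken
    print(hardened_argv("9.2.1", "ops@example.com"))  # argv list: safe
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The allowlist is the important half: rejecting anything that is not a dotted version number or a plausible address means the command builder never sees a metacharacter, and the argv form means that even a future slip in the regex cannot hand control to a shell. The log scanner is a cheap retroactive check for the window between exposure and patching.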
The following mySCADA products are impacted:
- myPRO Manager – Versions prior to 1.3
- myPRO Runtime – Versions prior to 9.2.1
Successful exploitation could lead to operational disruptions in critical infrastructure, financial losses, potential safety hazards in industrial environments and compromise of affected systems.
Organizations should update immediately to myPRO Manager 1.3 and myPRO Runtime 9.2.1 or later, and isolate SCADA systems from IT networks to reduce the attack surface.