Advisory

mySCADA reports multiple flaws in myPRO, at least two critical

Take action: As usual, the obvious mitigation comes first: isolate the SCADA software from the internet on a separate network segment. Then review the advisory and plan a prompt patch. One of the flaws carries a perfect CVSS 10.0 score; even with full network isolation, patching that one is the smart move.


Learn More

mySCADA is reporting multiple critical security vulnerabilities affecting their myPRO Manager product, a system widely deployed in critical manufacturing infrastructure worldwide.

The discovered vulnerabilities include:

  • CVE-2025-24865 (CVSS score 10.0) - Missing Authentication vulnerability that allows unauthenticated access to the administrative web interface.
  • CVE-2025-25067 (CVSS score 9.8) - OS Command Injection vulnerability that lets remote attackers execute arbitrary operating system commands without authentication.
  • CVE-2025-22896 (CVSS score 8.6) - Cleartext Storage of Sensitive Information vulnerability that stores credentials in plaintext, potentially allowing attackers to obtain sensitive information.
  • CVE-2025-23411 (CVSS score 6.3) - Cross-Site Request Forgery (CSRF) vulnerability that could allow attackers to obtain sensitive information by tricking users into visiting malicious websites.
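The OS command injection entry is the one most likely to be turned into a remote code execution chain, and the advisory does not publish details of the flaw. The following is an added, illustrative example of the vulnerability class (CWE-78) beside its hardened form; it is not mySCADA's code and says nothing about how the real bug in myPRO Manager works. The "diagnostic" handler, the host parameter and the use of echo as a harmless stand-in for a real command are all assumptions made for the demonstration.

```python
import re
import subprocess

# Illustrative example of the OS command injection class (CWE-78), NOT
# mySCADA's code and not a description of CVE-2025-25067 itself.
# The diagnostic-style handler and its `host` parameter are assumed for
# the demo; `echo` stands in for a real command such as ping so that the
# injected command is harmless when this is run.

# Allow-list for a hostname or IPv4 literal: letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: the untrusted value is spliced into a shell string."""
    return "echo checking " + host


def run_vulnerable(host: str) -> str:
    """shell=True hands the whole string to /bin/sh, so metacharacters in
    `host` (; | $( ) and backticks) are parsed as shell syntax and a second
    command supplied by the caller is executed."""
    result = subprocess.run(build_command_vulnerable(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_hardened(host: str) -> str:
    """Hardened pattern: validate the value against a strict allow-list and
    then pass argv as a list with shell=False, so no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    result = subprocess.run(["echo", "checking", host], shell=False,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed attacker-controlled value: a valid-looking address followed
    # by a second command.
    payload = "10.0.0.5; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload))      # both commands run
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened:", err)                         # input rejected
    print("hardened (clean input):", run_hardened("10.0.0.5"))
```

Two controls are doing the work here and both matter: the argv list removes the shell from the path entirely, and the allow-list rejects anything that is not a plausible host, which also protects against argument injection into whatever program is eventually invoked.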

The vulnerabilities affect versions of myPRO Manager prior to 1.4. mySCADA has addressed them by releasing myPRO Manager version 1.4, and recommends that all users upgrade to this latest version immediately.

As of February 13, 2025, when this advisory was initially published, CISA reports no known public exploitation specifically targeting these vulnerabilities. The vulnerabilities were reported to CISA by security researcher Michael Heinzl.
