Critical Vulnerability Information

1. Vulnerability Overview

Release Date: May 6, 2025
Alert ID: ICSA-25-126-01
Relevant Topics: Industrial Control System Vulnerabilities, Industrial Control Systems
CVSS v3.1 Base Score: 9.8
Concerns: Remotely Exploitable / Low Attack Complexity
Vendor: Optigo Networks
Product: ONS NC600
Vulnerability Type: Use of Hard-coded Credentials

2. Risk Assessment

Successful exploitation of this vulnerability could allow an attacker to establish authenticated connections using hard-coded credentials and execute OS commands.

3. Technical Details

3.1 Affected Products

ONS NC600: Versions 4.2.1-084 to 4.7.2-330

3.2 Vulnerability Summary

CVE ID: CVE-2025-4041
CVSS v3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

3.3 Background

Critical Infrastructure Sector: Critical Manufacturing
Deployment Countries/Regions: Global
Company Headquarters Location: Canada

3.4 Researcher

Tomer Goldschmidt from Claroty Team82 reported this vulnerability to CISA.

4. Mitigation Measures

- Use a dedicated NIC on the BMS computer and connect only that computer to OneView for managing OT network configurations.
- Configure a router firewall with a device whitelist that allows access to OneView.
- Connect to OneView via a secure VPN.
- Minimize network exposure of all control systems and ensure they are not directly accessible from the internet.
- Place control networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the latest versions.
- Conduct appropriate impact analysis and risk assessment before deploying defensive measures.
- Implement recommended cybersecurity practices to proactively protect ICS assets.

5. Update History

May 6, 2025: Initial Release
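
The affected range in section 3.1 can be checked against an asset inventory. The following is an added example, not part of the advisory or vendor tooling; it assumes firmware versions are recorded as major.minor.patch-build and that the build suffix orders numerically, and the host names and inventory rows are constructed.

```python
import re

# Affected range from section 3.1 of the advisory (inclusive on both ends).
AFFECTED_MIN = "4.2.1-084"
AFFECTED_MAX = "4.7.2-330"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Parse 'major.minor.patch-build' into a tuple of ints (assumed format)."""
    # Assumption: the build suffix orders numerically, so '084' < '330'.
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def in_affected_range(version):
    """True if version lies inside the advisory's inclusive range."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(inventory):
    """Sort (host, version) rows into in_range, outside_range and unknown."""
    result = {"in_range": [], "outside_range": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "in_range" if in_affected_range(version) else "outside_range"
        except ValueError:
            # Unparseable versions need a manual check, not a silent pass.
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory; host names and versions are illustrative.
SAMPLE_INVENTORY = [
    ("nc600-plant-a", "4.2.1-084"),   # lower bound, inclusive
    ("nc600-plant-b", "4.7.2-330"),   # upper bound, inclusive
    ("nc600-plant-c", "4.7.2-331"),   # one build past the range
    ("nc600-plant-d", "4.2.0-999"),   # below the range despite a high build
    ("nc600-plant-e", "4.10.0-001"),  # 4.10 > 4.7 numerically, not as text
    ("nc600-plant-f", "unknown"),     # version not recorded
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Devices in the in_range bucket are the ones to prioritise for the network restrictions in section 4; the unknown bucket should be resolved by reading the version from the device itself.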