The National Computer Emergency Response Team (National CERT) has issued an advisory highlighting two critical vulnerabilities in mySCADA myPRO, a widely used Supervisory Control and Data Acquisition (SCADA) system.
The flaws, tracked as CVE-2025-20014 and CVE-2025-20061, allow attackers to execute arbitrary commands remotely, potentially compromising entire industrial control systems. Both vulnerabilities carry a CVSS v4 base score of 9.3, placing them in the critical severity range.
The Danger Involved
The security flaws stem from improper input validation, enabling attackers to inject malicious commands via specially crafted POST requests. If exploited, these vulnerabilities could lead to remote code execution (RCE), unauthorized administrative access, operational disruptions, data breaches, and severe safety hazards. Organizations using mySCADA myPRO have been urged to take immediate security measures to prevent potential exploitation.
The Systems Affected
The vulnerabilities affect mySCADA PRO Manager v1.2 and earlier and mySCADA PRO Runtime v9.2.0 and earlier. Systems running outdated or unpatched versions are particularly vulnerable, especially those directly accessible from IT networks or the public internet. National CERT has emphasized that environments where SCADA systems lack proper network segmentation face a higher risk of cyberattacks.
What to Do
To mitigate the risks, National CERT recommends restricting network exposure by isolating SCADA systems from public networks and implementing strict firewall rules. Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) should be enforced to limit administrative privileges. Security teams are advised to monitor system logs and network traffic for unauthorized access attempts, paying particular attention to suspicious POST requests containing manipulated parameters.
Organizations have been urged to apply security patches immediately, upgrading to mySCADA PRO Manager v1.3 and mySCADA PRO Runtime v9.2.1. Additionally, security configurations should be hardened by disabling unnecessary services, enforcing network segmentation, and implementing application whitelisting to prevent unauthorized software execution. Regular disaster recovery planning and incident response exercises have also been advised to minimize operational disruptions in the event of an attack.
National CERT has stressed that failure to address these vulnerabilities could result in severe industrial disruptions, financial losses, and safety risks. Organizations using mySCADA myPRO have been directed to act immediately to secure their systems and prevent potential cyber threats. Further details and updates on the vulnerabilities can be accessed through official security advisories.
