Skip to content
Contact us

Critical Vulnerabilities in mySCADA myPRO Pose Significant Risks to Industrial Control Systems

Picture of The 1898 & Co. Team

Recent disclosures have highlighted two critical vulnerabilities in the mySCADA myPRO system, a widely used Supervisory Control and Data Acquisition (SCADA) platform in operational technology environments. These vulnerabilities, identified as CVE-2025-20014 and CVE-2025-20061, both carry a severity rating of 9.3 on the CVSS v4 scale. They involve operating system command injection flaws that could allow attackers to execute arbitrary commands on affected systems. The potential impact includes unauthorized access to industrial control networks, leading to severe operational disruptions and financial losses.

The vulnerabilities arise from insufficient input sanitization, allowing malicious actors to exploit with specially crafted POST requests. Successful exploitation could enable attackers to inject system commands and execute arbitrary code, posing significant risks to the integrity and safety of industrial operations. The issues have been addressed in the latest versions of mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1.

This situation underscores the ongoing security challenges faced by SCADA systems and the critical need for robust defenses. Organizations using mySCADA myPRO are urged to apply the latest patches promptly, implement network segmentation to isolate SCADA systems from IT networks, enforce strong authentication measures, and maintain vigilant monitoring for suspicious activities.

Threats and Vulnerabilities

The two critical vulnerabilities in mySCADA myPRO, CVE-2025-20014 and CVE-2025-20061, represent significant threats to industrial control systems. Both are command injection vulnerabilities that allow attackers to execute arbitrary commands via specially crafted POST requests. The first vulnerability involves a version parameter, while the second involves an email parameter. These flaws could lead to unauthorized access and control over SCADA systems, potentially resulting in operational disruptions and financial losses.

The vulnerabilities are particularly concerning due to their high severity rating of 9.3 on the CVSS v4 scale. Exploitation could lead to severe consequences, including safety hazards and compromised system integrity. The affected systems are primarily those that have not yet applied the latest security patches provided by mySCADA.

Client Impact

Clients utilizing mySCADA myPRO systems are at risk of significant operational disruptions if these vulnerabilities are exploited. Potential impacts include unauthorized access to critical control systems, leading to data breaches, financial losses, and reputational damage. The vulnerabilities could also result in non-compliance with industry regulations, potentially triggering audits or penalties.

For industries reliant on SCADA systems for operational efficiency and safety, such as manufacturing, energy, and utilities, the implications are particularly severe. Ensuring compliance with relevant regulations is crucial, as exploitation of these vulnerabilities could lead to regulatory challenges and increased scrutiny from oversight bodies.

Mitigations

To mitigate the risks associated with these vulnerabilities, clients should take the following actions:

  1. Apply the latest patches for mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1 to address the identified vulnerabilities.
  2. Implement network segmentation to isolate SCADA systems from IT networks, reducing the risk of unauthorized access.
  3. Enforce strong authentication measures to enhance access control and prevent unauthorized entry.
  4. Monitor network traffic for suspicious activity that may indicate attempted exploitation of these vulnerabilities.
  5. Conduct regular security assessments and penetration testing to identify and address potential weaknesses in SCADA systems.

By taking these steps, organizations can significantly reduce their exposure to these vulnerabilities and enhance their overall security posture. It is essential to remain vigilant and proactive in addressing potential threats to maintain operational integrity and compliance with industry standards.

1898 & Co. Response

1898 & Co is actively addressing the current threat landscape by offering specialized services tailored to mitigate risks associated with SCADA system vulnerabilities. Our team provides thorough security assessments and patch management solutions to ensure clients' systems are protected against known threats like those affecting mySCADA myPRO.

We have updated our security protocols to incorporate the latest threat intelligence and best practices for SCADA system protection. Our collaborative efforts with industry allies and government agencies enhance our ability to deliver timely and effective security solutions.

Ongoing research and threat intelligence gathering activities enable us to stay ahead of emerging threats, ensuring our clients receive the most current and relevant security advice. Our case studies demonstrate successful mitigations of similar vulnerabilities, showcasing our expertise in safeguarding critical infrastructure.

Sources

  1. CISA Security Advisory on mySCADA Vulnerabilities
  2. CVE Details for CVE-2025-20014
  3. CVE Details for CVE-2025-20061
  4. Network Segmentation Best Practices