[VULNERABILITY ALERT] Major ICS manufacturers such as Siemens, Schneider Electric, and Aveva released multiple security patch announcements for their ICS products in January 2026

• Subject: [VULNERABILITY ALERT] Major ICS manufacturers such as Siemens, Schneider Electric, and Aveva released multiple security patch announcements for their ICS products in January 2026

• Content Description:
  • Forwarded from National Information Sharing and Analysis Center (NISAC) Security Alert NISAC-200-202601-00000294
  • Major ICS manufacturers such as Siemens, Schneider Electric, and Aveva have successively released multiple security patch announcements for their ICS products in January 2026.
• Affected Platforms:
  • #Siemens
  • CVE-2025-40942 Siemens TeleControl Server Basic
  • CISA CVE-2025-40944 Siemens SIMATIC and SIPLUS products
  • CISA CVE-2025-40935 Siemens RUGGEDCOM ROS
  • CISA CVE-2025-40830, CVE-2025-40831 Siemens SINEC Security Monitor
  • CISA CVE-2025-40891, CVE-2025-40892, CVE-2025-40893, CVE-2025-40898 Siemens RUGGEDCOM APE1808 Devices
  • CISA CVE-2025-40805 Siemens Industrial Edge Devices
  • CISA CVE-2025-40805 Siemens Industrial Edge Device Kit
  • #Schneider Electric
  • CVE-2025-13844, CVE-2025-13845 Schneider Electric EcoStruxure Power Build Rapsody
  • CISA CVE-2018-12130 Schneider Electric EcoStruxure Foxboro DCS
  • CISA CVE-2022-4046, CVE-2023-28355, CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-2022-47393, CVE-2022-47391, CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550, CVE-2023-37551, CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, CVE-2023-37556, CVE-2023-37557, CVE-2023-37558, CVE-2023-37559, CVE-2023-3662, CVE-2023-3663, CVE-2023-3669, CVE-2023-3670 Schneider Electric devices using CODESYS Runtime
  • CISA CVE-2025-13905 Schneider Electric EcoStruxure Process Expert
  • #Aveva
  • CVE-2025-61937, CVE-2025-64691, CVE-2025-61943, CVE-2025-65118, CVE-2025-64729, CVE-2025-65117, CVE-2025-64769 AVEVA Process Optimization
• Recommended Actions:
  • If it is confirmed that you own the affected equipment, it is recommended to follow the detailed guidelines in the original manufacturer's announcement to complete the corresponding repairs or protection measures without affecting the operation of the equipment, so as to prevent attackers from using known vulnerabilities to enter the system.
• Reference Material:
  1. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-03
  2. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-04
  3. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-05
  4. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-06
  5. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-07
  6. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-08
  7. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-09
  8. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-10
  9. https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-01
  10. https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-02
  11. https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-01
  12. https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01

Computer and Communication Center
Network Systems Division, Respectfully