
Critical Vulnerabilities in mySCADA myPRO Could Compromise Industrial Control Systems

Cybersecurity researchers have recently disclosed two critical vulnerabilities in mySCADA myPRO, a widely used Supervisory Control and Data Acquisition (SCADA) system in operational technology (OT) environments. These flaws, if exploited, could allow attackers to take control of affected industrial control systems, posing serious risks to operational integrity and security.

According to Swiss cybersecurity firm PRODAFT, the vulnerabilities—both rated 9.3 on the CVSS v4 scoring system—could potentially grant unauthorized access to industrial control networks, leading to operational disruptions, financial losses, and even safety hazards.

Vulnerabilities Identified

The two critical flaws, identified as CVE-2025-20014 and CVE-2025-20061, are both operating system command injection vulnerabilities. They can be triggered through specially crafted POST requests, each targeting different parameters within the system:

  • CVE-2025-20014: Targets the version parameter to execute arbitrary commands on the affected system.
  • CVE-2025-20061: Exploits the email parameter to inject commands into the system.

By exploiting either of these vulnerabilities, attackers can inject malicious commands and execute arbitrary code, potentially compromising the entire system.

Mitigation and Response

PRODAFT points out that both vulnerabilities stem from a failure to sanitize user inputs, which opens the door for command injection attacks. These issues have been addressed in the following updated versions:

  • mySCADA PRO Manager 1.3
  • mySCADA PRO Runtime 9.2.1

To mitigate these risks, organizations are urged to implement the latest patches and follow best practices such as network segmentation. Isolating SCADA systems from IT networks, enforcing strong authentication, and continuously monitoring for suspicious activity are also critical steps in enhancing security.
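The input handling that PRODAFT describes as missing can be sketched as follows. This is an added Python example, not mySCADA's code and not taken from the advisory: the `version` and `email` POST fields are checked against strict allow-lists, and any helper process receives the value as a single argv element with no shell. The accepted formats and the names `validate_fields` and `run_helper` are assumptions for illustration.

```python
import re
import subprocess
import sys

# Allow-list patterns (assumed formats; the page does not specify the real ones).
# [0-9] is used instead of \d so non-ASCII digits are rejected.
VERSION_RE = re.compile(r"[0-9]{1,4}(\.[0-9]{1,4}){0,3}")
# First character must be alphanumeric so a value can never look like a CLI option.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+"
)

def validate_fields(form):
    """Return (clean, errors) for the 'version' and 'email' POST fields."""
    clean, errors = {}, []
    for name, pattern in (("version", VERSION_RE), ("email", EMAIL_RE)):
        value = form.get(name, "")
        # fullmatch() also rejects a trailing newline, which '$' would let through.
        if isinstance(value, str) and pattern.fullmatch(value):
            clean[name] = value
        else:
            errors.append(name)
    return clean, errors

def run_helper(argv_prefix, value):
    """Run a helper with `value` as one argv element; no shell parses it."""
    result = subprocess.run(
        argv_prefix + [value], capture_output=True, text=True, check=True
    )
    return result.stdout

if __name__ == "__main__":
    # Constructed sample inputs, not real traffic.
    good = {"version": "9.2.1", "email": "operator@example.com"}
    bad = {"version": "9.2.1; echo injected", "email": "operator@example.com\n"}
    print(validate_fields(good))  # both fields accepted
    print(validate_fields(bad))   # both fields rejected
    # Even if validation were skipped, argv passing keeps the text as data:
    echo = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
    print(run_helper(echo, bad["version"]))
```

Validation and shell-free invocation are independent layers: the first rejects malformed input at the request boundary, the second ensures that anything reaching a subprocess is never interpreted as a command.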

A Wake-Up Call for SCADA Security

These vulnerabilities underscore the ongoing security challenges in SCADA systems. With industrial environments becoming increasingly digital and interconnected, ensuring robust cybersecurity defenses is more important than ever.

Organizations using mySCADA myPRO are strongly advised to apply the latest updates and review their security protocols to safeguard against potential attacks.
