PatchSiren cyber security CVE debrief
CVE-2025-20061 mySCADA CVE debrief
A critical command injection vulnerability in mySCADA myPRO Manager and myPRO Runtime allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The flaw stems from improper neutralization of POST requests containing email information sent to a specific port. With a CVSS 3.1 score of 9.8, this vulnerability presents severe risk to industrial control environments due to its network-exploitable nature, low attack complexity, and no required privileges or user interaction. The affected products are myPRO Manager versions prior to 1.3 and myPRO Runtime versions prior to 9.2.1. CISA published advisory ICSA-25-023-01 on January 23, 2025, coordinating disclosure with the vendor. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Organizations should prioritize patching to myPRO Manager 1.3 or myPRO Runtime 9.2.1 and implement network segmentation to limit exposure of ICS assets.
- Vendor: mySCADA
- Product: myPRO Manager
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-01-23
- Original CVE updated: 2025-01-23
- Advisory published: 2025-01-23
- Advisory updated: 2025-01-23
Who should care
Industrial control system operators, critical infrastructure security teams, SCADA engineers, OT security architects, and organizations using mySCADA myPRO products for process control and monitoring
Technical summary
The vulnerability exists due to improper input validation when processing POST requests containing email information on a specific port. An attacker can craft malicious requests to inject and execute arbitrary operating system commands with the privileges of the myPRO service. The attack requires no authentication and can be executed remotely over the network. Affected versions include myPRO Manager prior to 1.3 and myPRO Runtime prior to 9.2.1. The vendor has released patched versions that properly neutralize malicious input.
Defensive priority
critical
Recommended defensive actions
- Update mySCADA myPRO Manager to version 1.3 or later
- Update mySCADA myPRO Runtime to version 9.2.1 or later
- Restrict network access to myPRO management interfaces to authorized administrative hosts only
- Implement network segmentation to isolate ICS/SCADA systems from untrusted networks
- Monitor for anomalous POST requests to myPRO services containing email-related parameters
- Apply defense-in-depth strategies per CISA ICS recommended practices
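As an added example (not mySCADA's or CISA's code), the following Python implements the monitoring item above: it scans constructed POST request records for email-related parameters whose values carry shell metacharacters or are not well-formed addresses. The parameter names, record layout and source addresses are assumptions; the real service port and field names are not given in the advisory.

```python
import json
import re
# Added example, not mySCADA's or CISA's code: parameter names, record
# layout and addresses below are assumptions constructed for illustration.
EMAIL_PARAM_RE = re.compile(r"(?:^|_)(?:e?mail|smtp|recipient|sender)(?:_|$)", re.I)
STRICT_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SHELL_METACHARS = set(";|&`$<>(){}\n\r\\'\"")

def is_valid_email(value: str) -> bool:
    """Allowlist check a fixed handler would apply before the value is used."""
    return len(value) <= 254 and STRICT_EMAIL_RE.fullmatch(value) is not None

def has_shell_metachars(value: str) -> bool:
    """Characters a shell would interpret; never legitimate in an address."""
    return any(ch in SHELL_METACHARS for ch in value)

def flag_request(record: dict) -> list:
    """Reasons a POST record looks like email-field command injection."""
    reasons = []
    if record.get("method") != "POST":
        return reasons
    for name, value in record.get("params", {}).items():
        if not EMAIL_PARAM_RE.search(name):
            continue
        if has_shell_metachars(value):
            reasons.append(f"{name}: shell metacharacters")
        elif not is_valid_email(value):
            reasons.append(f"{name}: not a well-formed address")
    return reasons

def scan(lines) -> list:
    """Parse one JSON record per line; return (src, reasons) for flagged ones."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        reasons = flag_request(rec)
        if reasons:
            findings.append((rec.get("src"), reasons))
    return findings

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "method": "POST", "params": {"email": "ops@example.com"}}',
    '{"src": "10.0.0.9", "method": "POST", "params": {"email": "ops@example.com; echo x"}}',
    '{"src": "10.0.0.7", "method": "POST", "params": {"user_email": "not-an-address"}}',
    '{"src": "10.0.0.8", "method": "GET", "params": {"email": "x$(y)@example.com"}}',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The strict allowlist check doubles as the application-side neutralization a patched handler would need; the metacharacter check is the cheaper signal for a log pipeline.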
Evidence notes
Vulnerability description and affected product versions derived from CISA CSAF source. CVSS vector confirms network attack vector with no privileges required. Remediation guidance specifies exact patched versions.
Official resources
- CVE-2025-20061 CVE record (CVE.org)
- CVE-2025-20061 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references
Coordinated disclosure via CISA ICS advisory ICSA-25-023-01 published January 23, 2025