Güralp Systems, Rockwell Automation and YoSmart: CISA issues multiple ICS advisories, details DoS vulnerability risk in Rockwell devices used in critical manufacturing

CISA Issues ICS Advisories for Rockwell Automation and YoSmart Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released three new advisories and updated an existing one on Tuesday, highlighting vulnerabilities in industrial control system (ICS) and IoT products from Rockwell Automation and YoSmart. The advisories cover products deployed in the critical manufacturing and communications sectors, with potential impacts ranging from denial of service (DoS) to unauthorized database operations and remote control of other users' devices.

Rockwell Automation Vulnerabilities

  1. CVE-2025-9368 (CVSS 7.5)

    • Affects the Rockwell Automation 432ES-IG3 Series A GuardLink EtherNet/IP interface.
    • The flaw is allocation of resources without limits or throttling: an attacker can exhaust the device's resources and cause a DoS condition that persists until the device is manually power-cycled.
    • Mitigation: Upgrade to V2.001.9 or later. Where that is not possible, apply Rockwell's published security best practices (restrict network access to the device and isolate it from untrusted networks).
  2. CVE-2025-12807 (CVSS 8.8)

    • Affects FactoryTalk DataMosaix Private Cloud versions 7.11, 8.00 and 8.01.
    • A SQL injection flaw in exposed API endpoints lets an authenticated, low-privilege user execute database operations they are not authorized for.
    • Mitigation: Update to Version 8.01.02 or later.
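
The advisory describes the DataMosaix flaw only as SQL injection reachable by a low-privilege user through API endpoints. The following is an added example, not code from Rockwell, CISA or the original article, that shows the shape of such a bug and its fix in a self-contained SQLite handler: the `reports` and `users` tables, the `report_id` parameter and the sample rows are constructed for the demo and are not taken from the product.

```python
"""Added example: an API handler that should return only the calling user's
own report, first with string-built SQL (injectable) and then with bound
parameters and input validation. Schema, rows and parameter names are
assumptions made up for this demo, not the real product's."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO reports VALUES (1, 'alice', 'alice private report');
        INSERT INTO reports VALUES (2, 'bob',   'bob private report');
        CREATE TABLE users (name TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'viewer');
        """
    )
    return conn


def get_report_vulnerable(conn: sqlite3.Connection, user: str, report_id) -> list:
    """Vulnerable: the caller-controlled report_id is pasted into the query.
    'user' comes from the session, so it is trusted; report_id is not.
    A low-privilege caller can append 'OR 1=1' to read every owner's rows,
    or 'UNION SELECT ...' to read unrelated tables."""
    sql = f"SELECT body FROM reports WHERE owner = '{user}' AND id = {report_id}"
    return [row[0] for row in conn.execute(sql)]


def get_report_fixed(conn: sqlite3.Connection, user: str, report_id) -> list:
    """Fixed: reject anything that is not an integer before it reaches the
    database, then bind both values as parameters so they can never change
    the statement's structure."""
    try:
        rid = int(report_id)
    except (TypeError, ValueError):
        raise ValueError("report_id must be an integer")
    sql = "SELECT body FROM reports WHERE owner = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (user, rid))]


if __name__ == "__main__":
    db = make_db()
    print(get_report_vulnerable(db, "bob", "2 OR 1=1"))  # leaks alice's row
    print(get_report_fixed(db, "bob", 2))                 # only bob's row
```

The ownership predicate (`owner = ?`) is what makes the injection matter: with string concatenation the attacker rewrites the boolean logic so the ownership check no longer constrains the result, which is exactly the "unauthorized database operations by a low-privilege user" pattern the advisory names. Parameter binding fixes the injection; the integer check is defense in depth and also gives a clean 400-style error instead of a database error.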

YoSmart YoLink Vulnerabilities

Multiple flaws were identified in the YoSmart YoLink ecosystem, affecting the Smart Hub, server, and mobile application (CVE-2025-59448, CVE-2025-59449, CVE-2025-59451, CVE-2025-59452), with a CVSS score of 5.8.

  • Exploitation Risks:

    • Remote control of other users' smart home devices.
    • Session hijacking and interception of sensitive data, because authorization on the broker is weak and device IDs can be predicted rather than having to be stolen.
    • Cleartext MQTT transport, so anyone on the network path can read or tamper with device traffic.
    • Long-lived session tokens in the mobile app, which widen the window in which a stolen token grants access.
  • Technical Details:

    • The YoLink MQTT broker (through 2025-10-02) does not sufficiently verify that a client is authorized for the device topics it publishes to or subscribes to, so a client holding another account's device ID can act on that device (a cross-account attack).
    • Device IDs are predictable, so an attacker does not need to steal an ID to target any YoLink user's devices.
    • API endpoints rely on MD5 hashes of non-secret values (e.g., MAC addresses). Hashing public data adds no secrecy, so such values cannot serve as credentials or as unguessable identifiers.
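
The two broker findings above (missing per-device authorization and predictable IDs) reinforce each other. The following added example, not YoLink's or CISA's code, models them in a few lines: a topic-level ownership check as a broker would apply it, beside the no-check behaviour the advisory describes, and an identifier derived from a non-secret value next to a random one. The `yl/<device_id>/{report,cmd}` topic layout, the device registry and the MAC address are assumptions constructed for the demo, and the MD5-of-MAC derivation is an illustration of "MD5 of non-secret data", not a claim about YoLink's exact scheme.

```python
"""Added example: broker-side authorization for device topics and the
difference between a predictable and a random device ID. Topic layout,
registry and sample MAC are constructed assumptions."""
import hashlib
import secrets

# Constructed registry: device_id -> owning account.
OWNERS: dict = {}


def weak_device_id(mac: str) -> str:
    """ID derived from a non-secret input (MD5 of the MAC). Anyone who
    knows or can enumerate the MAC computes the same ID. (Assumption used
    to illustrate the advisory's 'MD5 of non-secret data' finding.)"""
    return hashlib.md5(mac.lower().encode()).hexdigest()


def strong_device_id() -> str:
    """128-bit random ID: unguessable, but still not a substitute for an
    authorization check on the broker."""
    return secrets.token_hex(16)


def register(device_id: str, owner: str) -> str:
    OWNERS[device_id] = owner
    return device_id


def parse_topic(topic: str):
    """Return the device ID from 'yl/<device_id>/report|cmd', else None."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "yl" or parts[2] not in ("report", "cmd"):
        return None
    return parts[1]


def authorize_broken(account: str, topic: str) -> bool:
    """Models the flawed broker: any authenticated client may use any
    well-formed device topic, regardless of who owns the device."""
    return parse_topic(topic) is not None


def authorize_fixed(account: str, topic: str) -> bool:
    """Ownership check: the device named in the topic must belong to the
    account making the request. Applied to both publish and subscribe."""
    device_id = parse_topic(topic)
    if device_id is None:
        return False
    return OWNERS.get(device_id) == account


def demo() -> dict:
    """Attacker knows only the victim's MAC (e.g. seen on local Wi-Fi)."""
    OWNERS.clear()
    victim_mac = "d8:8c:79:12:34:56"  # constructed
    victim_dev = register(weak_device_id(victim_mac), "victim")
    attacker_dev = register(strong_device_id(), "attacker")
    guessed = weak_device_id(victim_mac)  # no theft needed
    cmd_topic = f"yl/{guessed}/cmd"
    return {
        "guessed_matches": guessed == victim_dev,
        "broken_allows": authorize_broken("attacker", cmd_topic),
        "fixed_denies": not authorize_fixed("attacker", cmd_topic),
        "owner_allowed": authorize_fixed("victim", cmd_topic),
        "attacker_own": authorize_fixed("attacker", f"yl/{attacker_dev}/cmd"),
    }


if __name__ == "__main__":
    print(demo())
```

Two practitioner points follow from the model. First, a random ID only raises the cost of guessing; it does not replace the ownership check, and the check must bind to the authenticated account, not to a value the client supplies. Second, the check is meaningful only over TLS: on the cleartext MQTT transport the advisory also cites, the device IDs and any credentials are readable on the wire, so a passive observer recovers them without guessing anything.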

CISA’s Recommendations

CISA reports no known public exploitation specifically targeting these vulnerabilities. It nonetheless advises organizations to:

  • Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods such as VPNs, keeping them updated and recognizing that a VPN is only as secure as the devices connected to it.
  • Perform proper impact analysis and risk assessment before deploying defensive measures.

The advisories underscore ongoing risks in ICS environments, particularly in critical infrastructure sectors. Organizations are urged to apply patches and follow CISA’s Defense-in-Depth Strategies for proactive cybersecurity.

Source: https://industrialcyber.co/cisa/cisa-issues-multiple-ics-advisories-details-dos-vulnerability-risk-in-rockwell-devices-used-in-critical-manufacturing/

Güralp Systems TPRM report: https://www.rankiteo.com/company/guralp-systems

Rockwell Automation TPRM report: https://www.rankiteo.com/company/rockwell-automation

YoSmart TPRM report: https://www.rankiteo.com/company/yosmart-yolink

"id": "gurrocyos1768400893",
"linkid": "guralp-systems, rockwell-automation, yosmart-yolink",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Industrial Automation',
                        'location': 'Global',
                        'name': 'Rockwell Automation',
                        'type': 'Corporation'},
                       {'industry': 'Smart Home/IoT',
                        'location': 'Global',
                        'name': 'YoSmart',
                        'type': 'Corporation'},
                       {'industry': 'Critical Manufacturing',
                        'location': 'Global',
                        'name': 'Critical Manufacturing Sector',
                        'type': 'Sector'},
                       {'industry': 'Communications',
                        'location': 'Global',
                        'name': 'Global Communications Sector',
                        'type': 'Sector'}],
 'attack_vector': ['Network',
                   'API Exploitation',
                   'Predictable Identifiers',
                   'Cleartext Transmission'],
 'data_breach': {'data_encryption': 'Lacking (cleartext MQTT transmission)',
                 'data_exfiltration': 'Possible (via MQTT traffic '
                                      'interception)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII, device control access)',
                 'type_of_data_compromised': ['Database operations',
                                              'Session tokens',
                                              'Device identifiers']},
 'date_publicly_disclosed': '2025-10-08',
 'description': 'CISA published three ICS advisories and updated an earlier '
                'one, warning about vulnerabilities in Rockwell Automation and '
                'YoSmart equipment. The advisories detail security issues '
                'leading to denial-of-service conditions, unauthorized '
                'database operations, and remote control of smart home '
                'devices.',
 'impact': {'data_compromised': ['Sensitive database operations',
                                 'Personally identifiable information',
                                 'Session tokens'],
            'downtime': 'Manual power cycle required for recovery (Rockwell '
                        'Automation 432ES-IG3 Series A)',
            'identity_theft_risk': 'High (due to PII exposure)',
            'operational_impact': ['Denial-of-service condition',
                                   'Unauthorized control of smart home '
                                   'devices'],
            'systems_affected': ['Rockwell Automation 432ES-IG3 Series A',
                                 'Rockwell Automation FactoryTalk DataMosaix '
                                 'Private Cloud',
                                 'YoSmart YoLink Smart Hub',
                                 'YoLink Mobile Application']},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': ['Patch vulnerable systems',
                                                   'Enforce proper '
                                                   'authorization controls',
                                                   'Encrypt sensitive '
                                                   'communications',
                                                   'Implement network '
                                                   'segmentation',
                                                   'Enhance monitoring'],
                            'root_causes': ['Improper resource allocation '
                                            '(CVE-2025-9368)',
                                            'SQL injection vulnerability '
                                            '(CVE-2025-12807)',
                                            'Incorrect authorization controls '
                                            '(CVE-2025-59449)',
                                            'Predictable device IDs '
                                            '(CVE-2025-59451)',
                                            'Cleartext transmission '
                                            '(CVE-2025-59452)',
                                            'Long-lived session tokens '
                                            '(CVE-2025-59448)']},
 'recommendations': ['Update affected products to patched versions',
                     'Minimize network exposure for control systems',
                     'Isolate control system networks behind firewalls',
                     'Use secure remote access methods (VPNs)',
                     'Implement defense-in-depth strategies',
                     'Perform impact analysis and risk assessment before '
                     'deploying defensive measures'],
 'references': [{'date_accessed': '2025-10-08',
                 'source': 'CISA',
                 'url': 'https://www.cisa.gov/ics'},
                {'source': 'Rockwell Automation',
                 'url': 'https://www.rockwellautomation.com'},
                {'source': 'Bishop Fox'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA advisories '
                                                       'published'},
 'response': {'containment_measures': ['Update to patched versions (Rockwell '
                                       'Automation 432ES-IG3 Series A V2.001.9 '
                                       'or later, FactoryTalk DataMosaix '
                                       'Private Cloud V8.01.02 or later)',
                                       'Follow security best practices '
                                       '(Rockwell Automation)',
                                       'Minimize network exposure for control '
                                       'systems',
                                       'Isolate control system networks behind '
                                       'firewalls',
                                       'Use secure remote access methods '
                                       '(VPNs)'],
              'enhanced_monitoring': 'Recommended',
              'network_segmentation': 'Recommended',
              'remediation_measures': ['Apply vendor-provided patches',
                                       'Enforce proper authorization controls',
                                       'Encrypt sensitive communications']},
 'stakeholder_advisories': 'CISA advisories published for critical '
                           'manufacturing and communications sectors',
 'title': 'CISA Publishes Advisories on Vulnerabilities in Rockwell Automation '
          'and YoSmart Products',
 'type': ['Denial-of-Service',
          'SQL Injection',
          'Unauthorized Access',
          'Session Hijacking'],
 'vulnerability_exploited': ['CVE-2025-9368 (Resource Allocation Without '
                             'Limits)',
                             'CVE-2025-12807 (SQL Injection)',
                             'CVE-2025-59449 (Incorrect Authorization)',
                             'CVE-2025-59451 (Predictable Identifiers)',
                             'CVE-2025-59452 (Cleartext Transmission)',
                             'CVE-2025-59448 (Session Token Lifetimes)']}