April 17, 2025
Cybersecurity firm PRODAFT has identified two critical OS command injection vulnerabilities in mySCADA myPRO Manager, a widely used SCADA management system. These flaws (CVE-2025-20014 and CVE-2025-20061), rated 9.3 on the CVSS v4 scale, allow remote attackers to execute arbitrary OS commands on the host, posing a severe risk to industrial control networks. The vulnerabilities stem from insufficient sanitization of user-supplied parameters that are passed into OS commands, affecting myPRO Manager versions before 1.3 and myPRO Runtime versions before 9.2.1.
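The vulnerability class named above is worth seeing in code. The following is an added, generic illustration of OS command injection and its fix; it is not mySCADA's code, and the `host` parameter, the `echo` stand-in command and the sample inputs are all constructed for the example. The vulnerable handler interpolates a request parameter into a shell command string; the hardened handler validates the value against an allow-list and passes it as a single argv element so no shell ever parses it. A third function shows that the argv form alone already turns the payload into a literal argument.

```python
import re
import subprocess

# Constructed sample inputs: one benign, one carrying a shell metacharacter payload.
BENIGN_HOST = "localhost"
INJECTED_HOST = "localhost; echo INJECTED"

# Allow-list for the hypothetical "host" parameter: hostnames and dotted IPv4 only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_echo(host: str) -> str:
    """Vulnerable pattern: user input is interpolated into a shell command string.

    'echo' stands in for whatever a real management service would run; the
    flaw is shell=True plus string concatenation, not the command itself.
    """
    cmd = f"echo {host}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_echo(host: str) -> str:
    """Hardened pattern: reject anything outside the allow-list, then pass an
    argv list so the value is never parsed by a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    proc = subprocess.run(["echo", host], capture_output=True, text=True)
    return proc.stdout


def argv_only_echo(host: str) -> str:
    """Defence-in-depth check: even with no validation, an argv list makes the
    payload a single literal argument rather than a second command."""
    proc = subprocess.run(["echo", host], capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Run all three variants against the constructed inputs and collect results."""
    results = {
        "vulnerable_benign": vulnerable_echo(BENIGN_HOST),
        "vulnerable_injected": vulnerable_echo(INJECTED_HOST),  # second command runs
        "argv_only_injected": argv_only_echo(INJECTED_HOST),    # payload echoed literally
    }
    try:
        hardened_echo(INJECTED_HOST)
        results["hardened_injected"] = "accepted"
    except ValueError as exc:
        results["hardened_injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

With the injected input, `vulnerable_echo` returns two lines of output because the shell executed the trailing `echo INJECTED` as a separate command; `argv_only_echo` returns the whole payload as one line, and `hardened_echo` refuses it before anything runs. In a real service the validation belongs at the boundary where the parameter enters, and the argv form should be used everywhere a process is spawned, since either control on its own is easy to bypass or forget.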
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously flagged similar vulnerabilities in mySCADA products, warning that exploitation could impact sectors such as energy, transportation, and water systems. Organizations are urged to patch affected systems, segment SCADA networks from corporate and internet-facing networks, enforce strong authentication (including MFA) on management interfaces, and deploy monitoring tools such as IDS and SIEM to detect anomalous commands and connections.
The discovery underscores the persistent security risks in SCADA systems and the need for proactive defense strategies. This comes as Palo Alto Networks recently disclosed multiple SCADA vulnerabilities, further emphasizing the growing cybersecurity threats in industrial control environments.