POST Request Command Injection in mySCADA myPRO by mySCADA
CVE-2025-20061
9.3 CRITICAL
Summary
mySCADA myPRO fails to properly validate and sanitize POST requests sent to specific ports, particularly requests containing email information. An attacker could send crafted requests that manipulate the system, leading to the execution of arbitrary commands. This vulnerability underscores the importance of implementing robust input validation mechanisms to protect against potential exploitation.
Affected Version(s)
myPRO Manager 0 < 1.3
myPRO Runtime 0 < 9.2.1
CVSS V4
Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Mehmet INCE from PRODAFT.com working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.