TRENDING TOPICS JUNE 25, 2025

CISA Issues June 2025 ICS Advisories for Critical Industrial Infrastructure Vulnerabilities 

On June 24, 2025, CISA released eight new Industrial Control Systems (ICS) advisories (ICSA-25-175-01 through ICSA-25-175-07) and an update to a legacy bulletin highlighting serious vulnerabilities in operational technology systems across critical sectors. These advisories cover various vendors and products used in Transportation, Energy, Manufacturing, and Communications. The vulnerabilities range in severity, with several CVSS v4 scores exceeding 9.0, including flaws that allow unauthenticated remote code execution, path traversal, SQL injection, and authentication bypass. Affected systems include the Kaleris Navis N4 Terminal Operating System, Delta Electronics CNCSoft, Schneider Electric’s Modicon controllers, and EVLink WallBox—some of which have already reached end-of-life status. Systems like ControlID iDSecure and MICROSENS NMP Web+ also harbor exploitable flaws, including hardcoded credentials and server-side request forgery. CISA warns that failure to patch or mitigate these issues could lead to significant operational disruptions and security breaches. These threats are particularly urgent for sectors where outdated industrial systems are still widely deployed. The advisories strongly recommend immediate patching wherever updates are available and replacing unsupported products with modern, secure alternatives. In cases where patching is not possible, organizations are urged to implement network segmentation, enforce strict access controls, and deploy intrusion detection systems to monitor for signs of compromise. The range of affected sectors emphasizes how deeply embedded these vulnerable systems are in national infrastructure. Remote code execution vulnerabilities pose a serious risk of sabotage or data exfiltration if exploited. By issuing this coordinated set of alerts, CISA aims to help administrators in critical environments proactively defend their systems. 
As cyber threats increasingly target industrial systems, timely patch management and layered defenses are no longer optional—they are essential for operational resilience.

Memory Safe Languages: Proactive Defense Against Persistent Software Vulnerabilities 

In June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) jointly published a landmark report titled "Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development." The guidance addresses one of the most enduring and impactful classes of software vulnerabilities—those caused by memory safety issues. Historical incidents like Heartbleed and BadAlloc illustrate how memory management flaws have caused widespread security breaches across consumer and critical infrastructure systems. The report highlights that memory safety flaws accounted for up to 75% of CVEs used in real-world exploits, with operating systems like iOS and macOS seeing similar patterns. To mitigate this, the document advocates the widespread adoption of memory-safe languages (MSLs) like Rust, Go, Swift, and Java, which embed safety mechanisms directly into their architecture. These languages inherently prevent common issues like buffer overflows, use-after-free conditions, and data races by design. The goal is to shift security left in the development cycle, moving from reactive vulnerability patching to proactive risk elimination at the language level. Technically, MSLs achieve memory safety through mechanisms like automatic bounds checking, garbage collection, and strict ownership models. Bounds checking prevents buffer overflows by ensuring that programs cannot access memory outside allocated limits. These protections reduce the reliance on manual memory management, which is error-prone and the root cause of many vulnerabilities. MSLs also include concurrency safety measures to prevent race conditions in multi-threaded applications, further improving program stability and resilience. A key case study from Android showed that prioritizing MSLs reduced memory safety vulnerabilities from 76% in 2019 to just 24% by 2024. 
CISA and NSA’s push for secure-by-design principles, backed by these technical benefits, marks a pivotal step toward long-term vulnerability reduction across software ecosystems. 

OneClik APT Campaign Exploits Microsoft ClickOnce and Cloud Infrastructure to Target Energy Sector 

The OneClik malware campaign is a sophisticated, long-running cyber espionage operation uncovered by Trellix in 2025, targeting the Energy, Oil, and Gas sectors, with observed activity dating back to September 2023. The campaign abuses Microsoft’s ClickOnce deployment technology, a [.]NET-based framework typically used for self-updating applications, to execute malware under the guise of trusted system processes. Attackers distribute phishing emails containing links to fake “hardware analysis” websites hosted on Azure Blob Storage. These sites trick users into downloading a [.]application manifest file that initiates a silent installation of OneClikNet, a custom [.]NET loader. This loader hijacks application behavior using AppDomainManager tampering, enabling the execution of a second-stage payload—RunnerBeacon—before any legitimate application code runs. RunnerBeacon is a modular backdoor written in Golang that supports interactive shell commands. Communication is hidden within AWS services, including CloudFront, API Gateway, and Lambda, allowing the malware to evade traditional perimeter defenses. The campaign unfolds in multiple ClickOnce [.]NET versions—v1a, BPI-MDM, and v1d—each incorporating progressively advanced evasion and anti-analysis techniques. While Trellix has not officially attributed the activity, tooling, targeting, and tradecraft overlaps suggest links to Chinese-affiliated threat actors like APT41. The deliberate abuse of legitimate [.]NET features and cloud-native services demonstrates a deep understanding of modern enterprise environments, indicating an advanced persistent threat focused on long-term access and surveillance. Defenders are urged to apply strict controls over ClickOnce usage, enhance cloud traffic inspection, and adopt behavioral analytics to detect these stealthy techniques before they result in data theft or operational disruption. 

Kubernetes Vulnerability Could Let Malicious Nodes Gain Unauthorized Access in Certain Setups 

A newly disclosed vulnerability in Kubernetes (CVE-2025-4563) affects how the system handles resource access in specific configurations. The issue lies within the NodeRestriction admission controller, which is supposed to enforce security rules during pod creation. However, when a Dynamic Resource Allocation feature is turned on, Kubernetes does not properly verify if a node can access the requested resources. This creates a loophole where a compromised node could potentially create special “mirror pods” to access resources it shouldn’t be able to, effectively giving it more control than intended. Fortunately, this vulnerability only impacts clusters using static pods and the Dynamic Resource Allocation feature, which is disabled by default. Versions of the Kubernetes API server affected include 1.32.0 through 1.32.5 and 1.33.0 through 1.33.1. While the issue has been rated low severity (CVSS 2.7), it still poses a security risk in high-trust environments or edge deployments where these configurations are more common. To stay protected, administrators should immediately update Kubernetes to version 1.32.6 or 1.33.2, where the problem has been fixed. If updating isn’t possible right away, it’s strongly recommended to disable the Dynamic Resource Allocation feature manually through the system’s configuration. Admins can also run simple checks using standard Kubernetes tools to see if their clusters use static pods or dynamic resource claims, indicating potential exposure. It's important to note that most cloud-based Kubernetes services—like Azure Kubernetes Service (AKS)—are unaffected since they don’t enable this feature by default. Still, for organizations managing their own Kubernetes infrastructure, especially in hybrid or custom setups, this flaw underscores the importance of regular security reviews and staying current with updates, even when a vulnerability is considered “low” in severity. 
Even minor oversights can become pathways for privilege escalation in the right conditions. 
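The "simple checks" mentioned above, written out as an added Python illustration (this is not code from the digest, from Kubernetes, or from any vendor tooling). It reads the same JSON that `kubectl version -o json` and `kubectl get pods -A -o json` produce, flags the affected release ranges named in the write-up, and lists pods that are static-pod mirrors or that reference Dynamic Resource Allocation claims. The `kubernetes.io/config.mirror` annotation and the `spec.resourceClaims` field are standard Kubernetes API fields; the embedded pod list is a constructed sample so the logic can run offline when `kubectl` is not on the PATH.

```python
"""Exposure check for CVE-2025-4563 (NodeRestriction + Dynamic Resource Allocation).

Added example, not part of the original digest or of any Kubernetes project code.
"""
import json
import shutil
import subprocess

# Affected API server releases as stated in the advisory summary
# (fixed in 1.32.6 and 1.33.2): minor -> (first, last) affected patch level.
AFFECTED_RANGES = {32: (0, 5), 33: (0, 1)}

# kubelet stamps the API-side copy of a static pod with this annotation.
MIRROR_ANNOTATION = "kubernetes.io/config.mirror"


def parse_version(git_version: str) -> tuple[int, int, int]:
    """Turn 'v1.32.3', '1.33.1+k3s1' or 'v1.32.5-eks-abc' into (1, 32, 3)."""
    core = git_version.lstrip("v").split("-")[0].split("+")[0]
    major, minor, patch = (int(p) for p in core.split(".")[:3])
    return major, minor, patch


def is_affected_version(git_version: str) -> bool:
    """True when the server release falls inside one of the affected ranges."""
    major, minor, patch = parse_version(git_version)
    if major != 1 or minor not in AFFECTED_RANGES:
        return False
    lo, hi = AFFECTED_RANGES[minor]
    return lo <= patch <= hi


def mirror_pods(pod_list: dict) -> list[str]:
    """namespace/name of every pod the API server holds as a static-pod mirror."""
    found = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if MIRROR_ANNOTATION in (meta.get("annotations") or {}):
            found.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return found


def dra_pods(pod_list: dict) -> list[str]:
    """namespace/name of every pod whose spec references a DRA ResourceClaim."""
    found = []
    for pod in pod_list.get("items", []):
        if pod.get("spec", {}).get("resourceClaims"):
            meta = pod.get("metadata", {})
            found.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return found


def assess(git_version: str, pod_list: dict) -> dict:
    """Combine the checks into one verdict an administrator can act on."""
    mirrors, dra = mirror_pods(pod_list), dra_pods(pod_list)
    affected = is_affected_version(git_version)
    return {
        "affected_release": affected,
        "mirror_pods": mirrors,
        "dra_pods": dra,
        # Exposure needs all three conditions; pods holding claims prove the DRA
        # feature is on, but an empty list does not prove it is off.
        "likely_exposed": affected and bool(mirrors) and bool(dra),
    }


# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"name": "kube-apiserver-cp1", "namespace": "kube-system",
                      "annotations": {MIRROR_ANNOTATION: "0123abcd",
                                      "kubernetes.io/config.source": "file"}},
         "spec": {"containers": [{"name": "kube-apiserver"}]}},
        {"metadata": {"name": "inference-0", "namespace": "ml"},
         "spec": {"containers": [{"name": "worker",
                                  "resources": {"claims": [{"name": "gpu"}]}}],
                  "resourceClaims": [{"name": "gpu",
                                      "resourceClaimTemplateName": "gpu-template"}]}},
        {"metadata": {"name": "web-7d9f", "namespace": "default"},
         "spec": {"containers": [{"name": "web"}]}},
    ]
}


def main() -> None:
    if shutil.which("kubectl"):  # live cluster: read the real objects
        ver = json.loads(subprocess.check_output(["kubectl", "version", "-o", "json"]))
        git_version = ver["serverVersion"]["gitVersion"]
        pods = json.loads(subprocess.check_output(["kubectl", "get", "pods", "-A", "-o", "json"]))
    else:  # offline: fall back to the constructed sample
        git_version, pods = "v1.32.3", SAMPLE_PODS
    print(json.dumps(assess(git_version, pods), indent=2))


if __name__ == "__main__":
    main()
```

A pod with `spec.resourceClaims` is positive evidence that the feature is enabled, but its absence is not evidence that the feature gate is off; confirm that on the API server and kubelet configuration before treating a cluster on an affected release with static pods as unexposed.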

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.