Open AI Sam Altman predicts brain implants will lead to humans and tech merging.

The Pebble Time 2 and Pebble 2 Duo already seem like the wearables you want if you can’t stand other smartwatches.

The crypto market is on fire again, but the fuel isn’t coming from social media hype. It’s coming from institutional investors making a massive bet that the Federal Reserve is about to make money cheap again.

Juneau might see its third record-breaking flood in three years.

Mercedes is debuting its next electric van at Monterey Car Week.

CISA, along with the National Security Agency, the Federal Bureau of Investigation, Environmental Protection Agency, and several international partners, released comprehensive guidance to help operational technology (OT) owners and operators across all critical infrastructure sectors create and maintain OT asset inventories and supplemental taxonomies. 

An asset inventory is a regularly updated, structured list of an organization’s systems, hardware, and software. It includes a categorization system—a taxonomy—that classifies assets based on their importance and function. This guidance explains how OT owners and operators can create, maintain, and use asset inventories and taxonomies to identify and safeguard their critical assets. 

Following this guidance, organizations may gain deeper insights into their architecture, optimize their defenses, better assess and reduce cybersecurity risk in their environments, and enhance incident response planning to ensure service continuity.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Santesoft
• Equipment: Sante PACS Server
• Vulnerabilities: Path Traversal, Double Free, Cleartext Transmission of Sensitive Information, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to create arbitrary files, cause a denial-of-service condition, obtain sensitive information, and steal a user’s cookie information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Santesoft products are affected:

• Sante PACS Server: Versions prior to 4.2.3

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Sante PACS Server Web Portal allows remote attackers utilize DCM files to create arbitrary files on affected installations of Sante PACS Server.

CVE-2025-0572 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-0572. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.2 DOUBLE FREE CWE-415

The Sante PACS Server allows a remote attacker to crash the main thread by sending a crafted HL7 message, causing a denial-of-service condition. The application would require a manual restart and no authentication is required.

CVE-2025-53948 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53948. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The Sante PACS Server Web Portal sends credential information without encryption.

CVE-2025-54156 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-54156. A base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Sante PACS Server web portal is vulnerable to stored cross-site scripting. An attacker could inject malicious HTML codes redirecting a user to a malicious webpage and stealing the user’s cookie.

CVE-2025-54862 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-54862. A base score of 4.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).

3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Sante PACS Server is vulnerable to stored cross-site scripting. An attacker could inject malicious HTML codes redirecting a user to a malicious webpage and stealing the user’s cookie.

CVE-2025-54759 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-54759. A base score of 5.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Cyprus

3.4 RESEARCHER

Chizuru Toyama of TXOne Networks reported these vulnerabilities to CISA.

4. MITIGATIONS

Santesoft recommends users update PACS Server to Version 4.2.3 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• August 12, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: Ashlar-Vellum
• Equipment: Cobalt, Xenon, Argon, Lithium, Cobalt Share
• Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Ashlar-Vellum products are affected:

• Cobalt: All versions prior to 12.6.1204.204
• Xenon: All versions prior to 12.6.1204.204
• Argon: All versions prior to 12.6.1204.204
• Lithium: All versions prior to 12.6.1204.204
• Cobalt Share: All versions prior to 12.6.1204.204

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing CO files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-53705 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53705. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing AR files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-41392 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41392. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing XE files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-52584 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-52584. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing VC6 files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-46269 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CCVE-2025-46269. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Ashlar-Vellum recommends users update to Versions 12.6.1204.204 and above of the affected products.

• Ashlar-Vellum strongly recommends that all users update Cobalt, Xenon, Argon, Lithium, and Cobalt Share to the latest supported version by selecting Help > Check Web for Updates from the application’s main menu.
• Users should only open CO/XE/AR/LI files or import supported file formats from trusted sources.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. This these vulnerabilities is are not exploitable remotely.

5. UPDATE HISTORY

• August 12, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: AVEVA
• Equipment: PI Integrator
• Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Insertion of Sensitive Information into Sent Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, or upload and execute files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following AVEVA products are affected:

• PI Integrator for Business Analytics: Versions 2020 R2 SP1 and prior.

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to create or access publication targets of type Text File or HDFS) to upload and persist files that could potentially be executed.

CVE-2025-54460 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-54460. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H).

3.2.2 INSERTION OF SENSITIVE INFORMATION INTO SENT DATA CWE-201

The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to access publication targets) to retrieve sensitive information that could then be used to gain additional access to downstream resources.

CVE-2025-41415 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-41415. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Information Technology, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

Maxime Escourbiac, Michelin CERT, and Adam Bertrand, Abicom for Michelin CERT reported these vulnerabilities to AVEVA.

AVEVA reported these vulnerabilities to CISA.

4. MITIGATIONS

AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected product versions should apply security updates to mitigate the risk of exploit.

• Upgrade to PI Integrator for Business Analytics 2020 R2 SP2 or higher.
• From [OSISoft Customer Portal](PI Integrator for Business Analytics), search for “PI Integrator for Business Analytics” and select version 2020 R2 SP2 or higher.

Additionally, AVEVA recommends the following general defensive measures:

• Audit assigned permissions to ensure that only trusted users are given access rights to publication targets: https://docs.aveva.com/bundle/pi-integrator-for-business-analytics/page/1013185.html
• Ensure publication targets of type Text File or HDFS are configured to limit allowed output file extensions and limit output folders to be logically isolated from critical system components or executable paths:
• https://docs.aveva.com/bundle/pi-integrator-for-business-analytics/page/1023019.html
• https://docs.aveva.com/bundle/pi-integrator-for-business-analytics/page/1023009.html
• Consider applying Windows Defender Application Control (WDAC) to prevent execution of unauthorized executables: https://learn.microsoft.com/en-us/intune/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• August 12, 2025: Initial Republication of AVEVA-2025-004