Late last week, Microsoft's IoT security research group put industrial network operators on notice about 25 vulnerabilities in widely used software development kits and C-standard libraries found in embedded devices, industrial control systems, and operational technology networks.
Microsoft nicknames this class of memory allocation vulnerabilities affecting these so-called real-time operating systems, BadAlloc. The reference is to the use of vulnerable memory functions in these embedded systems, including malloc, calloc, realloc, memalign, valloc, pvalloc, and others, Microsoft said.
A threat actor can use these vulnerabilities to bypass existing security controls and run malicious code or crash industrial processes and systems. Microsoft said these memory allocation implementations lack proper input validation, which would hamper an attacker's ability to perform heap overflow attacks and run code of their choice on an industrial IoT device, OT network, or control system.
Microsoft adds that it is not aware of publicly available exploits for these vulnerabilities. ICS-CERT, meanwhile, has published an extensive advisory that includes a list of affected products, versions, and whether updates are available for the respective affected product; many products have been patched, while others are either no longer supported, or updates are forthcoming.
Below is a list of affected products, courtesy of ICS-CERT:
Product | Update |
Amazon FreeRTOS | Update available |
Apache Nuttx OS Version 9.1.0 | Update available |
ARM CMSIS-RTOS2 | Update in progress, expected in June |
ARM Mbed OS | Update available |
ARM mbed-uallaoc | No longer supported, and no fix will be issued. |
Cesanta Software mongooses | Update available |
eCosCentric eCosPro RTOS | Update to Versions 4.5.4 and newer – Update available |
Google Cloud IoT Device SDK | Update available |
Media Tek LinkIt SDK | MediaTek will provide the update to users. No fix for free version, as it is not intended for production use. |
Micrium OS | Update to v5.10.2 or later – Update available |
Micrium uCOS-II/uCOS-III | Update to v1.39.1 – Update not yet released |
NXP MCUXpresso SDK | Update to 2.9.0 or later |
NXP MQX | Update to 5.1 or newer – Update available |
Redhat Newlib | Update available |
RIOT OS | Update available |
Samsung Tizen RT RTOS | Update available |
TencentOS-tiny | Update available |
Texas Instruments CC32XX | Update to v4.40.00.07 |
Texas Instruments SimpleLink CC13X0 | Update to v4.10.03; Update not yet released |
Texas Instruments SimpleLink CC13X2-CC26X2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink CC2640R2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink MSP432E4 | Confirmed. No update currently planned. |
uClibc-ng | Update available |
WindRiver VxWorks | Update in progress |
Real-time operating systems (RTOS) are pervasive, not only inside embedded systems, including industrial IoT devices, but also in critical Purdue Model Level 1 and 2 gear such as programmable logic controllers (PLCs), remote terminal units (RTUs), and human machine interfaces (HMIs).
They are so-called because, unlike more conventional operating systems, the scheduler inside a RTOS is predictable, ensuring capabilities are available within a particular time allocation (usually measured in tenths of a second). Embedded systems—including industrial control systems—have such requirements and must be responsive within a defined deadline, otherwise, for example, production systems may fail because a robot would be late in responding.
Most RTOS within PLCs, for example, interpret the ladder logic that programs the controller. In manufacturing environments, PLCs must operate in as close to real time as possible, and the RTOS ensures that functionality; they provide deterministic responses to external events. On the contrary, Windows and UNIX operating systems stay responsive to user inputs.
RTOS's power is in its scheduler, affording operators the ability to prioritize critical processing. RTOS' also have smaller code bases, and because of the way they run are efficient and easier to maintain. Operators have flexibility in choosing from numerous open source RTOS, and many are safety certified, a key consideration in industrial environments.
All of this compounds the seriousness of last week's announced vulnerabilities. The BadAlloc class of integer overflow vulnerabilities are not complicated, yet are severe (CVSS v3 scores of 9.8) and can be attacked remotely. Their existence amplifies several hallmarks of IoT insecurity, that include a lack of modern safeguards for memory allocation overflows.
In industrial environments with substantial legacy software and equipment, this can introduce additional risk for a number of reasons, including an intolerance for the downtime required to update systems, some devices that cannot be reached, or lack an update mechanism altogether. Some organizations may also lack innate security resources and cybersecurity may be a secondary responsibility for an OT network operator, for example. In that case, there could be a lack of awareness and visibility into vulnerabilities within their environment.
ICS-CERT, meanwhile, has published a number of mitigations:
Users should monitor the ICS-CERT advisory for updates from affected vendors. While many have already provided updates, have updates in progress, or no longer support vulnerable RTOS versions that will not be updated.
ICS-CERT advises segmenting control system networks from business networks, and not connecting them directly to the internet.
Control system networks and remote devices should be located behind firewalls.
ICS-CERT also recommends updated VPNs for remote access.
CWE-284 IMPROPER ACCESS CONTROL
Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of PHP modules.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 7.5
CWE-35 PATH TRAVERSAL:
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in PHP resulting in a remote code execution.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 8.8
CWE-434 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 8.8
CWE-98 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM ('PHP REMOTE FILE INCLUSION')
An unauthenticated remote attacker can execute arbitrary PHP files and gain full access of the affected devices.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 9.8
CWE-305 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 9.8
