Critical mySCADA vulnerabilities threaten industrial control systems
Researchers have found two critical flaws in the mySCADA myPRO system, which is used in industrial control environments. The flaws could allow attackers to take control of affected systems remotely and carry a high severity rating of 9.3 on the CVSS scoring system.

The vulnerabilities, tracked as CVE-2025-20014 and CVE-2025-20061, are both command injection flaws: an attacker could execute arbitrary commands on the system by sending specially crafted POST requests, with the commands hidden in the version or email parameters. If exploited, they could lead to significant operational disruption and financial losses for organizations using mySCADA myPRO.

The issues have been fixed in the latest versions, mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1. Researchers from PRODAFT stress the importance of addressing these vulnerabilities and highlight that a lack of proper user input sanitization is what allows this kind of attack. Organizations are advised to apply the patches immediately, isolate SCADA systems from IT networks, enforce strong authentication measures, and monitor for any suspicious activity.
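The root cause named above, a request parameter reaching an OS command without sanitization, is easiest to see side by side with its fix. The following Python is an added example written for this article, not mySCADA's code and not derived from the advisory's technical details: it models a hypothetical POST handler that accepts a version and an email parameter, shows the vulnerable pattern (splicing the value into a shell string) next to the hardened pattern (a strict allowlist plus an argv list passed with shell=False), and returns the decision instead of executing anything so the logic can be checked offline. The tool paths and sample requests are constructed placeholders.

```python
"""
Illustrative command-injection fix for two POST parameters ("version", "email").
Hypothetical handler written for this article; not mySCADA's code.
The helper binaries below are placeholder paths.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Strict allowlists: a version is dotted digits, an email is a conservative form.
VERSION_RE = re.compile(r"^\d{1,4}(\.\d{1,4}){0,3}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,24}$")

# Constructed placeholders for the tools the handler would invoke.
UPDATE_TOOL = "/opt/example/bin/update-check"   # placeholder path
MAIL_TOOL = "/opt/example/bin/notify"           # placeholder path


class InvalidParameter(ValueError):
    """Raised when a request parameter fails the allowlist."""


def build_command_unsafe(param_name: str, value: str) -> str:
    """The vulnerable pattern: the untrusted value is spliced into a shell string.
    Anything the shell treats specially (";", "&&", "|", "$(...)") becomes part of
    the command line if this string is later run with shell=True.
    The string is only returned here, never executed."""
    tool = UPDATE_TOOL if param_name == "version" else MAIL_TOOL
    return f"{tool} --{param_name} {value}"


def validate_version(value: str) -> str:
    """Accept only dotted numeric versions; reject everything else outright."""
    if not VERSION_RE.fullmatch(value):
        raise InvalidParameter(f"version rejected: {value!r}")
    return value


def validate_email(value: str) -> str:
    """Accept only a conservative mailbox@domain form; no shell metacharacters fit."""
    if not EMAIL_RE.fullmatch(value):
        raise InvalidParameter(f"email rejected: {value!r}")
    return value


def build_command_safe(param_name: str, value: str) -> List[str]:
    """Hardened pattern: allowlist the value, then hand it to the OS as a single
    argv element. With no shell involved there is no metacharacter parsing."""
    if param_name == "version":
        return [UPDATE_TOOL, "--version", validate_version(value)]
    if param_name == "email":
        return [MAIL_TOOL, "--email", validate_email(value)]
    raise InvalidParameter(f"unknown parameter {param_name!r}")


def handle_post(form: Dict[str, str]) -> Tuple[int, object]:
    """Simulated POST handler. Returns (http_status, argv_or_error) without
    executing anything, so the decision logic is testable in isolation."""
    for name in ("version", "email"):
        if name in form:
            try:
                return 200, build_command_safe(name, form[name])
            except InvalidParameter as exc:
                return 400, str(exc)
    return 400, "missing parameter"


def execute(argv: List[str]) -> subprocess.CompletedProcess:
    """Run an already-validated argv with shell=False; the list form is never
    re-parsed by a shell, so validation plus this call closes the injection path."""
    return subprocess.run(argv, shell=False, check=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one and one carrying a shell separator.
    good = {"version": "9.2.1"}
    bad = {"version": "9.2.1; echo injected"}
    print("unsafe string would be:", build_command_unsafe("version", bad["version"]))
    print("safe handler, good request:", handle_post(good))
    print("safe handler, bad request: ", handle_post(bad))
```

The two defences are deliberately layered: the allowlist rejects anything that is not a plausible version or address before it goes anywhere, and the argv list means that even a value which slipped past the regex would arrive at the tool as one literal argument rather than being interpreted by a shell. Rejected requests are a useful detection signal as well; logging the 400 responses with the offending parameter value gives operators the "suspicious activity" the advisory asks them to monitor for.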