The Cybersecurity and Infrastructure Security Agency dropped five fresh Industrial Control Systems advisories on September 4, 2025, each one pressing Windows administrators and operational technology teams to patch now or tighten their networks—before attackers turn these bugs into bricked production lines. The latest batch hits four major vendors—Honeywell, Mitsubishi Electric/ICONICS, Delta Electronics, and a rail-transport protocol—and covers a range of flaws from remote code execution to authentication bypasses. For the Windows shop supporting supervisory and engineering workstations, these aren’t someone else’s problem: every exploited vulnerability here starts or ends on a Microsoft OS.

The advisories at a glance

CISA’s roundup includes five entries, though one advisory code for Honeywell’s OneWireless WDM could not be independently verified at publication time. The confirmed advisories and their core products are:

  • ICSA-25-217-01 – Mitsubishi Electric / ICONICS Digital Solutions Multiple Products (GENESIS64, MC Works64) – Update A
  • ICSA-25-105-07 – Delta Electronics COMMGR – Update A
  • ICSA-25-205-03 – Honeywell Experion PKS – Update A
  • ICSA-25-191-10 – End-of-Train / Head-of-Train Remote Linking Protocol – Update B
  • A fifth advisory, historically documented for Honeywell OneWireless Wireless Device Manager, was referenced in community discussions under the unconfirmed code ICSA-25-247-01; however, the underlying technical issues overlap with Experion PKS disclosures and vendor patch guidance exists.

Together, these notices span memory corruption, weak cryptography, missing authentication, and protocol-level design flaws. CVSS scores range from high to critical, and several vulnerabilities are remotely exploitable with low complexity.

Deep dive: what each advisory means for your environment

Mitsubishi Electric / ICONICS – .LNK tampering (CVE-2025-7376)

GENESIS64 and MC Works64—widely deployed human-machine interface and supervisory platforms—run on Windows and often with elevated privileges. CISA documents a Windows shortcut‑following vulnerability that allows a local, low‑privilege attacker to create symbolic links that trick an elevated process into writing arbitrary files. The endgame: denial‑of‑service or file corruption that could cripple an operator’s view of a process. CVE-2025-7376 carries a CVSS v3.1 high score, though v4 scoring drops a notch because local user interaction is required. Still, after an initial foothold—phishing, a trojanized installer, or lateral movement—the flaw becomes a reliable privilege escalation vector.

Mitigations:
- Upgrade GENESIS to version 11.01 or apply the vendor‑supplied patch.
- Restrict remote access and enforce administrative logins on ICS engineering hosts.
- Apply strict file permissions; prevent non‑admin users from writing to application directories.

For the Windows admin, the .LNK behavior is a sharp reminder that OS hardening alone isn’t enough. Application installs that embed shortcuts—and the services that follow them—must be audited and locked down.

Delta Electronics COMMGR – weak PRNG breaks authentication (CVE-2025-3495)

COMMGR’s virtual PLC simulator exposes a management interface that relies on a cryptographically weak pseudo‑random number generator for session IDs. An attacker can brute‑force valid session tokens and bypass authentication entirely, leading to remote code execution on the AS3000Simulator family. CISA assigns a CVSS v4 score of 9.3 (remote, low complexity). The flaw was reported via Trend Micro’s Zero Day Initiative.
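The flaw class above, as an added illustration (not Delta's code; it assumes nothing about how COMMGR's real generator works): a clock‑seeded PRNG token next to a session store built on the OS CSPRNG with expiry and constant‑time comparison.

```python
"""Weak, clock-seeded session IDs beside a CSPRNG-backed session store.
Added illustration of the flaw class; it is not Delta's code and assumes nothing
about how COMMGR actually generates tokens."""
import hmac
import random
import secrets


def weak_session_id(seed: int) -> str:
    """Token from a general-purpose PRNG seeded with a low-entropy value such as
    a clock reading: the output is fully determined by that small seed."""
    rng = random.Random(seed)              # Mersenne Twister, not cryptographic
    return f"{rng.getrandbits(32):08x}"    # 32 bits, reproducible from `seed`


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG: no seed to guess, no internal state to rebuild."""
    return secrets.token_hex(16)


class SessionStore:
    """Server-side session table with absolute expiry and constant-time matching."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._expiry: dict[str, float] = {}

    def issue(self, now: float) -> str:
        token = strong_session_id()
        self._expiry[token] = now + self.ttl
        return token

    def validate(self, token: str, now: float) -> bool:
        # compare_digest keeps the per-token comparison time independent of how
        # many leading characters of a presented token happen to match a real one.
        for stored, expires_at in self._expiry.items():
            if hmac.compare_digest(stored, token):
                return now < expires_at
        return False

    def revoke_expired(self, now: float) -> int:
        """Drop expired entries so stale tokens cannot linger; returns count removed."""
        stale = [t for t, exp in self._expiry.items() if now >= exp]
        for t in stale:
            del self._expiry[t]
        return len(stale)
```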

Operational risk: Many sites place COMMGR on broader enterprise subnets for programming convenience. The default listening port (typically TCP 8895) then becomes an open door from the IT network.

Mitigations:
- Apply vendor fixes for COMMGR v2; COMMGR v1 is end‑of‑life and must be isolated.
- Block inbound access to simulator ports with firewall ACLs.
- Never expose programming interfaces to untrusted networks.

Honeywell Experion PKS – multiple memory‑handling bugs (CVE-2025-2520, CVE-2025-2521, CVE-2025-2523)

Honeywell’s distributed control system suffers from uninitialized variables, buffer issues, and an integer underflow that can lead to remote code execution. Positive Technologies reported the flaws; CISA lists multiple high‑severity CVEs, with one integer underflow rated CVSS v4 9.4. The advisory recommends hotfix bundles for specific release branches (R520.2 TCU9 HF1 or R530 TCU3 HF1).

Experion PKS runs deep in chemical, energy, and water plants. A successful exploit could cause operational downtime and safety hazards. The patch path, however, is fraught with change control hurdles because DCS uptime is sacred.

Mitigations:
- Stage and accelerate deployment of Honeywell’s hotfixes in a controlled window.
- Segment Experion components from the internet and restrict engineering workstation access.
- If patching is delayed, enforce host‑based firewalls and application whitelisting on the underlying Windows servers.

Honeywell OneWireless WDM – overlapping risk with Experion PKS

OneWireless Wireless Device Manager bridges field device radio networks and the PKS control plane. Past advisories (e.g., ICSA‑23‑075‑06) documented command injection and weak randomness. While a distinct 2025 advisory code remains unconfirmed in public indexes, vulnerability trackers and Positive Technologies have correlated OneWireless component flaws with the Experion PKS disclosures. Vendor guidance directs users to OneWireless versions 322.5/331.1 and complementary PKS patches.

For defenders, the message is clear: treat the wireless gateway as a high‑priority pivot point; an attacker who compromises the WDM can move laterally into the core control system.

End‑of‑Train / Head‑of‑Train protocol – RF authentication bypass (CVE-2025-1727)

This advisory steps outside the traditional IT/OT box. The protocol used to link locomotive head and trailing units relies on a simple BCH checksum; a software‑defined radio can craft packets that impersonate legitimate brake‑control commands. CISA assigns CVE-2025-1727 a CVSS v4 score of 7.2 (weak authentication). The impact is operational and potentially fatal: an attacker with RF access could trigger unexpected braking or disable brake functions.

Mitigations:
- Operators must work with the Association of American Railroads and device manufacturers on a long‑term protocol redesign.
- Short‑term: physical security of RF environments, RF anomaly monitoring, and restricting remote linking to authenticated channels.

This advisory underscores that not all high‑risk ICS issues are software bugs—some are baked into field‑proven communications standards that lack modern security primitives.

Why Windows admins are the linchpin of OT security

The thread tying all five advisories together is Microsoft Windows. Engineering stations, HMIs, historians, and gateway managers—the human endpoints touching these ICS products—nearly all run Windows. CISA’s alerts routinely carry an implicit warning: a compromised Windows host can be the launchpad for attacks on industrial processes.

Common attack patterns seen across the advisories:

  • Low‑privilege initial access: phishing, malicious removable media, or an unpatched IT service provides an entry point.
  • Product‑specific escalation: the attacker then abuses a flaw like ICONICS’ .LNK trick or Delta’s weak session generation to gain higher integrity on the OT application.
  • Lateral movement to control systems: once on a trusted engineering host, the adversary can pivot to PLCs, RTUs, or the DCS controller.

Preventing initial compromise of Windows endpoints is therefore an OT safety control. But that alone is insufficient. The ICONICS .LNK bug shows that even after a patch, the underlying Windows shortcut‑following behavior must be constrained via GPO, application control, and least‑privilege accounts.

Practical remediation checklist for IT and OT teams

The following checklist synthesizes CISA’s recommendations and operational realities discussed in the community:

  1. Inventory and map – Identify every system running GENESIS64/MC Works64, COMMGR, Experion PKS, OneWireless components, and EoT/HoT devices. Record versions and patch status.
  2. Apply vendor fixes – Test in a staging environment and accelerate deployment to production as safety and uptime permit:
    - Honeywell Experion hotfix bundles R520.2 TCU9 HF1 / R530 TCU3 HF1
    - Mitsubishi/ICONICS GENESIS 11.01 or vendor‑provided patch
    - Delta COMMGR fix for v2; isolate v1
  3. Network controls – Block unnecessary inbound traffic to ICS ports from enterprise and internet subnets. Microsegment where possible. Place engineering workstations behind hardened jump hosts with multi‑factor authentication.
  4. Harden Windows hosts
    - Enforce least privilege; remove local admin rights from operator accounts.
    - Disable automatic execution of .LNK files from removable media via GPO.
    - Deploy application allow‑listing (AppLocker or WDAC) for ICS software.
    - Maintain current EDR/AV with OT‑aware telemetry and centralized logging.
  5. Monitor and detect – Tune OT network monitoring, IDS/IPS rules, and SIEM alerts for brute‑force session attempts, unusual .LNK activity, unexpected RF transmissions, and anomalous process behavior.
  6. Plan for legacy – Where vendors do not patch older SKUs, document risk acceptance and implement compensating controls; build a phased replacement roadmap.
  7. Coordinate reporting – Share indicators of compromise with CISA or sector ISACs; monitor vendor PSIRTs for updates.
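Checklist items 3 and 5 in working form, as an added example that is not from CISA or any vendor: a sliding‑window detector run over constructed log records, flagging repeated session‑authentication failures and off‑subnet connections to the COMMGR port mentioned earlier (TCP 8895). The log syntax, addresses, subnet policy, and thresholds are assumptions.

```python
"""Sliding-window detector for session brute force and off-subnet hits on ICS
programming ports. Added example; log syntax, addresses and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress
import re

# Constructed records in a key=value form (not any vendor's real log format)
SAMPLE_LOG = """\
2025-09-04T10:00:01Z src=10.50.1.7 dst=10.50.1.20:8895 event=session_auth result=fail
2025-09-04T10:00:02Z src=10.50.1.7 dst=10.50.1.20:8895 event=session_auth result=fail
2025-09-04T10:00:03Z src=10.50.1.7 dst=10.50.1.20:8895 event=session_auth result=fail
2025-09-04T10:00:04Z src=10.50.1.7 dst=10.50.1.20:8895 event=session_auth result=fail
2025-09-04T10:01:00Z src=192.168.7.44 dst=10.50.1.20:8895 event=session_auth result=ok
2025-09-04T10:30:00Z src=10.50.1.9 dst=10.50.1.20:8895 event=session_auth result=fail
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=[\d.]+:(?P<port>\d+) "
                     r"event=(?P<event>\S+) result=(?P<result>\S+)$")

# Assumed policy: only the engineering VLAN may reach the simulator port (TCP 8895 per the text)
ENGINEERING_NET = ipaddress.ip_network("10.50.1.0/24")
ICS_PORTS = {8895}
FAIL_THRESHOLD, WINDOW_SECONDS = 4, 60


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["port"] = int(rec["port"])
    return rec


def detect(log_text: str) -> list[str]:
    """Return alert strings, at most one per (rule, source) pair."""
    alerts, fired, failures = [], set(), defaultdict(deque)   # failures: src -> recent fail times
    for line in log_text.splitlines():
        r = parse(line)
        off_net = ipaddress.ip_address(r["src"]) not in ENGINEERING_NET
        if r["port"] in ICS_PORTS and off_net and ("offnet", r["src"]) not in fired:
            fired.add(("offnet", r["src"]))
            alerts.append(f"off-subnet access to ICS port {r['port']} from {r['src']}")
        if r["event"] == "session_auth" and r["result"] == "fail":
            q = failures[r["src"]]
            q.append(r["ts"])
            while (r["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:   # drop stale entries
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ("brute", r["src"]) not in fired:
                fired.add(("brute", r["src"]))
                alerts.append(f"{len(q)} auth failures within {WINDOW_SECONDS}s from {r['src']}")
    return alerts
```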

Critical analysis: strengths, limitations, and hard tradeoffs

Strengths of the CISA advisory process

  • Timely aggregation: CISA turns vendor disclosures into a single, actionable notice, reducing the information debt for operational teams.
  • CVE and scoring integration: CVSS vectors and CVE references simplify risk scoring in enterprise workflow tools.
  • Pragmatic mitigations: When patches aren’t available, CISA emphasizes segmentation, least privilege, and VPN restrictions—measures that work under OT constraints.

Limitations and persistent gaps

  • Patch friction: ICS patches require rigorous operational testing; the exposure window can remain long. Some products, like COMMGR v1, reach end‑of‑life, forcing reliance on compensating controls.
  • Protocol/design flaws: Weak authentication in legacy RF protocols cannot be patched via software alone—it demands standards updates, device replacement, or physical mitigations that are slow and expensive.
  • Visibility gaps: Many OT networks still lack holistic telemetry. Windows teams must partner with OT engineers to gain asset visibility and instrument detection across the IT/OT boundary.

Risk tradeoffs for Windows teams

  • Aggressive Windows patching is essential but not sufficient: attackers increasingly exploit product‑level behaviors beyond the OS. Windows hardening must be paired with application configuration controls and rigorous credential management.
  • Reliance on VPNs as “secure remote access” can breed false confidence. CISA explicitly warns that VPNs are only as secure as the connected host; a compromised engineering workstation nullifies the VPN’s protection.

What operators and security leaders should do next

Treat ICS advisories as enterprise‑level risk items. Assign accountable owners, set remediation SLAs, and document compensating controls when immediate patching is impossible. Increase collaboration between Windows/IT teams and OT engineers through joint vulnerability triage sessions. Invest in ICS visibility and monitoring so you know what normal looks like. Finally, build phased replacement plans for legacy, unpatchable devices and protocol vulnerabilities, and engage vendors and standards bodies where protocol redesign is required.

The September 4, 2025 advisories are not exceptional in their themes—memory corruption, weak cryptography, and protocol design flaws have plagued ICS for decades—but their pace and breadth matter. They reiterate an unambiguous message: protecting critical infrastructure demands integrated action across Windows operations, network architecture, vendor management, and OT engineering. Patches are only one part of the solution. For many organizations, the immediate defensive gains come from disciplined inventory, aggressive segmentation, least‑privilege enforcement on Windows engineering hosts, and a clear plan for legacy equipment. CISA’s advisories, together with vendor PSIRTs, ZDI notes, and independent vulnerability trackers, provide the technical roadmap. Execution under real safety and uptime constraints—and aligning Windows hardening with OT controls—will materially reduce exposure to the next wave of exploitation.