Pop Pulse News

Critical Auth Bugs Expose Smart Factory Gear to Cyberattack



Critical security vulnerabilities affecting factory automation software from Mitsubishi Electric and Rockwell Automation could variously allow remote code execution (RCE), authentication bypass, product tampering, or denial-of-service (DoS).

That's according to the US Cybersecurity and Infrastructure Security Agency (CISA), which warned yesterday that an attacker could exploit the Mitsubishi Electric bug (CVE-2023-6943, CVSS score of 9.8) by calling a function with a path to a malicious library while connected to the device -- resulting in authentication bypass, RCE, DoS, or data manipulation.

The Rockwell Automation bug (CVE-2024-10386, CVSS 9.8), meanwhile, stems from a missing authentication check; a cyberattacker with network access could exploit it by sending crafted messages to a device, potentially resulting in database manipulation.

The critical vulnerabilities are two out of several issues affecting Mitsubishi's and Rockwell Automation's smart-factory portfolios, all listed in CISA's Halloween disclosure. Both industrial control systems (ICS) suppliers have issued mitigations for manufacturers to follow in order to avoid future compromise.

Manufacturers should apply patches and mitigations as soon as possible, given that smart factories are among the most-targeted ICS sectors. The news also comes as nation-state attacks on US critical infrastructure have ramped up, with CISA warning that both Russian and Chinese advanced persistent threats (APTs) show no signs of letting up their assaults on utilities, telecoms, and other high-value targets. Canada also recently warned of sustained cyber assaults from China on its critical infrastructure footprint.
