Cybersecurity researchers have revealed details about two critical vulnerabilities affecting mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system utilized in operational technology (OT) environments, which could potentially enable malicious actors to gain control of vulnerable systems.
“If exploited, these vulnerabilities could provide unauthorized access to industrial control networks, potentially resulting in significant operational disruptions and financial consequences,” stated Swiss security firm PRODAFT in a report.
The identified vulnerabilities, both rated 9.3 on the CVSS v4 scoring system, are as follows:
- CVE-2025-20014 – A flaw allowing operating system command injection through specially crafted POST requests with a version parameter
- CVE-2025-20061 – A vulnerability facilitating operating system command injection via specially crafted POST requests with an email parameter
Exploiting either of these flaws could enable an attacker to inject system commands and execute arbitrary code. The issues have been remediated in the following versions:
- mySCADA PRO Manager 1.3
- mySCADA PRO Runtime 9.2.1
According to PRODAFT, both vulnerabilities stem from a failure to properly sanitize user-supplied input before it reaches the operating system, leaving the door open to command injection attacks.
“These vulnerabilities underscore the ongoing security risks in SCADA systems and the necessity for robust defenses,” the company emphasized. “Exploitation could result in operational disruptions, financial losses, and safety hazards.”
Organizations are advised to apply the latest patches, implement network segmentation by isolating SCADA systems from IT networks, enforce strong authentication mechanisms, and monitor for suspicious activities.
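As an added illustration (not the page's own material and not mySCADA's code), the following hypothetical Python request handler contrasts the unsanitized pattern the report describes with an allowlist-validated, shell-free version, and adds a screening function of the kind a defender could run over incoming POST parameters as part of the recommended monitoring. The tool path `/opt/tool/notify`, the validation regexes and the parameter names are assumptions chosen to match the advisory's `email` and `version` parameters.

```python
import re
import subprocess

# Allowlist patterns for the two parameters named in the advisory.
# These are assumptions for illustration, not mySCADA's actual validation rules.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+){0,3}$")

# Characters that change the meaning of a command line when a shell parses it.
SHELL_META = ";|&$`<>()\n\r\\'\""


def validate_email(value: str) -> str:
    """Return the value unchanged if it matches the allowlist, else raise ValueError."""
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("rejected email parameter")
    return value


def validate_version(value: str) -> str:
    """Return the value unchanged if it looks like a dotted version number, else raise."""
    if len(value) > 32 or not VERSION_RE.fullmatch(value):
        raise ValueError("rejected version parameter")
    return value


def build_command_unsafe(params: dict) -> str:
    """Vulnerable pattern: the raw parameter is interpolated into a command string.

    If this string were handed to subprocess.run(..., shell=True), the shell would
    honour any metacharacters in the value. Returned here for inspection only.
    """
    return f"/opt/tool/notify --to {params['email']} --version {params['version']}"


def build_command_safe(params: dict) -> list:
    """Hardened pattern: validate each parameter, then build an argv list.

    Each list element is passed to the program as a single argument and no shell
    is involved, so metacharacters in the value are inert.
    """
    email = validate_email(params["email"])
    version = validate_version(params["version"])
    return ["/opt/tool/notify", "--to", email, "--version", version]


def execute(argv: list) -> subprocess.CompletedProcess:
    """Run an argv list without a shell; never pass a joined string here."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)


def screen_request(params: dict) -> dict:
    """Defender-side check: map parameter names to a reason they look suspicious.

    Flags shell metacharacters in any parameter and allowlist failures for the
    parameters we know the shape of. An empty dict means nothing was flagged.
    """
    validators = {"email": validate_email, "version": validate_version}
    findings = {}
    for name, value in params.items():
        meta = sorted({c for c in value if c in SHELL_META})
        if meta:
            findings[name] = f"shell metacharacters {meta!r}"
            continue
        validator = validators.get(name)
        if validator is not None:
            try:
                validator(value)
            except ValueError as exc:
                findings[name] = str(exc)
    return findings


if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying a shell separator.
    benign = {"email": "ops@example.com", "version": "9.2.1"}
    hostile = {"email": "ops@example.com; id", "version": "9.2.1"}
    print("safe argv:", build_command_safe(benign))
    print("unsafe string:", build_command_unsafe(hostile))
    print("screening:", screen_request(hostile))
    # Stand-in for /opt/tool/notify so the shell-free path can be exercised locally.
    print("executed:", execute(["printf", "%s\n", hostile["email"]]).stdout.strip())
```

The `screen_request` check is deliberately conservative: it flags anything containing a shell separator or failing the allowlist rather than attempting to recognise specific payloads, which keeps it useful as a log-review or WAF-style alert rule even when the exact injection strings are unknown.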