By Tech Desk ⏐ 4 months ago ⏐ 2 min read
NCERT Warns of Critical mySCADA myPRO Vulnerabilities in Industrial Systems

ISLAMABAD: The National Computer Emergency Response Team (NCERT) has raised an alarm over mySCADA myPRO vulnerabilities, which could expose critical industrial infrastructure to cyber threats. These security flaws, identified as CVE-2025-20014 and CVE-2025-20061, allow attackers to remotely execute arbitrary commands, potentially leading to unauthorized system access, data breaches, and operational disruptions.

Due to their severity, both vulnerabilities have been assigned a 9.3 rating on the CVSS v4 scale, indicating a significant risk to industrial control system security. National CERT has emphasized that outdated versions—mySCADA PRO Manager v1.2 and earlier and mySCADA PRO Runtime v9.2.0 and earlier—are particularly vulnerable, especially if connected to public networks.

The SCADA security vulnerabilities stem from improper input validation, allowing attackers to inject malicious commands through specially crafted POST requests. If exploited, these flaws could lead to remote code execution (RCE), unauthorized administrative access, and severe industrial disruptions.

NCERT’s Security Recommendations Against mySCADA myPRO Vulnerabilities

To mitigate these risks, National CERT advises organizations to:

  • Upgrade to mySCADA PRO Manager v1.3 and mySCADA PRO Runtime v9.2.1 to patch these security flaws.

  • Implement strict network segmentation to isolate SCADA systems from public exposure.

  • Enforce Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) to restrict administrative access.

  • Monitor network activity for suspicious POST requests and unauthorized login attempts.

  • Harden security settings by disabling unnecessary services and applying application whitelisting to prevent unauthorized software execution.
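As an added illustration (not part of NCERT's advisory or any mySCADA tooling), the Python script below triages an asset inventory against the fixed versions listed above and flags affected hosts whose address falls outside internal ranges. The inventory columns, hostnames, addresses, the internal ranges, and the choice to treat any version below the fixed release as affected are assumptions.

```python
import csv
import io
import ipaddress

# Fixed releases named in the advisory; anything below them is treated as affected (assumption).
FIXED = {"manager": (1, 3), "runtime": (9, 2, 1)}

# Assumption: only RFC 1918 ranges count as internal, segmented address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hostnames, addresses and columns are made up).
SAMPLE = """host,component,version,address
hmi-01,runtime,9.2.0,10.20.1.15
hmi-02,runtime,v9.2.1,10.20.1.16
eng-01,manager,1.2,203.0.113.40
eng-02,manager,1.3,10.20.1.30
hmi-03,runtime,unknown,198.51.100.7
"""


def parse_version(text):
    """Return a tuple of ints for '9.2.0' or 'v1.2', or None if unparseable."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Map host -> 'patched', 'affected', 'affected-exposed' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        fixed = FIXED.get(row["component"].strip().lower())
        if version is None or fixed is None:
            status = "review"  # unknown version or component: check by hand
        elif version >= fixed:
            status = "patched"
        else:
            addr = ipaddress.ip_address(row["address"].strip())
            internal = any(addr in net for net in INTERNAL_NETS)
            status = "affected" if internal else "affected-exposed"
        results[row["host"]] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as affected-exposed are the ones to upgrade and isolate first; rows marked review need their version confirmed manually.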

Ignoring these mySCADA cyber threats could lead to severe industrial disruptions, financial losses, and heightened safety risks. National CERT urges all organizations using mySCADA myPRO to take immediate action and follow official security advisories to prevent potential cyberattacks.