Blog HackRTU


Learn about vulnerabilities and technical information from a different perspective, and keep up to date with everything HackRTU is doing


Discover the latest articles on industrial cybersecurity, OT vulnerabilities, device analysis, technical research, 0-days and relevant news from the sector. On the HackRTU blog we dig into the security of industrial systems, the IEC 62443 family of standards, and trends and research in the field of industrial cybersecurity.


MULTIPLE CVE IN THE ZEUSWEB INDUSTRIAL SCADA OF MICROCOM


ADVISORY HRTU#0001


The HackRTU CNA has coordinated 4 new vulnerabilities (HRTU#0001), all of medium severity, in the ZeusWeb industrial SCADA solution from MICROCOM. These vulnerabilities were discovered by Aarón Flecha Menéndez and Víctor Bello Cuevas.


DETAILS OF THE AFFECTED SOLUTION:

  • Provider: Microcom
  • Specific model: ZeusWeb
  • Affected firmware version: 6.1.31


SPECIFIC INFORMATION ON THE 0-DAY VULNERABILITIES:

Each vulnerability has been assigned a CVE identifier, together with its CVSS v4.0 base score, CVSS vector, CWE weakness type and CAPEC attack pattern:

  • CVE-2025-13648: STORED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB
    • CVSS v4.0: 6.9 (Medium)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    • CAPEC-63 Cross-Site Scripting (XSS)
      • CAPEC-592 Stored XSS
    • CPE 2.3 Applicability:
      • cpe:2.3:a:microcom:zeusweb:6.1.31:*:*:*:*:*:*:* 
  • CVE-2025-13649: REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB
    • CVSS v4.0: 5.1 (Medium)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    • CAPEC-63 Cross-Site Scripting (XSS)
      • CAPEC-591 Reflected XSS
    • CPE 2.3 Applicability:
      • cpe:2.3:a:microcom:zeusweb:6.1.31:*:*:*:*:*:*:* 
  • CVE-2025-13650: REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB
    • CVSS v4.0: 5.1 (Medium)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    • CAPEC-63 Cross-Site Scripting (XSS)
      • CAPEC-591 Reflected XSS
    • CPE 2.3 Applicability:
      • cpe:2.3:a:microcom:zeusweb:6.1.31:*:*:*:*:*:*:* 
  • CVE-2025-13651: LEAK OF SENSITIVE INFORMATION ON MICROCOM'S ZEUSWEB
    • CVSS v4.0: 6.9 (Medium)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    • CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
    • CAPEC-224 Fingerprinting
      • CAPEC-541 Application Fingerprinting
        • CAPEC-170 Web Application Fingerprinting
    • CPE 2.3 Applicability:
      • cpe:2.3:a:microcom:zeusweb:6.1.31:*:*:*:*:*:*:* 
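The list above is machine-readable data: a CVE id, a CVSS v4.0 base score and a CVSS vector per entry. When an advisory is ingested into a vulnerability tracker or a risk register, the vectors should be parsed and validated rather than copied as opaque strings, because a single missing or mistyped metric silently changes the severity that downstream tooling computes. The following is an added example (not code from HackRTU or Microcom) of a small CVSS v4.0 base-vector parser and consistency checker written for this page. It validates each metric name and value against the values the CVSS v4.0 specification allows, lists the metrics on which two vectors differ, and flags entries that share an identical vector but claim different scores. The sample entries are constructed for the example: the CVE ids and scores follow the advisory, and the third vector is deliberately written with an empty AC value to show how a malformed vector is reported.

```python
"""CVSS v4.0 base-vector parser and consistency checker (added example, not the advisory's own code)."""
import itertools
from dataclasses import dataclass

# CVSS v4.0 base metrics, in vector order, with the values the specification allows.
# Assumption for this example: only base metrics are handled; threat and environmental
# metrics (E, CR, MAV, ...) are rejected as unsupported rather than silently ignored.
BASE_METRICS: dict[str, set[str]] = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector
    "AC": {"L", "H"},             # Attack Complexity
    "AT": {"N", "P"},             # Attack Requirements
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "P", "A"},        # User Interaction
    "VC": {"H", "L", "N"},        # Vulnerable system Confidentiality impact
    "VI": {"H", "L", "N"},        # Vulnerable system Integrity impact
    "VA": {"H", "L", "N"},        # Vulnerable system Availability impact
    "SC": {"H", "L", "N"},        # Subsequent system Confidentiality impact
    "SI": {"H", "L", "N"},        # Subsequent system Integrity impact
    "SA": {"H", "L", "N"},        # Subsequent system Availability impact
}


class CvssVectorError(ValueError):
    """Raised when a string is not a well-formed CVSS v4.0 base vector."""


def parse_cvss4_vector(vector: str) -> dict[str, str]:
    """Parse 'CVSS:4.0/AV:N/AC:L/...' into {metric: value}, validating every component."""
    prefix, _, body = vector.strip().partition("/")
    if prefix != "CVSS:4.0":
        raise CvssVectorError(f"unexpected prefix {prefix!r}")
    metrics: dict[str, str] = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep:
            raise CvssVectorError(f"malformed metric {part!r}")
        if name not in BASE_METRICS:
            raise CvssVectorError(f"unknown or unsupported metric {name!r}")
        if name in metrics:
            raise CvssVectorError(f"duplicate metric {name!r}")
        if value not in BASE_METRICS[name]:
            raise CvssVectorError(f"metric {name} has invalid value {value!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise CvssVectorError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def diff_vectors(a: str, b: str) -> dict[str, tuple[str, str]]:
    """Return the metrics on which two valid vectors differ, as {metric: (value_a, value_b)}."""
    ma, mb = parse_cvss4_vector(a), parse_cvss4_vector(b)
    return {m: (ma[m], mb[m]) for m in BASE_METRICS if ma[m] != mb[m]}


@dataclass(frozen=True)
class Entry:
    cve: str
    score: float
    vector: str


def check_entries(entries: list[Entry]) -> list[str]:
    """Validate every vector and flag pairs that share a vector but claim different scores.

    Returns human-readable findings; an empty list means all entries are well-formed and
    mutually consistent. Invalid entries are excluded from the pairwise comparison.
    """
    findings: list[str] = []
    valid: list[Entry] = []
    for e in entries:
        try:
            parse_cvss4_vector(e.vector)
            valid.append(e)
        except CvssVectorError as exc:
            findings.append(f"{e.cve}: invalid vector ({exc})")
    for x, y in itertools.combinations(valid, 2):
        if not diff_vectors(x.vector, y.vector) and x.score != y.score:
            findings.append(f"{x.cve} and {y.cve}: identical vector but scores {x.score} != {y.score}")
    return findings


# Sample input constructed for this example: CVE ids and scores follow the advisory; the
# third vector is written with an empty AC value on purpose, to exercise the error path.
SAMPLE_ENTRIES = [
    Entry("CVE-2025-13648", 6.9, "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"),
    Entry("CVE-2025-13649", 5.1, "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"),
    Entry("CVE-2025-13650", 5.1, "CVSS:4.0/AV:N/AC:/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"),
    Entry("CVE-2025-13651", 6.9, "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"),
]

if __name__ == "__main__":
    for line in check_entries(SAMPLE_ENTRIES) or ["all vectors well-formed and consistent"]:
        print(line)
```

Run as a script, the checker reports only the malformed third vector; the two 6.9 entries share an identical vector (both require user interaction, UI:A) and agree on their score, so they produce no finding. `diff_vectors` is what you would use to explain to a reader why the stored XSS (UI:A) and the reflected XSS (UI:P) score differently: the only metric that differs is User Interaction.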


More information on each vulnerability has been published on the CNA's CVE List web page.


SOLUTIONS, MITIGATIONS AND INFORMATION:

The provider, Microcom, has released version 6.2.5, which fixes the security problems detected in the previous version. End users do not need to take any update action: the software is cloud-based and managed by the provider, who has deployed the new version for all users.


REFERENCES:

Specific links related to the notice:


HACKRTU TEAM