Critical Vulnerabilities in mySCADA myPRO Put Industrial Control Systems at Risk


Two severe security vulnerabilities have been discovered in mySCADA myPRO, a widely used industrial control system, that could enable attackers to seize control of critical operational technology environments.

The flaws, identified by cybersecurity firm PRODAFT, received a critical severity rating of 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS). Both vulnerabilities stem from inadequate input validation that leaves systems open to command injection attacks.

The first vulnerability (CVE-2025-20014) allows attackers to execute malicious commands through specially crafted POST requests containing a version parameter. Similarly, the second flaw (CVE-2025-20061) enables command execution via POST requests with a manipulated email parameter.
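The kind of input validation whose absence is described above can be sketched as an allowlist check on the two named POST fields. This is an added example, not mySCADA code: only the parameter names `version` and `email` come from the advisory, while the url-encoded body format, the field grammars and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed grammars: the advisory names the parameters but not their formats.
# Allowlists describe what a valid value looks like instead of listing bad
# characters, so shell metacharacters, whitespace and newlines all fail.
RULES = {
    # Dotted numeric version such as 9.2.1 (ASCII digits only).
    "version": re.compile(r"[0-9]{1,4}(?:\.[0-9]{1,4}){0,3}"),
    # Conservative mailbox: the first character must be alphanumeric so the
    # value can never look like a command-line option.
    "email": re.compile(
        r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}"
        r"@[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63}){1,4}"
    ),
}


def check_post_body(body: str) -> list[str]:
    """Return findings for a url-encoded POST body; an empty list means clean."""
    findings = []
    fields = parse_qs(body, keep_blank_values=True)  # also percent-decodes
    for name, pattern in RULES.items():
        values = fields.get(name, [])
        if len(values) > 1:
            # Duplicates invite disagreement between the validator and the
            # component that finally consumes the value.
            findings.append(f"{name}: repeated parameter")
        for value in values:
            # fullmatch, unlike match with '$', does not accept a trailing
            # newline after an otherwise valid value.
            if not pattern.fullmatch(value):
                findings.append(f"{name}: rejected value {value!r}")
    return findings


# Constructed sample bodies, not captured traffic.
SAMPLES = [
    "version=9.2.1&email=ops%40example.com",
    "version=9.2.1%3B+echo+constructed&email=ops%40example.com",
    "version=1.3&email=ops%40example.com%0A",
    "version=1.3&version=1.4",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", check_post_body(body) or "ok")
```

The same function works as a server-side gate before a value reaches any command, and as a detection rule over logged request bodies where those are available.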

If exploited, these security gaps could give unauthorized actors complete control over affected industrial systems, potentially causing operational disruptions, financial damage, and safety risks in manufacturing facilities, power plants, and other critical infrastructure.

The vendor has released patches to address these vulnerabilities in mySCADA PRO Manager version 1.3 and mySCADA PRO Runtime version 9.2.1.

Security experts recommend that organizations take immediate action by:

  • Installing the latest security updates
  • Implementing network segmentation between SCADA and IT systems
  • Strengthening authentication mechanisms
  • Actively monitoring systems for suspicious activities

This discovery underscores ongoing security challenges in industrial control systems that manage critical infrastructure and manufacturing processes.