[Update notice] HMI GC-A2 series

Mar. 24, 2025

1.Overview

Multiple vulnerabilities were found in the HMI GC-A2 series. This notice describes the vulnerabilities and how to deal with them.
Please review the contents and apply the following solution.

2.Products Affected

The following products are affected by the vulnerabilities.

Products        Firmware Version
GC-A22W-CW      All Versions
GC-A24W-C(W)    All Versions
GC-A26W-C(W)    All Versions
GC-A24          All Versions
GC-A24-M        All Versions
GC-A25          All Versions
GC-A26          All Versions
GC-A26-J2       All Versions
GC-A27-C        All Versions
GC-A28-C        All Versions

3.Description

The HMI GC-A2 series contains the multiple vulnerabilities listed below.

3-1.Unintended Proxy or Intermediary (‘Confused Deputy’) (CWE-441)

CVSS v3 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N Base score: 5.8
CVE-2025-25061

3-2.Denial-of-service (DoS) vulnerability in Modbus TCP Slave service (CWE-770)

CVSS v3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base score: 5.3
CVE-2025-24317

4.Impact

A remote attacker may be able to cause a denial of service (DoS) condition by sending specially crafted packets to specific ports. A denial of service (DoS) may cause the service to stop. Restarting the HMI is required to recover from a stopped service.
The HMI could also be used in an FTP bounce attack, in which it serves as a relay point to attack another host.

5.Mitigations and Protections

When connecting the HMI to the Internet, use a firewall or virtual private network (VPN) to prevent unauthorized access.
Reduce the risk of attack by making the HMI accessible only from within the internal network.
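
As a monitoring aid for the FTP bounce risk described in section 4, the following added example (not part of the vendor's advisory) flags FTP PORT/EPRT commands whose data-connection target is not the client that sent them. The log format of (client IP, command line) pairs and the sample entries are constructed assumptions; the PORT and EPRT syntax follows RFC 959 and RFC 2428.

```python
import ipaddress
import re

# Constructed sample: (control-connection client IP, FTP command line).
SAMPLE_LOG = [
    ("192.0.2.10", "USER operator"),
    ("192.0.2.10", "PORT 192,0,2,10,195,80"),      # data channel back to the client
    ("192.0.2.10", "PORT 198,51,100,7,0,22"),      # third-party host
    ("192.0.2.10", "EPRT |1|198.51.100.7|8080|"),  # third-party host via EPRT
    ("192.0.2.10", "PORT 192,0,2,10,0,80"),        # client address, port below 1024
    ("192.0.2.10", "PORT 1,2,3"),                  # malformed argument
]
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(?P<d>.)[12](?P=d)(?P<host>.+?)(?P=d)(?P<port>\d{1,5})(?P=d)\s*$", re.I)

def parse_target(command):
    """Return (ip, port) named by PORT/EPRT, None for other verbs; ValueError if malformed."""
    if command[:4].upper() not in ("PORT", "EPRT"):
        return None
    m = PORT_RE.match(command)
    if m:
        nums = [int(n) for n in m.group(1).split(",")]
        if max(nums) > 255:
            raise ValueError("octet out of range")
        return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]
    m = EPRT_RE.match(command)
    if m and int(m["port"]) <= 65535:
        return ipaddress.ip_address(m["host"]), int(m["port"])  # bad host raises ValueError
    raise ValueError("malformed PORT/EPRT argument")

def classify(client_ip, command):
    """Label one command: ignore, ok, bounce-suspect, low-port or malformed."""
    try:
        target = parse_target(command)
    except ValueError:
        return "malformed"
    if target is None:
        return "ignore"
    host, port = target
    if host != ipaddress.ip_address(client_ip):
        return "bounce-suspect"  # data connection aimed at a host other than the client
    return "low-port" if port < 1024 else "ok"

def findings(log):
    """Return (client, command, label) for every entry that needs review."""
    return [(ip, cmd, label) for ip, cmd in log
            if (label := classify(ip, cmd)) not in ("ok", "ignore")]

if __name__ == "__main__":
    for row in findings(SAMPLE_LOG):
        print(*row, sep="  ")
```

Where address translation sits between the client and the HMI, the address seen on the control connection can legitimately differ from the one in the command, so compare against the translated address in that case.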