Vulnerability Brief · Critical Vulnerability

Critical Remote Manipulation Vulnerability in Contemporary Controls BASC 20T (CVE‑2025‑13926) Threatens Industrial PLC Operations

CISA has flagged CVE‑2025‑13926 in Contemporary Controls' BASC 20T PLCs (v3.1) as a critical, remotely exploitable flaw that permits attackers to enumerate, reconfigure, delete, and execute remote procedures on industrial control devices. The issue endangers commercial facilities, critical manufacturing, and energy sectors, making it a top supply‑chain risk for third‑party risk managers.

LiveThreat™ Intelligence · April 10, 2026 · cisa.gov

Severity: Critical
Type: Vulnerability
Confidence: High
Affected: 3 sector(s)
Actions: 5 recommended
Source: cisa.gov

What It Is – CVE‑2025‑13926 is a flaw in Contemporary Controls BASC 20T PLC firmware (version 3.1) that allows an unauthenticated attacker who can sniff network traffic to forge packets and issue arbitrary requests to the device. Successful exploitation can enumerate component functions, rename or delete configurations, transfer files, and invoke remote procedure calls.

Exploitability – The vulnerability is publicly disclosed, has a CVSS v3.1 base score of 9.8 (Critical), and proof‑of‑concept packet‑forging tools have been shared in the open‑source community. No known active ransomware or malware campaigns are currently leveraging it, but an attack is low‑cost for the attacker and high‑impact for the victim.

Affected Products – Contemporary Controls Sedona Alliance BASC 20T (firmware 3.1). The product is classified as obsolete; many legacy sites still run it in commercial facilities, critical manufacturing, and energy plants worldwide.

TPRM Impact – Because the PLC sits at the heart of process‑control networks, a compromised BASC 20T can lead to unauthorized re‑configuration of production lines, shutdown of critical equipment, or unsafe operational states. Third‑party risk managers must treat any supplier still using this hardware as a high‑severity supply‑chain exposure.

Recommended Actions

  • Inventory all third‑party sites and internal assets for BASC 20T deployments.
  • Isolate affected PLCs on a segmented VLAN and enforce strict network‑traffic monitoring.
  • Engage Contemporary Controls for migration guidance; replace the obsolete hardware with a supported, securely‑designed controller.
  • Apply network‑level mitigations (e.g., MAC filtering, IDS signatures for forged packets) until replacement is complete.
  • Update contractual clauses to require vendors to retire unsupported control‑system products within a defined timeframe.

Source: CISA Advisory – ICSA‑26‑099‑01

Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.