CVE-2025-7225

INVT · INVT Multiple Products

Executive summary

A critical vulnerability has been identified in multiple INVT industrial products, specifically within the HMITool software. An attacker can exploit this flaw by sending a specially crafted file, which could allow them to execute arbitrary code and gain full control of the affected system, potentially leading to disruption of industrial operations and unauthorized access to sensitive environments.

Vulnerability

The vulnerability is an out-of-bounds write that occurs when the INVT HMITool software processes a malformed VPM project file. An attacker can create a malicious VPM file that, when opened by the software, writes data outside of the intended memory buffer. This memory corruption can be leveraged by the attacker to overwrite critical program data, leading to the execution of arbitrary code with the privileges of the HMITool application. Exploitation requires an attacker to convince a user to open the malicious VPM file on a vulnerable system.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could have a significant business impact, particularly as INVT products are often deployed in Operational Technology (OT) and Industrial Control System (ICS) environments. An attacker gaining remote code execution could disrupt or halt industrial processes, manipulate HMI displays to mislead operators, cause physical equipment damage, or create safety hazards. Furthermore, a compromised system could be used as a pivot point to launch further attacks against the internal OT network, potentially leading to widespread operational failure or theft of sensitive intellectual property.

Remediation

Immediate Action: Organizations must prioritize patching vulnerable systems according to the vendor's advisory. All internet-facing systems running the affected INVT software should be patched immediately to prevent remote exploitation. For systems that cannot be patched right away, consider removing them from the internet until a patch can be applied.

Proactive Monitoring: Enhance monitoring and logging on systems where INVT HMITool is installed. Security teams should look for suspicious activity such as the unexpected transfer or opening of VPM files from untrusted sources, anomalous process creation originating from the HMITool application, and unusual outbound network traffic from affected hosts. Implement and monitor intrusion detection system (IDS) signatures specific to CVE-2025-7225 as they become available.
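The monitoring described above, sketched as an added example (not vendor or advisory code): it triages process-creation events, using Sysmon Event ID 1 field names, for HMITool child processes and for VPM files opened outside an approved project directory. The executable name HMITool.exe, the .vpm extension, the D:\HMI_Projects root, the child-process baseline and all sample events are assumptions constructed for illustration.

```python
import json
import ntpath
import re

# Assumptions, not from the advisory: executable name, .vpm extension,
# approved project directory, and the child-process baseline.
HMI_IMAGE = "hmitool.exe"
TRUSTED_ROOT = "d:\\hmi_projects\\"
ALLOWED_CHILDREN = {"hmitool.exe"}
VPM_ARG = re.compile(r'"([^"]+\.vpm)"|(\S+\.vpm)\b', re.I)

def base(path):
    return ntpath.basename(path or "").lower()

def triage(event):
    """Findings for one process-creation event; normpath collapses '..' traversal."""
    findings = []
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    if parent == HMI_IMAGE and image not in ALLOWED_CHILDREN:
        findings.append(f"unexpected child of HMITool: {event.get('Image')}")
    if image == HMI_IMAGE:
        for m in VPM_ARG.finditer(event.get("CommandLine") or ""):
            vpm = ntpath.normpath(m.group(1) or m.group(2)).lower()
            if not vpm.startswith(TRUSTED_ROOT):
                findings.append(f"VPM opened from untrusted location: {vpm}")
    return findings

def scan(lines):
    """Triage JSON-lines events; returns (line_number, finding), skipping bad lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            hits += [(n, f) for f in triage(event)]
    return hits

def ev(image, parent, cmd):
    return json.dumps({"Image": image, "ParentImage": parent, "CommandLine": cmd})

HMI = r"C:\Apps\HMITool\HMITool.exe"  # constructed install path
SAMPLE = [  # constructed events, not real telemetry
    ev(HMI, r"C:\Windows\explorer.exe", f'"{HMI}" "D:\\HMI_Projects\\line1.vpm"'),
    ev(HMI, r"C:\Windows\explorer.exe", f'"{HMI}" "C:\\Users\\op1\\Downloads\\update.vpm"'),
    ev(r"C:\Windows\System32\cmd.exe", HMI, "cmd.exe"),
    ev(HMI, r"C:\Windows\explorer.exe", HMI + r" D:\HMI_Projects\..\Temp\x.vpm"),
    "not json",
]
```

Calling scan(SAMPLE) flags events 2, 3 and 4; the allow-listed root and child baseline must be replaced with site-specific values before use.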

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • Use network segmentation to isolate HMI systems from corporate IT networks and the internet.
  • Implement strict access controls and file transfer policies to prevent malicious VPM files from reaching vulnerable systems.
  • Employ application whitelisting to prevent the execution of unauthorized code on HMI workstations.
  • Ensure antivirus and endpoint detection and response (EDR) solutions are up to date.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity score (CVSS 7.8) and the critical role of HMI systems in industrial environments, we strongly recommend that organizations treat this vulnerability with urgency. The primary course of action is to apply the security patches provided by INVT immediately, prioritizing internet-exposed systems and critical operational assets. While there is no current evidence of active exploitation, the potential for significant operational disruption and system compromise warrants immediate remediation and the implementation of compensating controls where patching is delayed.