Fastwel Patches Critical PLC Vulnerabilities That Allowed Code Execution

Russian industrial equipment manufacturer Fastwel has released security updates for two programmable logic controller (PLC) models, addressing nine serious vulnerabilities that could allow attackers to execute arbitrary code and take complete control of the devices.

The vulnerabilities affect Fastwel's CPM723-01 and CPM810-03 controllers, which are widely deployed across Russia's critical infrastructure sectors. According to the Russian industrial product registry, these PLCs operate in oil and gas facilities, railway systems, electric power grids, shipbuilding, metallurgy, mining operations, and utilities.

High-Severity Flaws Discovered

Positive Technologies researchers discovered the nine vulnerabilities, rated between 8.3 and 9.4 on the CVSS 4.0 scale—scores that indicate high to critical severity. The flaws received identifiers PT-2025-40257 through PT-2025-40265 (BDU:2025-11164–BDU:2025-11172 in Russia's vulnerability database).

The most dangerous issues (PT-2025-40257 through PT-2025-40260) enabled arbitrary code execution within the controller's operating system. In practical terms, an attacker exploiting these vulnerabilities could run any commands they wanted on the PLC, potentially causing equipment failures, production shutdowns, or safety incidents in the industrial processes these controllers manage.

Chain of Compromise

The remaining five vulnerabilities (PT-2025-40261 through PT-2025-40265) served as entry points for attackers to establish a foothold on the devices. Exploiting these flaws, an attacker could:

  • Gain administrator privileges for the web configurator
  • Access other controller services
  • Steal user credentials
  • Modify PLC configurations
  • Seize full control of the device

Prior to patching, both insiders and external attackers with network access to the equipment could exploit these vulnerabilities. The exposure was therefore not limited to internet-facing systems: controllers reachable from a compromised internal network or by a malicious insider were also at risk.

Protecting Industrial Control Systems

Maxim Gruzin, a specialist from Positive Technologies' ICS expertise group, emphasized that software patches alone aren't sufficient protection for industrial control systems.

"To reduce the likelihood of an attack using such errors and minimize the attack surface, companies should implement network segmentation and restrict access to the Industrial Control System local area network," Gruzin explained. "It is also advisable to disable the controller's web configurator and unused network services, and replace all default passwords with complex ones. It is important to ensure that only employees who genuinely need it have access to the PLCs."

Immediate Action Required

Organizations using the affected PLCs should update immediately:

  • CPM723-01: Update to version 3.4.9.5
  • CPM810-03: Update to version 3.4.5.1
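
An added example, not code from Fastwel or Positive Technologies: a small inventory audit that flags affected controllers still running firmware below the fixed versions listed above. The CSV layout, the host names and the rule that any version at or above the fixed one counts as patched are assumptions.

```python
import csv
import io

# Fixed firmware versions as stated in the article.
FIXED = {"CPM723-01": (3, 4, 9, 5), "CPM810-03": (3, 4, 5, 1)}

# Constructed sample inventory; host names and the CSV layout are assumptions.
SAMPLE_INVENTORY = """host,model,firmware
plc-pump-01,CPM723-01,3.4.9.5
plc-pump-02,CPM723-01,3.4.9.12
plc-sub-07,CPM810-03,3.4.5.0
plc-sub-08,CPM810-03,3.4.10.0
plc-yard-03,CPM723-01,unknown
hmi-01,OTHER-100,1.0.0
"""

def parse_version(text):
    """Turn '3.4.9.5' into (3, 4, 9, 5); return None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return {host: status} for every row whose model is an affected controller."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["model"].strip())
        if fixed is None:
            continue  # not one of the two affected models
        current = parse_version(row["firmware"])
        if current is None:
            results[row["host"]] = "UNKNOWN"  # treat as unpatched until verified
            continue
        # Pad so '3.4.9' compares as 3.4.9.0; tuples compare field by field as
        # integers, so 3.4.9.12 sorts after 3.4.9.5 (a string compare would not).
        width = max(len(current), len(fixed))
        cur = current + (0,) * (width - len(current))
        fix = fixed + (0,) * (width - len(fixed))
        results[row["host"]] = "PATCHED" if cur >= fix else "VULNERABLE"
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as UNKNOWN need the firmware version confirmed on the device itself before they are considered patched.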

Per Positive Technologies, exploiting these vulnerabilities could lead to significant failures in controlled technological equipment—failures that in industries like oil and gas or electric power could result in production losses, safety hazards, or service disruptions affecting thousands of people.

The Bigger Picture

This discovery highlights ongoing concerns about PLC security in industrial environments. These devices often run for years without updates, making them attractive targets for attackers seeking to disrupt critical infrastructure. The fact that these vulnerabilities existed in controllers deployed across multiple critical sectors underscores the importance of regular security assessments for industrial control systems.

For companies operating these PLCs, the message is clear: patch now, implement the recommended security controls, and conduct a review of other industrial equipment that may harbor similar vulnerabilities.