All news with #critical infrastructure tag

368 articles

Dutch raid seizes servers, arrests hosting co-owners

🛡️ Dutch authorities arrested two co-owners of related hosting companies and seized over 800 servers on May 18, alleging they operated infrastructure used by Russia for cyberattacks and influence operations targeting the EU. The arrests follow investigative reporting that linked MIRhosting and WorkTitans to Stark Industries, an ISP sanctioned by the EU for facilitating DDoS, proxy, and anonymity services tied to Russia-backed actors. Officials searched businesses and data centers and charged the suspects with violating sanctions law by making economic resources available to sanctioned entities. Both suspects deny wrongdoing and one company says it has paused services to the implicated client pending internal review.

Netherlands seizes servers tied to hosting firm

🔎 Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company accused of enabling cyberattacks, interference operations, and disinformation campaigns. Authorities say the suspects provided resources indirectly to Russian and Belarusian entities sanctioned by the EU, and that infrastructure was moved to a front company after sanctions. Raids recovered servers, laptops, phones, and records across multiple Dutch data centers.

Critical Cisco Secure Workload vulnerability demands immediate patch

🔒 A critical vulnerability in the on-premises Cisco Secure Workload platform can let a remote, unauthenticated attacker gain site admin privileges by sending a crafted HTTP request to an internal REST API. Cisco assigned CVE-2026-20223 a CVSS score of 10.0 and says the issue stems from insufficient validation and authentication of REST API access. Only on-prem deployments need to act: they should upgrade to the patched versions immediately, while the SaaS offering has already been fixed. Cisco reported no known exploitation in the wild at the time of disclosure.

Analysis: Fast16 Malware Targeted Nuclear Simulations

🔎 Symantec and Carbon Black confirm the Lua-based fast16 malware was a pre-Stuxnet sabotage tool designed to corrupt nuclear weapons testing simulations. The threat specifically targets high-explosive runs in LS-DYNA and AUTODYN, activating only when simulated material density reaches ~30 g/cm³. With 101 hook rules organized into 9–10 groups, the framework tracked software versions and spread laterally while avoiding some security products, indicating a methodical, long-running operation.

Universal Robots Polyscope 5 Command Injection Fix

⚠️ A critical OS command injection in the Dashboard Server of Universal Robots Polyscope 5 (CVSS 9.8) allows unauthenticated attackers to execute commands on the robot's operating system. Affected releases are versions prior to 5.25.1; the vendor has issued Polyscope 5 v5.25.1 as a corrective update. CISA advises immediate patching and network defenses including segmentation, firewalling, and limiting internet exposure.

Siemens Ruggedcom Rox Improper Access Control Flaw

⚠ The Siemens Ruggedcom Rox product contains an improper access control vulnerability in its web server JSON‑RPC interface that can allow an authenticated remote attacker to read arbitrary files on the underlying operating system with root privileges. Siemens has released updates and advises customers to upgrade to V2.17.1 or later. The issue is tracked as CWE-88 and CISA has republished the vendor advisory to increase visibility. Administrators should restrict network access and follow Siemens' operational security guidance.

Siemens Ruggedcom Rox OS Command Injection Fix Released

⚠ An input validation vulnerability in the feature key installation process of Siemens Ruggedcom Rox allows an authenticated remote attacker to inject OS commands and achieve arbitrary code execution with root privileges. Siemens has released updates and advises customers to upgrade affected devices to V2.17.1 or later without delay. CISA and Siemens recommend isolating control networks, restricting access, and following Siemens' operational guidelines to reduce exposure.

Siemens Ruggedcom Rox OS Command Injection Advisory

⚠️ An input validation vulnerability in the Scheduler feature of Siemens Ruggedcom Rox devices allows an authenticated remote attacker to inject OS commands via the device's Web UI. Successful exploitation can execute arbitrary commands with root privileges on the underlying operating system. Siemens has released updates and recommends upgrading to V2.17.1 or later; CISA urges operators to apply the patch and implement network protections such as firewalls, isolation, and secure remote access.

Siemens SIMATIC HMI Vulnerability in Unified Panels

🔒 Siemens reports that SIMATIC HMI Unified Comfort Panels before V21.0 are vulnerable to an unauthenticated access issue that exposes the embedded web browser via the Control Panel help link when access protections are not applied. The flaw is attributed to insecure default initialization (CWE-1188) and carries a vendor CVSS v3 score of 7.7. Siemens recommends updating affected panels to V21 or later, disabling the taskbar, and following operational security guidance to enable Control Panel access protection and change runtime autostart settings.

Siemens SIMATIC S7 Web Server Cross-Site Scripting Risks

⚠ Siemens SIMATIC S7 PLC web servers contain multiple cross-site scripting (XSS) vulnerabilities in their web interfaces that could allow an authenticated user with rights to download TIA projects to inject malicious scripts. Affected pages include the Communication parameters, Motion Control Diagnostics, and Firmware Update pages, where names or filenames are not properly sanitized. Siemens has published updates for several affected firmware lines—update to V2.9.9 or V3.1.6 or later where available—and is preparing further fixes. CISA republished the advisory and recommends restricting project downloads and firmware update rights, isolating devices, and applying vendor updates or compensating controls.

Siemens routers and switches vulnerable to IPv4 DoS

⚠️ A null pointer dereference vulnerability has been identified in multiple Siemens networking and industrial routers and gateways when processing specially crafted IPv4 requests. Exploitation can cause a denial-of-service condition that forces affected devices to stop responding and disrupts networked control functions. Recovery requires a manual restart of the device. Affected product families include SCALANCE, SIMATIC, RUGGEDCOM and IE/PB link variants, spanning many router, switch, and gateway models.

Siemens Ruggedcom Rox: Multiple Critical Vulnerabilities

🚨 Siemens reports that Ruggedcom Rox devices prior to V2.17.1 contain numerous third‑party vulnerabilities and has released updated firmware; customers are urged to update immediately. The issues include uncontrolled recursion, integer underflow/overflow, multiple stack- and heap-based buffer overflows, use‑after‑free, improper input validation and path traversal, among others. Affected components include Das U‑Boot, QEMU emulation modules, Python email parsing, linux‑pam and other supporting libraries. Apply the vendor updates to mitigate risks such as denial of service, boot bypass or potential code execution.

Siemens SIPROTEC 5 Session ID Randomness Vulnerability

⚠️ The Siemens SIPROTEC 5 series employs insufficiently random values for session identifiers on a subset of web endpoints, enabling an unauthenticated remote actor to brute-force and hijack valid sessions. Exploitation can permit limited read access to web server information without authorization. Siemens is preparing fixes and recommends updating to V11.0 or later where available, validating updates, and applying network protections such as segmentation, firewalls, and controlled remote access procedures.

Siemens Teamcenter vulnerabilities: patches and guidance

🔔 Siemens disclosed multiple vulnerabilities in Teamcenter that could affect availability, integrity, and confidentiality of affected installations. The vendor published patches across several builds and recommends administrators update to the indicated fixed versions (examples include V2312.0009, V2406.0006, V2412.0009, V2506.0005 and later). Identified issues include improper error checking (CWE-754), cross-site scripting (CWE-79), and hard‑coded credentials (CWE-798). CISA and Siemens advise minimizing network exposure, isolating control systems, applying vendor updates promptly, and following Siemens' industrial security guidance.

Siemens SENTRON PAC1261 Request Smuggling Patch Advisory

🔒 The web server in Siemens SENTRON 7KT PAC1261 Data Manager (versions before V2.1.0) contains a request smuggling vulnerability in the Go net/http package that can expose authorization tokens and permit administrative takeover. Siemens has released V2.1.0 to remediate the issue and recommends immediate updating. Mitigations include using encrypted protocols, restricting network exposure, and following vendor operational security guidance.

Siemens Opcenter RDnL: ActiveMQ Artemis Authentication Flaw

🔒 Siemens reports that Opcenter RDnL is affected by a Missing Authentication for Critical Function in Apache ActiveMQ Artemis. An unauthenticated actor on an adjacent network can force a broker to open an outbound Core federation to an attacker-controlled broker, risking message injection and availability impacts. Siemens and Apache recommend updating to Apache Artemis 2.52.0 or later and applying mitigations such as Core interceptors, disabling Core on exposed acceptors, and enforcing two-way SSL.

Fortinet fixes critical RCE flaws in Authenticator, Sandbox

🔒 Fortinet released Patch Tuesday updates addressing two critical remote code execution vulnerabilities: FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083), both rated 9.1. The flaws permit unauthenticated attackers to execute arbitrary commands; Fortinet advises upgrading FortiAuthenticator to 6.5.7/6.6.9/8.0.3 and FortiSandbox to 4.4.9 or 5.0.2. Both issues were found internally and have not yet been observed exploited in the wild, but Fortinet RCEs have been weaponized previously. Administrators should prioritize immediate patching and monitor credentials and logs.

CISA's CI Fortify: Guidance for Isolation and Recovery

🔒 CISA has launched CI Fortify, urging water, energy, transportation and communications operators to plan to disconnect from third-party networks and maintain essential services if targeted by cyber-attacks. The guidance sets two core objectives: isolation — proactively segmenting OT from business and upstream networks to keep services running in degraded communications — and recovery — documenting systems, backing up critical files and rehearsing component replacement or manual operation. Operators are advised to identify critical customers, set service targets, update continuity plans for prolonged isolation, and share the guidance with vendors, integrators and managed service providers.

Student Hacks TETRA System, Stops Taiwan High-Speed Trains

🔴 A 23-year-old university student in Taiwan was arrested after allegedly interfering with the country's TETRA-based communications for the Taiwan High Speed Rail (THSR). Authorities say he used SDR equipment and handheld radios to transmit a high-priority 'General Alarm' on April 5, forcing emergency brakes and halting four trains for 48 minutes. Investigators found decoded radio parameters and an accomplice who supplied critical THSR settings. Equipment including 11 radios, an SDR and a laptop was seized; the suspect faces criminal charges and was released on NT$100,000 bail.

CISA Urges Critical Infrastructure to Prepare for Isolation

🔒 CISA has launched the CI Fortify initiative to help critical infrastructure operators prepare to operate in isolation from the internet and third-party services during major cyber incidents. The program focuses on controlled isolation—distinct from traditional air-gapping—combined with local manual operations and rapid restoration. CISA will provide targeted assessments, guidance, and exercises during a pilot phase while urging operators to map dependencies and invest in resilient architectures.