< ciso brief />

All news with #ics security tag

121 articles

Monthly security roundup: May 2026 highlights

🎥 ESET Chief Security Evangelist Tony Anscombe reviews major cybersecurity stories from May 2026, focusing on industrial control system intrusions, an AI-directed data theft, a Google-reported AI-developed zero-day, and crypto kiosk scams. He outlines attack vectors such as weak passwords and internet-exposed systems, notes the partial failure of an IT-to-OT escalation, and previews mitigation advice for defenders. Watch Tony’s video for practical recommendations and refer to the April edition for additional context.

CP Plus NVR Stored XSS Advisory and Mitigation

📣 A stored Cross-Site Scripting (XSS) vulnerability affects certain CP Plus 8-channel NVR 1xxx series devices due to insufficient input sanitization. Successful exploitation can execute malicious scripts in the browsers of authenticated users and administrators, risking session hijacking, unauthorized actions, and data exposure. CP Plus recommends updating device firmware to the listed version and contacting support for upgrade assistance. CISA also advises network isolation, limiting internet exposure, and following established ICS defensive practices.

ABB Busch‑Welcome Door Opener: Debug Code Risk

🔒 ABB has identified an authentication bypass in specific Busch‑Welcome 2 Wire Door Opener Actuator versions due to active debug code and a compatibility mode enabled by default. Exploitation could allow unauthorized physical access to buildings where the device is installed. ABB provides an on‑site mitigation: toggle the product mode from "Door‑Open" to "Light" and back, then perform a mains power restart to force recalibration. CISA republishes the vendor advisory and recommends network isolation, minimized exposure, and use of secure remote access methods such as updated VPNs while encouraging organizations to follow ICS security best practices.

ABB AC500 V2 Modbus Buffer Over-read Advisory

🛡️ The advisory details a buffer over-read vulnerability in ABB AC500 V2 devices that can cause Modbus server responses to include fragments of earlier telegrams. Affected devices running older firmware may return invalid or appended data when presented with unsupported Modbus function codes. ABB issued a fix in AC500 V2 firmware version 2.5.3 (2016) and later; operators are urged to update and minimize network exposure. CISA republished the vendor advisory to raise visibility and recommends isolating control networks and using secure remote access.

ABB B&R Automation Runtime SDM Denial of Service

🔒 An Improper Resource Locking vulnerability in the System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network attacker to delete data and cause denial of service. The vendor corrected the issue in Automation Runtime 6.3 and Q4.93 and notes SDM is disabled by default in AR 6. B&R recommends applying updates, restricting SDM access, using TLS/mutual TLS, and limiting webserver access to trusted IPs.

Schneider Electric EcoStruxure HVAC Sensitive Data Risk

🔒 Schneider Electric has identified a CWE-312 vulnerability in EcoStruxure Machine Expert HVAC, a programming tool for Modicon M171-M172 controllers, that can expose sensitive information including protected source code. Version 1.10.0 includes a vendor-provided fix, and users are urged to update. The advisory also reiterates standard ICS security best practices to isolate control networks and limit exposure.

Tracking demo.pdb BadIIS: Commodity IIS Malware Toolset

🔍 Since 2024, Talos has tracked a BadIIS variant identified by consistent "demo.pdb" PDB paths across the Asia‑Pacific region and isolated cases elsewhere. The PDB path patterns—including Chinese folder names, Administrator\Desktop build artifacts, and date‑based versioning—provide a reliable fingerprint for clustering and attribution. Talos recovered a 2022 builder that produces configured 32/64‑bit payloads, uses a unique 'lwxat' C2 authentication check and XOR 0x3 obfuscation, and supports modular SEO‑fraud and proxy features. Evidence shows active development from Sept. 2021 through Jan. 2026.

Fuji Electric Tellus Privilege Escalation Advisory

🔒 CISA published an advisory describing a privilege-escalation vulnerability in Fuji Electric Tellus arising from a kernel driver that grants all users read and write permissions. Successful exploitation could elevate a user to system privileges and may enable temporary denial of service, file opening, or file deletion. The vendor recommends installing Tellus only with administrator privileges; CISA notes the issue is not remotely exploitable and no public exploitation has been reported. CISA advises implementing ICS defensive measures and following established reporting procedures.

Guide to Accelerate Zero Trust for Operational Technology

🔐 CISA and U.S. government partners published Adapting Zero Trust Principles to Operational Technology, a practical guide for OT owners, operators, and Zero Trust practitioners. The guidance explains how to apply Zero Trust in OT environments while minimizing risk to mission-critical systems and accommodating legacy constraints and safety requirements. It highlights establishing zones and conduits, addressing supply chain risks, and implementing robust identity and access management to reduce exposure and strengthen resilience.

NSA GRASSMARLIN XML External Entity Vulnerability Advisory

⚠️ A vulnerability in NSA GRASSMARLIN allows crafted session data to trigger improper XML parsing that may disclose sensitive information. Tracked as CVE-2026-6807 and classified under CWE-611, the issue affects GRASSMARLIN v3.2.1 and carries a CVSS 3.1 base score of 5.5 (MEDIUM). The GRASSMARLIN project reached end-of-life in 2017 and is archived, so no vendor patches are planned; CISA recommends compensating controls, network isolation, and following published ICS defensive guidance.

Siemens Industrial Edge Management Authentication Bypass

🔒 Siemens has disclosed an authorization bypass vulnerability in Industrial Edge Management that may allow an unauthenticated remote attacker to circumvent authentication and access connected devices using the product's remote connection feature. Tracked as CVE-2026-33892, the flaw has a CVSS v3.1 base score of 7.1 (High). Siemens released patched versions and urges operators to update immediately and restrict network access to affected systems.

Siemens TPM 2.0 Vulnerability (CVE-2025-2884) Advisory

🔒 The Siemens TPM 2.0 reference implementation contains a vulnerability (CVE-2025-2884) in the CryptHmacSign helper that can perform an out‑of‑bounds read because it does not validate the signature scheme against the signature key algorithm. Successful exploitation could result in information disclosure or denial of service of the TPM. Siemens ProductCERT has published fixes for many affected SIMATIC and IPC models and is preparing additional updates; where fixes are not yet available, CISA and Siemens recommend network isolation and other mitigations.

Siemens SINEC NMS UMC Authentication Bypass Vulnerability

⚠️ A vulnerability in Siemens SINEC NMS when used with the User Management Component (UMC) allows an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. Tracked as CVE-2026-24032 and scored CVSS v3.1 7.3 (High), the flaw stems from insufficient validation of user identity in the UMC. Siemens released an update; operators should upgrade to V4.0 SP3 or later. Limit network exposure, isolate control networks behind firewalls, and follow Siemens' industrial security guidance when applying fixes.

Multiple critical vulnerabilities in SenseLive X3050 devices

⚠️ The CISA advisory reports multiple high-severity vulnerabilities in SenseLive X3050 (V1.523) that can allow an attacker on the network to bypass authentication, obtain administrative access, and perform unauthorized firmware operations. Affected issues include hard-coded credentials, missing authentication and authorization, insufficient session handling, cleartext management traffic, CSRF, and unsafe configuration controls that may destabilize device operation. CISA notes no known public exploitation to date; administrators should reduce exposure and contact the vendor.

Siemens Analytics Toolkit: Certificate Validation Flaw

🔒 Multiple Siemens analytics applications are affected by improper certificate validation in the Siemens Analytics Toolkit, which could allow an unauthenticated remote attacker to conduct man-in-the-middle (MITM) attacks. Affected products include Siemens Software Center, Simcenter 3D, Simcenter Femap, Simcenter STAR-CCM+, Solid Edge, and Tecnomatix Plant Simulation. Siemens has released vendor fixes; CISA and Siemens recommend applying the updates immediately, minimizing network exposure, and following operational security guidance to isolate control system networks and secure remote access.

Siemens SCALANCE W-700 Series Multiple Firmware Flaws

⚠️ Siemens SCALANCE W-700 series devices with firmware earlier than V6.6.0 are affected by multiple security vulnerabilities. Siemens released firmware V6.6.0 to address these issues and urges operators to update affected units promptly. Temporary mitigations include reducing Wi‑Fi power, restricting physical access, disabling A‑MSDU if available, and minimizing network exposure of control devices. Several flaws could allow remote attackers to execute actions or cause denial of service; some carry high or critical CVSS scores.

Siemens RUGGEDCOM CROSSBOW SAC: SQLite Vulnerability

⚠️ Siemens reports a vulnerability in RUGGEDCOM CROSSBOW Station Access Controller (SAC) that can lead to memory corruption, denial of service, or possible arbitrary code execution. The issue is tied to a numeric truncation error in older SQLite releases (prior to 3.50.2) and is tracked as CVE-2025-6965. Siemens recommends updating SAC to V5.8 or later and ensuring SQLite is at least version 3.50.2 to mitigate the risk.

Siemens SINEC NMS Authorization Bypass Vulnerability

⚠️ Siemens ProductCERT reports an authorization bypass in SINEC NMS prior to V4.0 SP3 that permits an authenticated attacker to reset the password of any user account. The vulnerability arises from improper validation of authorization when processing password reset requests. Siemens has released V4.0 SP3 to remediate the flaw, and CISA republished the vendor advisory. Until systems are updated, organizations should apply network restrictions, isolate control networks, and require secure remote access.

ZionSiphon OT Malware Targets Water Treatment Systems

💧 Researchers at Darktrace identified ZionSiphon, a new operational technology malware engineered to sabotage water treatment and desalination environments. The sample includes routines to increase chlorine dosing, force valves open, and raise reverse osmosis (RO) pressure by appending fixed configuration entries, and it propagates via USB as a hidden svchost.exe. A faulty IP verification routine currently prevents activation, but attackers could correct the logic to enable dangerous OT manipulation.

Nearly 4,000 US Rockwell PLCs Exposed in Iranian Attacks

🔒 A joint U.S. federal advisory warns that Iranian state-backed hackers have been targeting Rockwell Automation/Allen‑Bradley PLCs since March 2026, extracting project files and manipulating HMI/SCADA displays. Censys researchers found 5,219 EtherNet/IP hosts exposed online globally, with 3,891 (74.6%) in the United States and a notable share on cellular carrier ASNs. Agencies urge disconnecting or firewalling PLCs, enforcing MFA, applying updates, disabling unused services, and monitoring OT ports and logs for suspicious overseas traffic.