All news with #ot security tag

321 articles · page 4 of 17

External Forces Reshaping Cybersecurity Risk Today

🔒 Over the past four years, organizations have increasingly faced threats that originate in third-party networks, with more than 35% of breaches tied to compromised vendors or partners. International conflict, generative AI and growing supply-chain exposure are accelerating risk and extending its impact to Operational Technology (OT) and IoT environments. Leaders should elevate OT risk to board level, adopt immutable 3-2-1-1 backup strategies, and establish an AI Risk Council to enforce governance and penetration testing before broad AI adoption.

Critical CLI Escape in WAGO Managed Switches (CVE-2026-3587)

⚠️ An unauthenticated remote attacker can trigger a hidden CLI function in WAGO industrial managed switches to escape the restricted interface and gain full control of the device. The vulnerability is tracked as CVE-2026-3587 and classified under CWE-912 (hidden functionality). CISA rates the issue CRITICAL with a CVSS v3.1 base score of 10.0. Operators should install the vendor's fixed firmware or, as an interim measure, disable SSH and Telnet.

Pharos Controls Mosaic Show Controller Critical RCE

🛡️ Pharos Controls Mosaic Show Controller firmware 2.15.3 contains a Missing Authentication for Critical Function vulnerability (CVE-2026-2417) that can allow an unauthenticated attacker to execute arbitrary commands with root privileges. The flaw has a CVSS v3.1 base score of 9.8 (Critical). Pharos Controls recommends upgrading to version 2.16 or later and isolating controllers from public networks.

Schneider Electric Plant iT/Brewmaxx: Critical Redis Flaws

🔒 Schneider Electric and ProLeiT disclosed several Redis-related vulnerabilities in Plant iT/Brewmaxx that could permit privilege escalation and, in some cases, remote code execution. The issues stem from embedded Redis 8.2.1 (and earlier) instances and include use-after-free, integer overflow, and code-injection vectors. Schneider and ProLeiT recommend installing patch ProLeiT-2025-001, disabling Redis eval commands, applying secure Redis configuration templates, and restarting patched systems while following recommended ICS cybersecurity practices.
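
The advisory's own mitigations, disabling EVAL and applying a secure Redis configuration, are easy to check for before and after patching. The following is an added example written for this listing (not code from Schneider Electric, ProLeiT or the Redis project) that audits a redis.conf text for the settings that make an embedded instance reachable and scriptable: a wildcard bind, protected-mode off, a password-less enabled user, and EVAL/EVALSHA still permitted. The two sample configs, the `plantit` user and its placeholder password are constructed; ACL semantics are approximated as described in the docstring.

```python
"""Audit a redis.conf for the weak settings behind the Plant iT/Brewmaxx class of
issue: an embedded Redis reachable on the network, without authentication, with
EVAL (Lua scripting) still callable.

Added example for this listing, not code from Schneider Electric, ProLeiT or the
Redis project. Both configs below are constructed samples; the 'plantit' user and
its password are placeholders. ACL semantics are approximated: each 'user' line
is read left to right starting from an empty rule set (as redis.conf user
directives do), and the implicit default user is 'on nopass +@all'.
"""

OPEN_BIND = {"0.0.0.0", "::", "*", "-::*"}


def parse_conf(text):
    """Return [(directive, [args...])]; full-line comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def users(conf):
    """ACL users as {name: [rules]}, adding the implicit default user if absent."""
    defined = {args[0]: args[1:] for d, args in conf if d == "user" and args}
    if "default" not in defined:
        # Without a 'user default' line Redis creates it as on/nopass/+@all;
        # 'requirepass' only attaches a password to that default user.
        pw = [a for d, a in conf if d == "requirepass" and a and a[0] != '""']
        defined["default"] = ["on", ">set" if pw else "nopass", "~*", "+@all"]
    return defined


def scripting_allowed(rules):
    """Walk ACL command rules left to right; True if EVAL/EVALSHA end up allowed."""
    allowed = False
    for r in rules:
        if r in ("+@all", "allcommands", "+@scripting", "+eval", "+evalsha"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_conf(text)

    def get(name):
        return [a for d, a in conf if d == name]

    findings = []
    pm = get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("protected-mode is off")

    binds = get("bind")
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(addr in OPEN_BIND for addr in binds[-1]):
        findings.append("bind includes a wildcard address: %s" % " ".join(binds[-1]))

    acl = users(conf)
    for name, rules in acl.items():
        if "on" in rules and "nopass" in rules:
            findings.append("user '%s' is enabled without a password" % name)

    # Older hardening: rename-command EVAL "" / EVALSHA "" removes the commands
    # entirely; otherwise check the per-user ACL rules.
    renamed = {a[0].upper() for d, a in conf
               if d == "rename-command" and len(a) == 2 and a[1] == '""'}
    if not {"EVAL", "EVALSHA"} <= renamed:
        for name, rules in acl.items():
            if "on" in rules and scripting_allowed(rules):
                findings.append("user '%s' can run EVAL/EVALSHA (Lua scripting)" % name)
    return findings


# Constructed samples, not vendor-shipped configuration.
WEAK_CONF = """
# Embedded Redis as it often ships inside an application stack
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
# Disable the implicit default user; give the application its own identity.
user default off
user plantit on >ChangeMe-placeholder ~* &* +@all -@scripting -@dangerous
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["OK"])
```

Run it against the redis.conf the application ships; a non-empty result lists what to change. On Redis 7 and later, ACL rules such as `-@scripting` are the supported way to take scripting away from a user, and `rename-command EVAL ""` is the older approach the check also accepts.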

Schneider Electric Foxboro DCS Deserialization Flaw Patched

🔒 Schneider Electric has disclosed a deserialization of untrusted data vulnerability (CVE-2026-1286) impacting EcoStruxure Foxboro DCS versions prior to CS 8.1. An authenticated administrative user who opens a malicious project file could compromise confidentiality and integrity and potentially achieve remote code execution on a workstation (CVSS 3.1: 6.5). Schneider released CS 8.1 which requires FX-V3 licenses and a reboot; standard upgrade procedures apply. Until patched, follow mitigations such as restricting files to trusted sources, enforcing least privilege, and isolating DCS networks.

Water Utilities Boost Cybersecurity Through Cooperation

💧 Water utilities facing aging operational systems and limited IT staff are improving cybersecurity by sharing information and coordinating responses. A two-year pilot led by the Cyber Readiness Institute and the Center on Cyber and Technology Innovation, sponsored by Microsoft, enrolled about 200 small and mid-sized utilities. The study found that combining cybersecurity training with hands-on technical assistance, stronger sector links and practical support is more effective than distributing guidance alone.

Schneider Electric Modicon M241/M251/M262 DoS Vulnerability

⚠️ Schneider Electric disclosed a CWE-404 Improper Resource Shutdown or Release vulnerability (CVE-2025-13901) affecting Modicon M241, M251, and M262 controllers that can cause a partial denial-of-service of the Machine Expert protocol when an unauthenticated actor sends a crafted payload. The issue is rated CVSS v3.1 5.3 (Medium). Vendor firmware updates (M241/M251: 5.4.13.12; M262: 5.4.10.12) are available. Until updates are applied, isolate controllers, restrict network access, and use encrypted remote connections.

EcoStruxure Automation Expert: Vulnerability and Patch

⚠️ Schneider Electric has disclosed a vulnerability in EcoStruxure Automation Expert (CVE-2026-2273), a CWE-94 code injection flaw that can execute arbitrary commands on an engineering workstation when an authenticated user opens a malicious project file. The issue affects versions prior to v25.0.1 and carries a CVSS v3.1 base score of 8.2 (High). Schneider fixed the vulnerability in v25.0.1; administrators should apply the vendor update promptly or implement the recommended mitigations (restrictive file permissions, storing project files in user home directories, and verifying file authenticity) to reduce the risk of workstation and broader system compromise.

Schneider Electric Modicon Controllers XSS Advisory

🔒 CISA warns of a cross-site scripting and open redirect vulnerability (CVE-2025-13902) affecting Schneider Electric Modicon controllers M241, M251, M258, and LMC058. Successful exploitation may enable account takeover or arbitrary JavaScript execution in a user's browser. Schneider provides firmware 5.4.13.12 for M241 and M251 via EcoStruxure Machine Expert v2.5.0.1; M258 and LMC058 currently require mitigations. No known public exploitation has been reported.

Mitsubishi Electric CNC Series: Out-of-Bounds Read Issue

⚠️ A vulnerability (CVE-2025-2399) in Mitsubishi Electric CNC Series can be exploited remotely to trigger an out-of-bounds read and cause a denial-of-service by sending specially crafted packets to TCP port 683. A range of M800, M80, M70, E70/E80, C80 and NC Trainer models are affected. Mitsubishi Electric has published fixed firmware builds (BC or later, FN or later depending on model); users should contact their vendor representative to obtain and apply updates. If immediate updates are not possible, the vendor recommends restricting network exposure, firewalling, using VPNs, enabling IP filters where available, and limiting physical and network access.

Automated Logic WebCTRL BACnet Vulnerabilities — Mar 2026

🔒 CISA warns of multiple high‑severity vulnerabilities in Automated Logic WebCTRL servers that could allow attackers to read, intercept, or modify BACnet communications. Known affected releases include versions earlier than v8.5, and WebCTRL 7 is end‑of‑life and unsupported. The advisory describes three CVEs — CVE-2026-25086 (port binding impersonation), CVE-2026-32666 (BACnet packet spoofing), and CVE-2026-24060 (cleartext transmission, CVSS 9.1) — and urges operators to upgrade to supported releases with BACnet/SC, implement TLS/mutual authentication where available, and apply network segmentation, access controls, and vendor secure configuration best practices to reduce exposure.
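
Two of the three CVEs come down to controllers accepting cleartext, unauthenticated BACnet/IP, so a segmentation or monitoring team needs to see which hosts are actually issuing writes. The block below is an added example for this listing, not code from Automated Logic or CISA: a minimal BACnet/IP decoder (BVLC header, NPDU routing fields, APDU type and service choice) plus a check that flags state-changing services (WriteProperty, WritePropertyMultiple, DeviceCommunicationControl, ReinitializeDevice) sent by any host outside an assumed allowlist. The datagrams, IP addresses and the allowlist are constructed for the demo.

```python
"""Decode BACnet/IP datagrams (BVLC, NPDU, APDU) and flag cleartext control
services that do not come from an approved BMS host.

Added example for this listing, not code from Automated Logic or CISA. The
datagrams are constructed by hand, the approved-host list is an assumption, and
'control service' here means the confirmed services that change controller
state. Anything decoded here arrived as BVLC type 0x81 on UDP/47808, i.e. as
cleartext BACnet/IP; BACnet/SC runs over TLS and never appears in this form.
"""
import struct

BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
CONFIRMED = {12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty",
             16: "writePropertyMultiple", 17: "deviceCommunicationControl",
             20: "reinitializeDevice"}
UNCONFIRMED = {0: "i-Am", 6: "timeSynchronization", 7: "who-Has", 8: "who-Is"}
CONTROL_SERVICES = {"writeProperty", "writePropertyMultiple",
                    "deviceCommunicationControl", "reinitializeDevice"}


def parse_bacnet_ip(data):
    """Return BVLC function, NPDU routing info, APDU type and service name."""
    if len(data) < 4 or data[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC 0x81) frame")
    func, length = data[1], struct.unpack(">H", data[2:4])[0]
    if length != len(data):
        raise ValueError("BVLC length %d != datagram length %d" % (length, len(data)))
    if func not in BVLC_FUNCTIONS:          # BVLC-Result, Register-Foreign-Device, ...
        return {"bvlc": "0x%02x" % func, "dnet": None, "snet": None,
                "apdu": "bvlc-only", "service": None}
    pos = 4 + (6 if func == 0x04 else 0)    # Forwarded-NPDU carries original B/IP addr
    if data[pos] != 0x01:
        raise ValueError("unsupported NPDU version 0x%02x" % data[pos])
    control = data[pos + 1]
    pos += 2
    info = {"bvlc": BVLC_FUNCTIONS[func], "dnet": None, "snet": None}
    if control & 0x20:                      # DNET, DLEN, DADR present
        info["dnet"] = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 3 + data[pos + 2]
    if control & 0x08:                      # SNET, SLEN, SADR present
        info["snet"] = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 3 + data[pos + 2]
    if control & 0x20:
        pos += 1                            # hop count follows the SADR field
    if control & 0x80:                      # network-layer message: no APDU
        info.update(apdu="network-layer", service="net-msg 0x%02x" % data[pos])
        return info
    pdu_type = data[pos] >> 4
    if pdu_type == 0:                       # Confirmed-Request
        svc = pos + 3 + (2 if data[pos] & 0x08 else 0)   # +seq/window if segmented
        info.update(apdu="confirmed", invoke_id=data[pos + 2],
                    service=CONFIRMED.get(data[svc], "confirmed-%d" % data[svc]))
    elif pdu_type == 1:                     # Unconfirmed-Request
        info.update(apdu="unconfirmed",
                    service=UNCONFIRMED.get(data[pos + 1], "unconfirmed-%d" % data[pos + 1]))
    else:                                   # ACKs, errors, rejects, aborts
        info.update(apdu="pdu-type-%d" % pdu_type, service=None)
    return info


def audit(packets, approved_writers):
    """One finding per control service from an unapproved source or malformed frame.

    packets: iterable of (src_ip, dst_ip, udp_payload_bytes) seen on UDP/47808.
    """
    findings = []
    for src, dst, payload in packets:
        try:
            p = parse_bacnet_ip(payload)
        except (ValueError, IndexError) as exc:
            findings.append("%s -> %s: malformed frame (%s)" % (src, dst, exc))
            continue
        if p["service"] in CONTROL_SERVICES and src not in approved_writers:
            via = " (routed from SNET %d)" % p["snet"] if p["snet"] is not None else ""
            findings.append("%s -> %s: cleartext %s from unapproved host%s"
                            % (src, dst, p["service"], via))
    return findings


# Constructed datagrams (hex of the UDP payload), not a real capture.
PACKETS = [(s, d, bytes.fromhex(h)) for s, d, h in [
    ("10.1.1.50", "10.1.1.255", "810b000c0120ffff00ff1008"),           # Who-Is, DNET 0xffff
    ("10.1.1.10", "10.1.1.60", "810a001101040005010c0c02000008194c"),  # ReadProperty device:8
    ("10.1.1.10", "10.1.1.60",                                         # WriteProperty AI:1 = 100.0
     "810a001a01040005020f0c0000000119553e4442c800003f4908"),
    ("10.1.1.200", "10.1.1.60",                                        # same write, unknown host
     "810a001a01040005020f0c0000000119553e4442c800003f4908"),
    ("10.1.1.200", "10.1.1.60", "810a0010010c00010105000503140900"),   # ReinitializeDevice via SNET 1
    ("10.1.1.1", "10.1.1.255", "810b0007018000"),                      # Who-Is-Router-To-Network
    ("10.1.1.200", "10.1.1.60", "810a00200104"),                       # BVLC length field lies
]]
APPROVED_WRITERS = {"10.1.1.10"}   # assumed: the WebCTRL server

if __name__ == "__main__":
    for f in audit(PACKETS, APPROVED_WRITERS):
        print("ALERT", f)
```

Feed it UDP/47808 payloads from a SPAN-port capture. Everything it decodes is by definition cleartext BACnet/IP, so after a migration to BACnet/SC the same capture should show only legacy or rogue nodes, and those are the hosts the advisory's segmentation advice needs to cover first.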

FedRAMP High: Falcon for XIoT Extends Federal Protection

🔒 CrowdStrike Falcon Platform for Government now includes Falcon for XIoT, delivering FedRAMP High–authorized visibility and protection for connected and operational technology assets. The solution provides native, zero‑touch XIoT asset discovery with deep protocol support and ICS vendor validation to preserve operational continuity across critical infrastructure. It also leverages AI-powered risk prioritization to surface and rank high‑risk conditions across converged IT/OT environments.

Fortinet Named a Challenger in Gartner 2026 CPS MQ

🔒 Fortinet has been named a Challenger in the 2026 Gartner Magic Quadrant for Cyber-Physical Systems (CPS) Protection Platforms. The recognition underscores the capabilities of the Fortinet OT Security Platform to secure converged IT/OT environments through deep OT visibility, protocol-aware segmentation, and integrated networking and security. Fortinet emphasizes unified management, ruggedized firewalls, secure SD-WAN, ZTNA, NAC, and AI-driven operations to reduce risk while preserving uptime and safety in industrial settings.

Fortinet Named Challenger in Gartner Magic Quadrant

🔒 Fortinet was named a Challenger in the 2026 Gartner Magic Quadrant for Cyber-Physical Systems Protection Platforms, highlighting recognition of the Fortinet OT Security Platform. The vendor positions its solution as a unified approach that delivers OT-aware controls—automated discovery, protocol visibility, segmentation, and ruggedized firewalls—while avoiding disruption to uptime and safety. Fortinet emphasizes integrated networking and security to reduce complexity and accelerate detection and response across converged IT/OT environments.

Improper Access Control in Heliox EV Chargers — Patch

⚠️ Siemens has issued updates for Heliox EV chargers after identifying an improper access control vulnerability that could allow an attacker to reach unauthorized services via the charging cable. Affected models include the Heliox Flex 180 kW and Heliox Mobile DC 40 kW stations. Siemens recommends applying the provided over-the-air (OTA) updates and contacting customer support for patch rollout details. CVE-2025-27769 is rated CVSS v3.1 2.6 (Low) and categorized as CWE-923.

Trane Tracer SC Family: Multiple High-Risk Vulnerabilities

⚠️ CISA published an advisory for Trane Tracer SC, Tracer SC+, and Tracer Concierge reporting five vulnerabilities that could lead to information disclosure, arbitrary command execution, or denial-of-service. The issues (CVE-2026-28252 through CVE-2026-28256) include broken cryptography, excessive memory allocation, missing authorization, and hard-coded credentials/constants. Affected builds include Tracer SC < v4.4_SP7 and Tracer SC+/Concierge < v6.3.2310; Trane released Tracer SC+ v6.30.2313 to address these flaws. CISA advises isolating control networks, restricting remote access, applying vendor updates, and following ICS defensive best practices.

Why Zero Trust Fails in IoT and OT: A Linkage Perspective

⚠️ Zero trust principles deliver measurable gains in enterprise IT, but they often miss dominant failure modes in IoT and OT. The author argues that zero trust assumes explicit, identity-centric and continuously enforceable trust, while IoT/OT systems rely on implicit, durable trust relationships and centralized control paths. Adopt the unified linkage model (ULM) to map adjacency, inheritance and trust propagation, and prioritize protection of management planes, firmware update paths and vendor integrations.

Lantronix EDS3000PS and EDS5000 Critical Vulnerabilities

⚠️ Lantronix EDS3000PS and EDS5000 devices contain multiple critical vulnerabilities, including OS command injection and authentication bypass, some exploitable without authentication, that can result in root-level code execution. Affected firmware versions include EDS3000PS 3.1.0.0R2 and EDS5000 2.1.0.0R3, with several CVEs rated CVSS 9.8. Lantronix has published firmware updates to 3.2.0.0R2 and 2.2.0.0R1. Operators should apply updates, restrict network exposure, and follow CISA mitigation guidance.

Honeywell IQ4x BMS Controller Critical Authentication Flaw

⚠️ CISA warns that Honeywell IQ4x Building Management System controllers expose a factory-default web HMI without authentication (tracked as CVE-2026-3611). An unauthenticated actor able to reach the HTTP interface can create administrative accounts via the U.htm function, gain full read/write control, and potentially lock out legitimate operators. Honeywell has not issued a patch; operators should apply network mitigations immediately.

The OT Security Time Bomb in Energy & Pharma Manufacturing

⚠️ Legacy operational technology in critical plants — often running unsupported systems like Windows XP and using insecure protocols — represents a persistent and escalating cyber risk. The author, an experienced OT security practitioner, identifies three main blockers: the taboo of planned downtime, cultural and language gaps between IT and OT teams, and diffused budget and accountability. He documents a typical attack chain that begins in IT, moves laterally through poorly segmented networks, and exploits unmonitored legacy controllers, and recommends a pragmatic, phased response: risk-based inventory, IEC 62443-aligned segmentation, OT-aware monitoring, compensating controls and stepwise modernization to reduce exposure without halting production.