
All news with #ot security tag

321 articles · page 5 of 17

Delta CNCSoft-G2 Out-of-Bounds Write Vulnerability

🛡️ An Out-of-Bounds Write vulnerability in the DOPSoft DPAX parser of CNCSoft-G2 (CVE-2026-3094) can lead to remote code execution on affected devices. The flaw affects versions prior to V2.1.0.39 and has a CVSS v3.1 score of 7.8 (High). Although the flaw requires local access and is not remotely exploitable, Delta recommends updating to V2.1.0.39 to remediate the issue, and CISA advises reducing network exposure and following ICS security best practices.

State-affiliated groups prepare disruptive OT attacks

⚠️ Dragos reports that multiple state-affiliated threat groups have shifted from long-term access to actively mapping and preparing disruptive attacks against industrial control systems. Adversaries tracked as Voltzite, Kamacite, Electrum, and others have been observed harvesting engineering workstation files, scanning device types to map control loops, and staging wiper and firmware-corruption capabilities. The access-broker model — exemplified by Sylvanite handing footholds to operational teams — shortens the timeline from intrusion to operational readiness. With under 10% of OT environments monitored, many sites lack the visibility needed to detect or respond to these preparations.

Hitachi Energy RTU500 Firmware Vulnerabilities Identified

🔒 Hitachi Energy disclosed multiple vulnerabilities in the RTU500 series CMU firmware that may reveal limited user-management data or cause device outages. The issues span improper permission handling, input validation gaps, uncontrolled recursion, and unbounded memory allocation, with CVSS scores up to 7.5. Vendor fixes are available — update to CMU Firmware 12.7.8, 13.7.8 (or later), or 13.8.2 as applicable — and apply recommended network mitigations until devices are patched.

Denial-of-Service Flaws in Mitsubishi MELSEC iQ-F Modules

⚠ The Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP and FX5-EIP modules contain multiple denial-of-service vulnerabilities that can be triggered by continuous UDP packet streams. The issues have a CVSS 3.1 base score of 7.5 and include an always-incorrect control flow flaw and improper resource shutdown conditions. Mitsubishi released an update for FX5-ENET/IP (v1.107 or later); fixes for FX5-EIP are planned and mitigations are recommended where no fix is available.

Operation Epic Fury Adds New Enterprise Risk Layer

⚠ Operation Epic Fury — the US administration's sustained kinetic pressure on core Iranian regime assets — creates an immediate layer of operational risk for multinationals with people, infrastructure, or supply dependencies in the Middle East and beyond. Briefings from Washington offer situational context but do not capture the operational exposure that surfaces as hostilities begin. CISOs, CSOs, and chief risk officers must validate assumptions, set evacuation and wellness protocols, and apply travel thresholds. Cyber posture should be hardened with accelerated patching, edge device controls, and OT segmentation to reduce attack surface.

Yokogawa CENTUM VP Vnet/IP Vulnerabilities and Patch

🔒 Yokogawa has issued patches for multiple Vnet/IP vulnerabilities affecting CENTUM VP R6 and R7 interface packages that could allow denial-of-service or, in one case, arbitrary code execution. Affected packages (VP6C3300 and VP7C3300) at or below R1.07.00 are vulnerable; the flaws are tracked as CVE-2025-1924 and CVE-2025-48019 through CVE-2025-48023. CISA reports CVSS scores up to 6.9 (MEDIUM) and recommends applying vendor patch R1.08.00 and following advisory YSAR-26-0002 for implementation guidance.

Pelco Sarix Pro 3 Series Authentication Bypass Advisory

🔒 CISA reports an authentication bypass vulnerability (CVE-2026-1241) affecting Pelco Sarix Professional 3 Series IP cameras running firmware <=02.52. Successful exploitation can permit unauthenticated access to live video streams and sensitive device data, creating privacy, operational, and compliance risks across multiple critical infrastructure sectors. Pelco has released firmware 02.53 to address the issue; users should update promptly and follow network hardening guidance such as isolating camera networks, minimizing internet exposure, and placing devices behind firewalls.

Copeland XWEB/XWEB Pro Multiple Critical Vulnerabilities

⚠️ Copeland has released patches addressing numerous severe vulnerabilities in XWEB and XWEB Pro appliances that may allow authentication bypass, remote code execution, denial-of-service, path traversal, and memory corruption. Affected firmware includes XWEB 300D PRO, 500D PRO, and 500B PRO running version 1.12.1 or earlier. Several issues are rated high or critical, including one pre-authentication vulnerability with a CVSS v3.1 score of 10.0. Administrators should apply vendor updates immediately and minimize device exposure on untrusted networks.

Johnson Controls Frick Quantum HD: Critical Vulnerabilities

⚠️ Johnson Controls Frick Controls Quantum HD (versions <= 10.22) contains multiple critical vulnerabilities that can allow pre-authentication remote code execution, code injection, information disclosure, and denial of service. CISA catalogs six CVEs, including four critical code/OS injection issues (CVSS 9.1), a high severity path traversal (CVSS 7.5), and a medium severity plaintext credential issue (CVSS 6.2). The vendor designates versions 10.22–11 as legacy and recommends upgrading to Quantum HD Unity version 12 or higher, applying the vendor hardening guidance, and following network isolation and access best practices.

Fortinet, Parsec and Westermo Secure OT Connectivity

📡 Fortinet announced Alliance Partnerships with Parsec Technologies and Westermo to deliver ruggedized, rapidly deployable secure connectivity for mobile and fixed cyber-physical systems. The Parsec Emergency Connectivity Kit (ECK) packages preconfigured Fortinet devices with rugged enclosures and high-gain antennas for quick field deployment, available as Bloodhound (mobility) and Pitbull (resilience) models. Westermo integration brings WeOS switches and cellular routers into the Fortinet Security Fabric via IPsec, while FortiAuthenticator and FortiPAM extend identity and privileged access controls for industrial sites.

Bring the Fight to the Edge: Time-Based OT Defense

🔍 Recent joint research from Palo Alto Networks, Siemens and the Idaho National Laboratory shows that most OT-impacting attacks originate in IT and manifest at the IT–OT edge. Analysts found attackers dwell an average of 185 days in precursor phases, producing detectable signals like credential abuse, reconnaissance and protocol misuse. The paper recommends edge-focused telemetry and an OT SOC-driven active defense to detect and disrupt threats before operational impact.

InSAT MasterSCADA BUK-TS: Critical RCE Vulnerabilities

⚠️ CISA reports two critical remote code execution vulnerabilities in InSAT MasterSCADA BUK-TS (all versions). CVE-2026-21410 enables SQL injection via the main web interface, and CVE-2026-22553 allows OS command injection through the MMadmServ interface. Both CVEs have CVSS v3.1 base scores of 9.8. CISA recommends minimizing network exposure, isolating control systems behind firewalls, using secure remote access, and contacting the vendor for guidance.

Record Highs in Industrial Control System Vulnerabilities

🔒 Forescout's new report finds that 2025 saw a record 508 ICS advisories covering 2,155 CVEs and a notable rise in vulnerability severity. The average CVSS for advisories rose to above 8.0 in 2024–2025, with the most affected assets including Purdue Level 1 field controllers, Level 3 operational systems and control-level devices. The vendor warns that reduced CISA advisory coverage and many untracked vulnerabilities increase OT/ICS risk and calls for greater vendor accountability and industry collaboration.

EnOcean SmartServer IoT: Remote Code Execution Risk

🔒 A pair of vulnerabilities in EnOcean SmartServer IoT firmware (<=4.60.009) can be exploited via crafted LON IP-852 management messages to execute arbitrary OS commands or trigger memory corruption. CVE-2026-20761 (command injection) carries a CVSS 3.1 score of 8.1 and permits remote command execution; CVE-2026-22885 is an out-of-bounds read (CVSS 3.1 score 3.7) that can leak memory. EnOcean advises updating to SmartServer 4.6 Update 2 (v4.60.023) or later, and CISA recommends isolating devices, avoiding internet exposure, using secure remote access, and monitoring for suspicious activity.

Welker OdorEyes XL4 Controller Missing Authentication

🛡️ The Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller contains an authentication vulnerability tracked as CVE-2026-24790 that permits remote influence of the underlying PLC without proper safeguards. Successful exploitation could cause over- or under-odorization events, impacting safety and process control. CISA rates this issue High (CVSS 3.1 8.2) and recommends contacting Welker, minimizing network exposure, isolating control networks, and using secure remote-access methods such as updated VPNs.

Valmet DNA Engineering Web Tools Vulnerability Overview

🛡️ An unauthenticated attacker can exploit a path traversal vulnerability in Valmet DNA Engineering Web Tools (CVE-2025-15577) by manipulating the web maintenance services URL to obtain arbitrary file read access. The issue is an instance of Improper Limitation of a Pathname to a Restricted Directory (CWE-22) and is rated CVSS 3.1 8.6 (High). Valmet has released a fix and recommends customers contact their automation customer service for remediation assistance. CISA advises reducing internet exposure for control system devices, isolating networks behind firewalls, and applying defense-in-depth controls.

Good Enough Emulation: Fuzzing a Modbus Thread for Bugs

🔍 This post details emulation-based analysis of the Socomec DIRIS M-70 gateway, where JTAG flash readout protection prevented full hardware debugging. The researcher emulated the Modbus processing thread with Unicorn, integrated AFL for coverage-guided fuzzing across hundreds of message types, and later adopted Qiling for built-in coverage and debugging. The effort uncovered multiple denial-of-service vulnerabilities and six CVEs, showing that a 'good enough' single-thread emulation approach can produce high-impact results.

Sharp Rise in Ransomware Targeting Industrial Systems

🔐 Researchers at Dragos warn of a marked increase in ransomware groups targeting industrial organizations in 2025, tracking 119 distinct groups — a 49% rise from 2024. The firm reports 3,300 industrial victims last year, with manufacturing and transportation most affected, followed by oil & gas, electricity and communications. Dragos attributes many compromises to abuse of legitimate credentials via VPNs, vendor tunnels and infostealers, and highlights an average OT dwell time of 42 days. The report also names three new threat groups: Sylvanite, Azurite and Pyroxene.

Delta Electronics ASDA-Soft Stack Overflow (CVE-2026-1361)

⚠ A stack-based buffer overflow has been identified in Delta Electronics ASDA-Soft when parsing .par files, allowing an attacker to write data past a stack buffer and corrupt a structured exception handler (SEH). The issue affects versions <= 7.2.0.0 (CVE-2026-1361) and is assigned a CVSS v3.1 base score of 7.8 (High). Delta released fixed ASDA-Soft version 7.2.2.0 and published advisory Delta-PCSA-2026-00003; CISA reports no known public exploitation and notes the vulnerability is not remotely exploitable.

Siemens Simcenter Femap and Nastran File Parsing Flaws

⚠️ Siemens has published updates for Simcenter Femap and Simcenter Nastran addressing multiple file-parsing vulnerabilities in NDB and XDB formats. If a user opens a specially crafted malicious file, affected versions may crash or allow an attacker to achieve arbitrary code execution. Siemens rates the issues as high severity and recommends updating to V2512 or later and avoiding untrusted NDB/XDB files.