CISO Brief

All news with #ot security tag

321 articles · page 7 of 17

Russian ELECTRUM Linked to December 2025 Polish Grid Attack

🔎 Dragos attributes a coordinated late-December 2025 cyber attack on multiple Polish power grid sites to the Russian state-sponsored crew ELECTRUM with medium confidence. The campaign targeted communication and control systems at combined heat and power facilities and systems managing distributed energy resources, including wind and solar dispatch. Although no blackouts were reported, attackers gained access to OT networks and disabled some equipment beyond repair. Dragos notes the operation blended IT-to-OT tradecraft, with KAMACITE enabling access and ELECTRUM executing ICS-focused actions.

Schneider Electric EcoStruxure Privilege Escalation Fix

⚠️ Schneider Electric has issued a fix for a local privilege escalation vulnerability in EcoStruxure Process Expert (CVE-2025-13905) caused by incorrect default permissions. An attacker with local access could modify executable service binaries and gain elevated privileges when services restart. Version 2025 contains the vendor fix; interim mitigations include application whitelisting and restricting privileged accounts.

AutomationDirect CLICK PLC Password Storage Vulnerabilities

🔒 AutomationDirect reported two vulnerabilities in CLICK Programmable Logic Controllers (PLCs) — CVE-2025-67652 and CVE-2025-25051 — that expose stored credentials and weak encoding. Both issues carry a CVSS 3.1 base score of 6.1 (Medium) and affect C0-0x, C0-1x, and C2-x product versions. AutomationDirect recommends updating CLICK PLUS and PLC firmware to V3.90; until the update can be applied, implement compensating controls such as network isolation, restricted access, application whitelisting, and enhanced logging and monitoring. CISA notes these vulnerabilities are not exploitable remotely and no public exploitation has been reported.

Rockwell CompactLogix 5370 DoS Vulnerability Advisory

⚠️ Rockwell Automation's CompactLogix 5370 controllers are affected by a denial-of-service vulnerability (CVE-2025-11743) that can produce a major nonrecoverable fault requiring a restart. The issue is triggered by a malformed CIP Forward Open message and has a CVSS v3.1 base score of 6.5. Affected versions include <=34.013, <=35.012, and 36.011; fixed releases include 37.011, 34.016, 35.015, and 36.012. Rockwell reported the issue to CISA; no known public exploitation has been reported and CISA notes the vulnerability is not exploitable remotely. Users unable to upgrade should follow security best practices to limit exposure.

Weintek cMT X Series Privilege Escalation Vulnerabilities

🔒 CISA reports two high-severity vulnerabilities in Weintek cMT X Series HMI devices that allow low-privileged users to escalate privileges and potentially take full control of affected units. Both issues (CVE-2025-14750 and CVE-2025-14751) receive a CVSS 3.1 base score of 8.3. Vendor firmware updates are available for specific models; apply vendor-supplied patches and follow network-segmentation mitigations.

DIAView Command Injection Advisory — CVE-2026-0975

⚠️ DIAView contains a command injection vulnerability (CVE-2026-0975) that allows project scripts to execute shell commands when a malicious project is opened. Successful exploitation can result in arbitrary code execution on affected installations of Delta Electronics DIAView version 4.2.0. Delta recommends updating to DIAView v4.4 or later and following defensive measures such as isolating control networks, avoiding untrusted files or links, and using secure remote access methods.

Schneider Electric Foxboro DCS Intel Side-Channel Issue

⚠️ Schneider Electric published an advisory about a side‑channel vulnerability disclosed by Intel (CVE-2018-12130) that affects EcoStruxure Foxboro DCS Virtualization Server (V91) and Standard Workstation (H92). An authenticated user with local access could exploit the CPU issue to enable information disclosure, risking loss of system functionality or unauthorized access. Schneider Electric directs customers to migrate to updated server (V95) and workstation (Dell D96) hardware or, if immediate migration is not feasible, to apply BIOS and OS security patches and follow layered defense-in-depth recommendations.

Rockwell Verve Asset Manager: Two High-Risk Storage Flaws

🔒 Rockwell Automation reported two high-severity vulnerabilities in Verve Asset Manager affecting legacy components: the ADI server and the Ansible playbook. Both issues can result in unencrypted sensitive information being stored in environment variables or during playbook execution and are rated CVSS 7.2 and 7.9. Rockwell states the flaws are resolved in 1.42; organizations should upgrade and contact Rockwell TechConnect for assistance. CISA also recommends minimizing network exposure and using secure remote access such as up-to-date VPNs.

CODESYS Runtime Vulnerabilities Affecting Schneider Electric

⚠️ Schneider Electric warns that multiple vulnerabilities in the CODESYS Runtime System V3 communication server affect many Schneider products and third-party devices embedding CODESYS. Exploitable issues include denial-of-service and, in some configurations, remote code execution; several CVEs carry CVSS scores up to 8.8. Schneider has published patches and mitigations for many affected product families; operators should apply vendor updates and follow immediate network and access controls to reduce exposure.

Global Agencies Publish Secure Connectivity Guidance for OT

🔐 The US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation (FBI), alongside international partners, have released principles to secure operational technology (OT) connectivity. Led by NCSC-UK, the guidance offers a shared framework to design and manage secure connectivity across OT environments. It emphasizes embedding cybersecurity into network design to reduce exposure to both state-backed and opportunistic adversaries. The document warns that increased interconnection brings benefits such as real-time analytics and predictive maintenance, but also raises risks that could cause physical harm, environmental damage or service disruption.

Cyber Threat Actors Intensify Attacks on Industrial ICS

🔒 Cyble's Annual Threat Landscape Report 2025 (published Jan 15, 2026) found a sharp rise in attacks against industrial environments, with ICS vulnerability disclosures nearly doubling to 2,451 across 152 vendors in 2025. The report highlights an August spike (802 disclosures) and Q3 accounting for 45.26% of disclosures. HMI and SCADA systems were increasingly exploited, with Siemens and Schneider among the most affected vendors. Cyble warns threat actors — including ransomware groups and coordinated hacktivists — will focus on exposed HMI/SCADA and VNC takeovers in 2026.

International Principles for Secure OT Connectivity

🛡️ CISA, the UK’s NCSC, the FBI and international partners published the Secure Connectivity Principles for Operational Technology (OT), a joint guide led by NCSC‑UK to mitigate insecure and exposed connectivity and defend against opportunistic and nation‑state cyber threats. The guidance provides a practical framework and eight key principles to help OT owners and operators design, secure, and manage connectivity. Agencies also urge OT device manufacturers and integrators to embrace secure‑by‑design practices and recommend organizations assess OT connectivity and implement mitigations to strengthen critical infrastructure resilience.

RUGGEDCOM ROS TLS Certificate Upload Vulnerability

⚠️ Siemens reports a temporary denial-of-service vulnerability in RUGGEDCOM ROS devices that can be triggered via the TLS certificate upload process. Authenticated remote attackers may upload malformed certificate data to cause a crash and an automatic reboot (CVE-2025-40935, CWE-20), producing a brief availability outage. Siemens has published fixed firmware; update affected systems to V5.10.1 or later. CISA advises isolating control networks, minimizing internet exposure, using secure remote access, and performing impact analysis before applying mitigations.

Siemens Industrial Edge Authorization Bypass Vulnerability

🔒 Siemens and CISA report an authorization bypass in multiple Siemens Industrial Edge and related devices (CVE-2025-40805) that can allow an unauthenticated remote attacker who knows a legitimate user's identity to impersonate that user. Siemens has released firmware and software updates for many affected models and is preparing additional fixes. Where updates are not yet available, Siemens and CISA advise network isolation, minimizing internet exposure, use of secure remote access (VPNs), and other compensating controls to limit risk.

Schneider Electric EcoStruxure Power Build Vulnerabilities

🔒 Schneider Electric disclosed vulnerabilities in EcoStruxure Power Build Rapsody that can cause memory corruption and buffer overflows when importing project (SSD) files. Two tracked issues — CVE-2025-13844 (double free, CVSS 5.3) and CVE-2025-13845 (use-after-free, CVSS 7.8) — may allow local attackers to execute code if a user opens a malicious file. Schneider released regional fixed builds; users should install the appropriate update, restart services, and follow recommended mitigations if patching is delayed.

Festo Firmware: Undocumented Remote Functions Risk

⚠️ Festo SE & Co. KG and CISA report that numerous Festo firmware products contain undocumented remote-accessible functions and missing port/protocol documentation, tracked as CVE-2022-3270 with a CVSS v3.1 base score of 9.8. An unauthenticated remote attacker could leverage these undocumented protocol functions to cause full loss of confidentiality, integrity, and availability. Festo intends to address the issue by updating technical user manuals in the next product versions; operators should meanwhile reduce network exposure, enforce firewalls, and use VPNs and encrypted links.

Secure Connectivity Principles for OT — CISA, NCSC-UK

🔒 CISA and the UK National Cyber Security Centre (NCSC-UK) issued Secure Connectivity Principles for Operational Technology (OT) to help asset owners manage increasing connectivity demands. The guidance provides an eight‑principle framework to design, secure, and operate network access into OT environments. It targets operators of essential services and aligns with federal and international collaboration. Stakeholder feedback is invited through a CISA product survey.

Siemens SIMATIC/SIPLUS DoS via S7 Disconnect (CVE-2025-40944)

🔒 Siemens SIMATIC and SIPLUS ET 200 family devices contain a denial-of-service vulnerability triggered by a valid S7 protocol Disconnect Request (COTP DR TPDU) received on TCP port 102. Affected modules can enter an improper session state and become unresponsive, requiring a power cycle to recover. Siemens has released firmware updates for multiple affected products and recommends applying vendor-released fixes; where updates are not available, network mitigations such as filtering TCP port 102 to trusted addresses and isolating control networks are advised.

Siemens TeleControl Server Basic Privilege Escalation

⚠️ Siemens disclosed a local privilege escalation vulnerability (CVE-2025-40942) in TeleControl Server Basic affecting product versions earlier than V3.1.2.4. The flaw could allow an attacker with local access to execute arbitrary code with elevated privileges and is rated High under CVSS 3.1 (8.8). Siemens released V3.1.2.4 to remediate the issue. Administrators should apply the update promptly and follow network-segmentation and access-control best practices to reduce exposure.

Siemens Industrial Edge Device Kit: Authorization Bypass

🔒 Users of Siemens Industrial Edge Device Kit should apply updates immediately. CISA reports an authorization bypass (CVE-2025-40805) that enables unauthenticated attackers to impersonate legitimate users by abusing unsecured API endpoints; the issue is rated CVSS v3.1 10.0. Siemens has published patches for multiple arm64 and x86-64 builds (for example V1.24.2 and V1.25.1) and advises restricting network access where fixes are not yet available.