Breachbook

Operation Atlantic is a cross-border law enforcement effort to detect and disrupt crypto scams in real time, targeting approval phishing before funds are fully drained.

The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." [...]

Scammers are sending fake "Notice of Default" traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information. [...]

Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. [...]

The draft bill, yet to be signed into law by the king, marked a significant policy change for Cambodia officials in addressing scam centers.

Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform. [...]

The Qilin ransomware group has claimed responsibility for an attack against Die Linke ('The Left'), forcing an IT systems outage at the political party, and threatening sensitive data leak. [...]

CERT-EU blamed the cybercrime group TeamPCP for the recent hack on the European Commission, and said the notorious ShinyHunters gang was responsible for leaking the stolen data online.

Multi-extortion ransomware relies on stolen data to pressure victims with public leaks. Penta Security explains how its D.AMO platform keeps exfiltrated files encrypted and useless to attackers. [...]

An executive said the social media platform could lock accounts mentioning crypto for the first time and require verification after a scammer faked reports of a tortoise's death.

Threat actors are exploiting vacant homes as "drop addresses" to intercept mail and enable fraud. Flare shows how postal services and fake identities are abused to turn mail into a fraud vector. [...]

View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to login as the PROG user and modify permissions. The following versions of Yokogawa CENTUM VP are affected: CENTUM VP >=R5.01.00| CENTUM VP >=R6.01.00| CENTUM VP vR7.01.00 (CVE-2025-7741) CVSS Vendor Equipment Vulnerabilities v3 4 Yokogawa Yokogawa CENTUM VP Use of Hard-coded Password Background Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture Countries/Areas Deployed: Worldwide Company Headquarters Location: Japan Vulnerabilities Expand All + CVE-2025-7741 Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the following conditions, there is a risk that an attacker could log in as the PROG user. The default permission for the PROG users is S1 permission (equivalent to OFFUSER). Therefore, for properly permission-controlled targets of operation and monitoring, even if an attacker logs in as the PROG user, the risk of critical operations or configuration changes being performed is considered low. If the PROG user's permissions have been changed for any reason, there is a risk that operations or configuration changes may be performed under the modified permissions. Additionally, exploiting this vulnerability requires an attacker to already have access to the HIS screen controls. View CVE Details Affected Products Yokogawa CENTUM VP Vendor: Yokogawa Product Version: Yokogawa CENTUM VP: >=R5.01.00|<R5.04.20, Yokogawa CENTUM VP: >=R6.01.00|<R6.12.00, Yokogawa CENTUM VP: vR7.01.00 Product Status: known_affected Remediations Mitigation Yokogawa recommends users applying the following mitigations to affected versions: Vendor fix CENTUM VP R5.01.00 to R5.04.20: Change the user authentication mode to Windows Authentication Mode. Vendor fix CENTUM VP R6.01.00 to R6.12.00: Change the user authentication mode to Windows Authentication Mode. Vendor fix CENTUM VP R7.01.00: Apply patch software R7.01.10. Mitigation NOTE:Changing to Windows Authentication Mode requires engineering work. If users wish to make this change, please contact Yokogawa directly https://contact.yokogawa.com/cs/gw?c-id=000498. https://contact.yokogawa.com/cs/gw?c-id=000498 Mitigation For more information and details on implementing these mitigations, users should see the Yokogawa advisory YSAR-26-0003 at https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf Relevant CWE: CWE-259 Use of Hard-coded Password Metrics CVSS Version Base Score Base Severity Vector String 3.1 4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Acknowledgments Yokogawa reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity. Revision History Initial Release Date: 2026-04-02 Date Revision Summary 2026-04-02 1 Initial Republication of YSAR-26-0003 Legal Notice and Terms of Use

A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities. [...]

The threat group's shift to speedy attacks on AWS, Azure, and SaaS instances shows organizations need to respond quickly to compromised credentials.

View CSAF Summary Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication. The following versions of PX4 Autopilot are affected: Autopilot v1.16.0_SITL_latest_stable (CVE-2026-1579) CVSS Vendor Equipment Vulnerabilities v3 9.8 PX4 PX4 Autopilot Missing Authentication for Critical Function Background Critical Infrastructure Sectors: Transportation Systems, Emergency Services, Defense Industrial Base Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2026-1579 The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level. View CVE Details Affected Products PX4 Autopilot Vendor: PX4 Product Version: PX4 Autopilot: v1.16.0_SITL_latest_stable Product Status: known_affected Remediations Mitigation PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non‑USB communication links. PX4 has published a security hardening guide for integrators and manufacturers at https://docs.px4.io/main/en/mavlink/security_hardening. https://docs.px4.io/main/en/mavlink/security_hardening Mitigation Message signing configuration documentation can be found at https://docs.px4.io/main/en/mavlink/message_signing. https://docs.px4.io/main/en/mavlink/message_signing Relevant CWE: CWE-306 Missing Authentication for Critical Function Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Acknowledgments Dolev Aviv of Cyviation reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-31 Date Revision Summary 2026-03-31 1 Initial Publication Legal Notice and Terms of Use

View CSAF Summary Successful exploitation of this vulnerability could allow an authenticated low-privileged user to gain access to SMS messages outside of their authorized tenant scope via a crafted company or tenant identifier parameter. The following versions of OpenCode Systems OC Messaging and USSD Gateway are affected: OC Messaging 6.32.2 (CVE-2025-70614) USSD Gateway 6.32.2 (CVE-2025-70614) CVSS Vendor Equipment Vulnerabilities v3 8.1 OpenCode Systems OpenCode Systems OC Messaging and USSD Gateway Improper Access Control Background Critical Infrastructure Sectors: Communications Countries/Areas Deployed: Worldwide Company Headquarters Location: Bulgaria Vulnerabilities Expand All + CVE-2025-70614 OpenCode Systems Custom Messaging Gateway 6.32.2 contains a web access vulnerability allowing one authenticated user to gain access to another authenticated user's messages via a crafted identifier parameter. View CVE Details Affected Products OpenCode Systems OC Messaging and USSD Gateway Vendor: OpenCode Systems Product Version: OpenCode Systems OC Messaging: 6.32.2, OpenCode Systems USSD Gateway: 6.32.2 Product Status: known_affected Remediations Mitigation The vulnerability was identified by OpenCode Systems on January 5, 2026 and remediated on January 6, 2026 with the release of version 6.33.11. Mitigation For more information, contact OpenCode: https://opencode.com/about/contact-us https://opencode.com/about/contact-us Relevant CWE: CWE-284 Improper Access Control Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Acknowledgments Hussein Amer reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-26 Date Revision Summary 2026-03-26 1 Initial Publication Legal Notice and Terms of Use

View CSAF Summary An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device. The following versions of WAGO GmbH & Co. KG Industrial Managed Switches are affected: WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1812 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1813 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.3.S0 WAGO_Hardware_852-1813/000-001 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1816 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.8.S0 WAGO_Hardware_852-303 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1305 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1305/000-001 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1505/000-001 (CVE-2026-3587) WAGO Firmware versions prior to V1.1.9.S0 WAGO_Hardware_852-1505 (CVE-2026-3587) WAGO Firmware versions prior to V1.0.6.S0 WAGO_Hardware_852-602 (CVE-2026-3587) WAGO Firmware versions prior to V1.0.6.S0 WAGO_Hardware_852-603 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.5.S0 WAGO_Hardware_852-1605 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1812/010-000 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1813/010-000 (CVE-2026-3587) WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1816/010-000 (CVE-2026-3587) WAGO Firmware version V1.0.6.S0 WAGO_Hardware_852-602 (CVE-2026-3587) WAGO Firmware version V1.0.6.S0 WAGO_Hardware_852-603 (CVE-2026-3587) WAGO Firmware version V1.1.9.S0 WAGO_Hardware_852-1505 (CVE-2026-3587) WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1305 (CVE-2026-3587) WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1305/000-001 (CVE-2026-3587) WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1505/000-001 (CVE-2026-3587) WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1812 (CVE-2026-3587) WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813 (CVE-2026-3587) WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1816 (CVE-2026-3587) WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1812/010-000 (CVE-2026-3587) WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813/010-000 (CVE-2026-3587) WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1816/010-000 (CVE-2026-3587) WAGO Firmware version V1.2.3.S0 WAGO_Hardware_852-1813/000-001 (CVE-2026-3587) WAGO Firmware version V1.2.5.S0 WAGO_Hardware_852-1605 (CVE-2026-3587) WAGO Firmware version V1.2.8.S0 WAGO_Hardware_852-303 (CVE-2026-3587) WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813/010-001 (CVE-2026-3587) WAGO Firmware version V1.2.1.S1 WAGO_Hardware_852-1813/010-001 (CVE-2026-3587) CVSS Vendor Equipment Vulnerabilities v3 10 WAGO WAGO GmbH & Co. KG Industrial Managed Switches Hidden Functionality Background Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems Countries/Areas Deployed: Worldwide Company Headquarters Location: Germany Vulnerabilities Expand All + CVE-2026-3587 An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device. View CVE Details Affected Products WAGO GmbH & Co. KG Industrial Managed Switches Vendor: WAGO Product Version: WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1812, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1813, WAGO WAGO Firmware versions prior to V1.2.3.S0: WAGO_Hardware_852-1813/000-001, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1816, WAGO WAGO Firmware versions prior to V1.2.8.S0: WAGO_Hardware_852-303, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1305, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1305/000-001, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1505/000-001, WAGO WAGO Firmware versions prior to V1.1.9.S0: WAGO_Hardware_852-1505, WAGO WAGO Firmware versions prior to V1.0.6.S0: WAGO_Hardware_852-602, WAGO WAGO Firmware versions prior to V1.0.6.S0: WAGO_Hardware_852-603, WAGO WAGO Firmware versions prior to V1.2.5.S0: WAGO_Hardware_852-1605, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1812/010-000, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1813/010-000, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1816/010-000, WAGO WAGO Firmware version V1.0.6.S0: WAGO_Hardware_852-602, WAGO WAGO Firmware version V1.0.6.S0: WAGO_Hardware_852-603, WAGO WAGO Firmware version V1.1.9.S0: WAGO_Hardware_852-1505, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1305, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1305/000-001, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1505/000-001, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1812, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1816, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1812/010-000, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813/010-000, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1816/010-000, WAGO WAGO Firmware version V1.2.3.S0: WAGO_Hardware_852-1813/000-001, WAGO WAGO Firmware version V1.2.5.S0: WAGO_Hardware_852-1605, WAGO WAGO Firmware version V1.2.8.S0: WAGO_Hardware_852-303, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813/010-001, WAGO WAGO Firmware version V1.2.1.S1: WAGO_Hardware_852-1813/010-001 Product Status: known_affected Remediations Mitigation WAGO has identified the following specific workarounds and mitigations users can apply to reduce risk: Product Group: WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1813/010-001, WAGO Firmware installed on WAGO Hardware 852-1813/010-001): Please update your devices to the specified fixed Firmware version. Mitigation Lean Managed Switch 852-1812, Lean Managed Switch 852-1813, Lean Managed Switch 852-1813/000-001, Lean Managed Switch 852-1816, Lean Managed Switch 852-1812/010-000, Lean Managed Switch 852-1813/010-000, Lean Managed Switch 852-1816/010-000, Lean Managed Switch 852-1813/010-001: To eliminate the attack vector deactivate ssh and telnet on the device. Mitigation Industrial Managed Switch 852-303, Industrial Managed Switch 852-1305, Industrial Managed Switch 852-1305/000-001, Industrial Managed Switch 852-1505/000-001, Industrial Managed Switch 852-1505, Industrial Managed Switch 852-602, Industrial Managed Switch 852-603, Industrial Managed Switch 852-1605: To reduce the attack vector deactivate ssh and telnet on the devices. This ensures that the CLI is only accessible locally via RS232. Mitigation The following product versions have been fixed: Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.3.S1 installed on Lean Managed Switch 852-1813/000-001 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.8.S1 installed on Industrial Managed Switch 852-303 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305/000-001 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1505/000-001 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.1.9.S1 installed on Industrial Managed Switch 852-1505 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-602 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-603 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.5.S1 installed on Industrial Managed Switch 852-1605 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812/010-000 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-000 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816/010-000 are fixed versions for CVE-2026-3587 Mitigation Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-001 are fixed versions for CVE-2026-3587 Mitigation For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json. https://www.wago.com/de-en/automation-technology/psirt Mitigation For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json. https://certvde.com/en/advisories/VDE-2026-020 Mitigation For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json. https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json Relevant CWE: CWE-912 Hidden Functionality Metrics CVSS Version Base Score Base Severity Vector String 3.1 10 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Acknowledgments CERT@VDE coordination reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-26 Date Revision Summary 2026-03-26 1 Initial Republication of WAGO GmbH & Co. KG VDE-2026-020 Legal Notice and Terms of Use

View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution. The following versions of PTC Windchill Product Lifecycle Management are affected: Windchill PDMLink 11.0_M030 (CVE-2026-4681) Windchill PDMLink 11.1_M020 (CVE-2026-4681) Windchill PDMLink 11.2.1.0 (CVE-2026-4681) Windchill PDMLink 12.0.2.0 (CVE-2026-4681) Windchill PDMLink 12.1.2.0 (CVE-2026-4681) Windchill PDMLink 13.0.2.0 (CVE-2026-4681) Windchill PDMLink 13.1.0.0 (CVE-2026-4681) Windchill PDMLink 13.1.1.0 (CVE-2026-4681) Windchill PDMLink 13.1.2.0 (CVE-2026-4681) Windchill PDMLink 13.1.3.0 (CVE-2026-4681) FlexPLM 11.0_M030 (CVE-2026-4681) FlexPLM 11.1_M020 (CVE-2026-4681) FlexPLM 11.2.1.0 (CVE-2026-4681) FlexPLM 12.0.0.0 (CVE-2026-4681) FlexPLM 12.0.2.0 (CVE-2026-4681) FlexPLM 12.0.3.0 (CVE-2026-4681) FlexPLM 12.1.2.0 (CVE-2026-4681) FlexPLM 12.1.3.0 (CVE-2026-4681) FlexPLM 13.0.2.0 (CVE-2026-4681) FlexPLM 13.0.3.0 (CVE-2026-4681) CVSS Vendor Equipment Vulnerabilities v3 10 PTC PTC Windchill Product Lifecycle Management Improper Control of Generation of Code ('Code Injection') Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-4681 A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0. View CVE Details Affected Products PTC Windchill Product Lifecycle Management Vendor: PTC Product Version: PTC Windchill PDMLink: 11.0_M030, PTC Windchill PDMLink: 11.1_M020, PTC Windchill PDMLink: 11.2.1.0, PTC Windchill PDMLink: 12.0.2.0, PTC Windchill PDMLink: 12.1.2.0, PTC Windchill PDMLink: 13.0.2.0, PTC Windchill PDMLink: 13.1.0.0, PTC Windchill PDMLink: 13.1.1.0, PTC Windchill PDMLink: 13.1.2.0, PTC Windchill PDMLink: 13.1.3.0, PTC FlexPLM: 11.0_M030, PTC FlexPLM: 11.1_M020, PTC FlexPLM: 11.2.1.0, PTC FlexPLM: 12.0.0.0, PTC FlexPLM: 12.0.2.0, PTC FlexPLM: 12.0.3.0, PTC FlexPLM: 12.1.2.0, PTC FlexPLM: 12.1.3.0, PTC FlexPLM: 13.0.2.0, PTC FlexPLM: 13.0.3.0 Product Status: known_affected Remediations Mitigation PTC is aware of the issue and is actively developing a fix. In the meantime, PTC recommends applying the recommended workaround. Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically: Protect any publicly accessible Windchill systems Vendor fix While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure Vendor fix Apply the same precautions to FlexPLM deployments Vendor fix The following Apache and IIS HTTP Server configuration update should be IMMEDIATELY applied to every Windchill or FlexPLM system: Customers using Apache HTTP Server should only follow "Apache HTTP Server Configuration – Workaround Steps" section steps Mitigation Customers using Microsoft IIS should only follow "IIS Configuration - Workaround Steps" section steps Mitigation Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable Mitigation For Windchill releases prior to 11.0 M030, workarounds may need to be altered to apply to unsupported previous releases Mitigation For Apache HTTP Server and IIS configuration workaround steps, please refer to the official advisory at:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability. https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability Mitigation If immediate remediation is not feasible, additional guidance and remediation options are available:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability. https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 10 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Acknowledgments An anonymous source reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-26 Date Revision Summary 2026-03-26 1 Initial Republication of PTC's CS466318 Legal Notice and Terms of Use

A series of campaigns that began in August aim to defraud job candidates, using psychological tactics and data scraped from LinkedIn profiles.

View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to send a specially crafted file, and when parsed, could result in a denial-of-service condition. The following versions of Grassroots DICOM (GDCM) are affected: Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650) CVSS Vendor Equipment Vulnerabilities v3 7.5 Grassroots Grassroots DICOM (GDCM) Missing Release of Memory after Effective Lifetime Background Critical Infrastructure Sectors: Healthcare and Public Health Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-3650 A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it. View CVE Details Affected Products Grassroots DICOM (GDCM) Vendor: Grassroots Product Version: Grassroots Grassroots DICOM (GDCM): 3.2.2 Product Status: known_affected Remediations Mitigation The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information refer to the software page on SourceForge. Mitigation https://sourceforge.net/projects/gdcm/. https://sourceforge.net/projects/gdcm/ Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Acknowledgments Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-24 Date Revision Summary 2026-03-24 1 Initial Publication. Legal Notice and Terms of Use

View CSAF Summary Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges. The following versions of Pharos Controls Mosaic Show Controller are affected: Mosaic Show Controller Firmware 2.15.3 (CVE-2026-2417) CVSS Vendor Equipment Vulnerabilities v3 9.8 Pharos Controls Pharos Controls Mosaic Show Controller Missing Authentication for Critical Function Background Critical Infrastructure Sectors: Commercial Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: United Kingdom Vulnerabilities Expand All + CVE-2026-2417 A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges. View CVE Details Affected Products Pharos Controls Mosaic Show Controller Vendor: Pharos Controls Product Version: Pharos Controls Mosaic Show Controller Firmware: 2.15.3 Product Status: known_affected Remediations Mitigation Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later. Relevant CWE: CWE-306 Missing Authentication for Critical Function Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Acknowledgments James Tully reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-24 Date Revision Summary 2026-03-24 1 Initial Publication Legal Notice and Terms of Use

View CSAF Summary Successful exploitation of these vulnerabilities could risk privilege escalation, which could result in remote code execution. The following versions of Schneider Electric Plant iT/Brewmaxx are affected: Plant iT/Brewmaxx 9.60_and_above (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819) CVSS Vendor Equipment Vulnerabilities v3 9.9 Schneider Electric Schneider Electric Plant iT/Brewmaxx Use After Free, Integer Overflow or Wraparound, Improper Control of Generation of Code ('Code Injection') Background Critical Infrastructure Sectors: Energy, Critical Manufacturing, Commercial Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: France Vulnerabilities Expand All + CVE-2025-49844 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2025-46817 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-46818 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2025-46819 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H Acknowledgments Schneider Electric reported these vulnerabilities to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-24 Date Revision Summary 2026-03-24 1 Initial Republication of SEVD-2026-013-01 Legal Notice and Terms of Use

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.

CISA and the Federal Bureau of Investigation released a Public Service Announcement (PSA) warning about ongoing phishing campaigns by cyber actors associated with the Russian Intelligence Services targeting commercial messaging applications (CMAs). These campaigns aim to bypass encryption to compromise to individual user accounts with targets including current and former U.S. government officials, military personnel, political figures, and journalists.   Evidence shows that cyber actors have been able to compromise individual CMA accounts, but not encryption of the applications themselves. The actors’ global campaigns have resulted in unauthorized access to thousands of individual CMA accounts to view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts.   CISA and FBI urge CMA users to review the PSA, follow recommended cybersecurity practices, and remain vigilant for suspicious activity.

View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the product. The following versions of Schneider Electric Modicon M241, M251, and M262 are affected: Modicon M241 versions prior to 5.4.13.12 Modicon_Controller_M241 Modicon M251 versions prior to 5.4.13.12 Modicon_Controller_M251 Modicon M262 versions prior to 5.4.10.12 Modicon_Controller_M262 CVSS Vendor Equipment Vulnerabilities v3 5.3 Schneider Electric Schneider Electric Modicon M241, M251, and M262 Improper Resource Shutdown or Release Background Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy Countries/Areas Deployed: Worldwide Company Headquarters Location: France Vulnerabilities Expand All + CVE-2025-13901 CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels. View CVE Details Affected Products Schneider Electric Modicon M241, M251, and M262 Vendor: Schneider Electric Product Version: Schneider Electric Modicon M241 versions prior to 5.4.13.12: Modicon_Controller_M241, Schneider Electric Modicon M251 versions prior to 5.4.13.12: Modicon_Controller_M251, Schneider Electric Modicon M262 versions prior to 5.4.10.12: Modicon_Controller_M262 Product Status: known_affected Remediations Mitigation Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/ Mitigation Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. https://www.se.com/ww/en/download/document/EIO0000005500/ Mitigation Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/ Mitigation Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. https://www.se.com/ww/en/download/document/EIO0000005500/ Mitigation Modicon Controller M262 Firmware version 5.4.10.12 delivered with EcoStruxure™ Machine Expert v2.5 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M262 to the latest Firmware and perform reboot. For instructions refer to Modicon M262 Logic/Motion Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/ Mitigation Modicon Controller M262 Firmware version 5.4.10.12 delivered with EcoStruxure™ Machine Expert v2.5 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M262 to the latest Firmware and perform reboot. For instructions refer to Modicon M262 Logic/Motion Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. https://www.se.com/ww/en/download/document/EIO0000005500/ Mitigation For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-01 Improper Resource Shutdown or Release vulnerability in Multiple Products - SEVD-2026-069-01 PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-01.pdf. Improper Resource Shutdown or Release vulnerability in Multiple Products - SEVD-2026-069-01 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-01.json. https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-01.pdf Mitigation All affected products: If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Filter ports and IP through the embedded firewall. Use encrypted communication links. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242. https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242 Relevant CWE: CWE-404 Improper Resource Shutdown or Release Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Acknowledgments Amir Zaltzman of Claroty Team82 reported this vulnerability to Schneider Electric Schneider Electric reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-19 Date Revision Summary 2026-03-19 1 Initial Republication of Schneider Electric CPCERT SEVD-2026-069-01 Legal Notice and Terms of Use

View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications. The following versions of Automated Logic WebCTRL Premium Server are affected: WebCTRL Premium Server CVSS Vendor Equipment Vulnerabilities v3 9.1 Automated Logic Automated Logic WebCTRL Premium Server Multiple Binds to the Same Port, Authentication Bypass by Spoofing, Cleartext Transmission of Sensitive Information Background Critical Infrastructure Sectors: Commercial Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-25086 Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software. View CVE Details Affected Products Automated Logic WebCTRL Premium Server Vendor: Automated Logic Product Version: Automated Logic WebCTRL Premium Server: <v8.5 Product Status: known_affected Remediations Mitigation Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC. Mitigation For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/. https://www.automatedlogic.com/en/company/security-commitment/ Relevant CWE: CWE-605 Multiple Binds to the Same Port Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.7 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2026-32666 WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate. View CVE Details Affected Products Automated Logic WebCTRL Premium Server Vendor: Automated Logic Product Version: Automated Logic WebCTRL Premium Server: <v8.5 Product Status: known_affected Remediations Mitigation Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC. Mitigation For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/. https://www.automatedlogic.com/en/company/security-commitment/ Relevant CWE: CWE-290 Authentication Bypass by Spoofing Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-24060 Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered. View CVE Details Affected Products Automated Logic WebCTRL Premium Server Vendor: Automated Logic Product Version: Automated Logic WebCTRL Premium Server: <v8.5 Product Status: known_affected Remediations Mitigation Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC. Mitigation For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/. https://www.automatedlogic.com/en/company/security-commitment/ Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Acknowledgments Jonathan Lee, Thuy D. Nguyen and Neil C. Rowe of the Naval Postgraduate School reported these vulnerabilities to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-19 Date Revision Summary 2026-03-19 1 Initial Publication Legal Notice and Terms of Use

View CSAF Summary Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack which could result in an account takeover scenario or the execution of code in the user browser. The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected: Modicon M241 versions prior to 5.4.13.12 Modicon_Controller_M241 Modicon M251 versions prior to 5.4.13.12 Modicon_Controller_M251 Modicon Controllers M258 all firmware versions Modicon_Controllers_M258 Modicon Controllers LMC058 all firmware versions Modicon_Controllers_LMC058 CVSS Vendor Equipment Vulnerabilities v3 5.4 Schneider Electric Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Background Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy Countries/Areas Deployed: Worldwide Company Headquarters Location: France Vulnerabilities Expand All + CVE-2025-13902 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload. View CVE Details Affected Products Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 Vendor: Schneider Electric Product Version: Schneider Electric Modicon M241 versions prior to 5.4.13.12: Modicon_Controller_M241, Schneider Electric Modicon M251 versions prior to 5.4.13.12: Modicon_Controller_M251, Schneider Electric Modicon Controllers M258 all firmware versions: Modicon_Controllers_M258, Schneider Electric Modicon Controllers LMC058 all firmware versions: Modicon_Controllers_LMC058 Product Status: known_affected Remediations Mitigation Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/ Mitigation Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/ww/en/download/document/EIO0000005500/ Mitigation Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/ww/en/download/document/EIO0000003059/ Mitigation Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER Mitigation Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/ Mitigation Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/ww/en/download/document/EIO0000005500/ Mitigation Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/us/en/download/document/EIO0000003089/ Mitigation Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER. https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER Mitigation If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242. https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242 Mitigation Modicon Controllers M258 and Modicon Controllers LMC058: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242. https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242 Mitigation For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json. https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf Mitigation For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json. https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Acknowledgments Amir Zaltzman of Claroty Team82 reported this vulnerability to Schneider Electric Schneider Electric reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-19 Date Revision Summary 2026-03-19 1 Initial Republication of Schneider Electric CPCERT SEVD-2026-069-02 Legal Notice and Terms of Use

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.1 To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions. To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software:  Use principles of least privilege when designing administrative roles. Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to. Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene. Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune. Configure access policies to require Multi Admin Approval in Microsoft Intune. Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.   Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity: Microsoft resources: For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune. For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval. For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security. For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune. For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.   CISA resources: For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.  Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.   Acknowledgements Microsoft and Stryker contributed to this alert.  Notes 1 For updates from Stryker on the incident, see “Customer Updates: Stryker Network Disruption,” Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.