Former US execs plead guilty to aiding tech support scammers

Two former executives of a call-tracking and analytics company pleaded guilty to concealing a years-long tech support fraud scheme that victimized individuals worldwide. [...]

Why Chargebacks are Just One Piece of the Fraud Puzzle

Fraud losses don't stop at chargebacks. False declines, account takeovers, and abuse also damage revenue and trust. IPQS breaks down why fraud teams need broader visibility into risk and customer impact. [...]

Verus bridge exploiter returns $8.5M after bounty offer

The hacker behind the Verus bridge exploit returned 75% of the stolen funds as part of a recovery deal negotiated with the protocol days after the incident.

Apple blocked over $11 billion in App Store fraud in 6 years

Apple revealed that it blocked over $11 billion in fraudulent App Store transactions over the last six years, including more than $2.2 billion in potentially fraudulent App Store transactions in 2025 alone. [...]

Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet

Modern crypto drainers don't hack wallets. They trick users into approving malicious transactions. Flare explores how the Lucifer DaaS platform scales wallet theft through phishing and automation. [...]

Police seize “First VPN” service used in ransomware, data theft attacks

A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. [...]

Scammers are abusing an internal Microsoft account to send spam links

The loophole allows spammers and scammers to send emails from a legitimate Microsoft email address typically used for sending genuine account alerts.

Missouri AG sues crypto ATM operator CoinFlip, alleging fraud

The lawsuit followed an investigation by Missouri authorities into several crypto ATM companies that involve allegations of “deceptive fee structures” and scams.

Ukraine identifies infostealer operator tied to 28,000 stolen accounts

The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. [...]

GitHub Confirms Breach, 4K Internal Repos Stolen

GitHub confirmed a data breach this week involving the theft of thousands of developer code repositories. One threat actor — TeamPCP — took credit.

Fake Android Apps Commit Carrier Billing Fraud for Premium Services

The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.

Identity Alone Isn't Enough: Why Device Security Has to Share the Load

Identity checks alone can't stop attackers using stolen session tokens and compromised devices. Specops Software outlines why Zero Trust strategies increasingly depend on continuous device verification. [...]

Exploit released for new PinTheft Arch Linux root escalation flaw

PinTheft, a recently patched Linux privilege escalation vulnerability, now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. [...]

ScadaBR

Summary: Successful exploitation of these vulnerabilities could allow an attacker to perform unauthenticated remote code execution.
Affected versions: ScadaBR 1.2.0 (CVE-2026-8602, CVE-2026-8603, CVE-2026-8604, CVE-2026-8605)
CVSS v3: 9.1
Vendor: ScadaBR
Equipment: ScadaBR
Vulnerabilities: Missing Authentication for Critical Function, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Cross-Site Request Forgery (CSRF), Use of Hard-coded Credentials

Background
Critical Infrastructure Sectors: Critical Manufacturing, Dams, Chemical, Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Brazil

Vulnerabilities
CVE-2026-8602: In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS 3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2026-8603: In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2026-8604: In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
Relevant CWE: CWE-352 Cross-Site Request Forgery (CSRF)
CVSS 3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2026-8605: In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
Relevant CWE: CWE-798 Use of Hard-coded Credentials
CVSS 3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected product (the same for all four CVEs): Vendor: ScadaBR; Product Version: ScadaBR 1.2.0; Product Status: known_affected
Remediation (vendor fix, the same for all four CVEs): ScadaBR has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of ScadaBR are invited to contact ScadaBR customer support for additional information: https://github.com/ScadaBR

Acknowledgments
Arad Inbar, Nir Somech, Ben Grinberg, Daniel Lubel, Erez Cohen, and Adiel Sol of DREAM reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-05-19
2026-05-19, Revision 1: Initial Publication

Kieback & Peter DDC Building Controllers

Summary: Successful exploitation of this vulnerability could allow an attacker to take control of the victim's browser.
Affected versions of Kieback & Peter DDC Building Controllers:
- DDC4002 <=1.12.14 (CVE-2026-4293)
- DDC4100 <=1.12.14 (CVE-2026-4293)
- DDC4200 <=1.12.14 (CVE-2026-4293)
- DDC4200-L <=1.12.14 (CVE-2026-4293)
- DDC4400 <=1.12.14 (CVE-2026-4293)
- DDC4002e <=1.23.4 (CVE-2026-4293)
- DDC4200e <=1.23.4 (CVE-2026-4293)
- DDC4400e <=1.23.4 (CVE-2026-4293)
- DDC4020e <=1.23.4 (CVE-2026-4293)
- DDC4040e <=1.23.4 (CVE-2026-4293)
- DDC520 <=1.24.1 (CVE-2026-4293)
CVSS v3: 5.3
Vendor: Kieback & Peter
Equipment: Kieback & Peter DDC Building Controllers
Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
Critical Infrastructure Sectors: Commercial Facilities, Communications, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology
Countries/Areas Deployed: Austria, China, France, Germany, United Arab Emirates
Company Headquarters Location: Germany

Vulnerabilities
CVE-2026-4293: The affected products are vulnerable to cross-site scripting (XSS), enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.
Affected products: Kieback & Peter DDC Building Controllers (Vendor: Kieback & Peter), in the product versions listed above; Product Status: known_affected
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Remediations
Mitigation: Kieback & Peter DDC Building Controllers are developed and designed for use in closed building automation networks. The system is protected by a multi-level perimeter against attacks, especially from outside, by dividing it into operational technology (OT) zones with firewalls. Building automation systems (BA systems) in general should not be directly accessible from untrusted networks, especially from the Internet, but should be protected by consistently applying the defense-in-depth strategy. This concept is supported by organizational measures in the building as part of a safety management system. In order to achieve safety, measures are required at all levels.
Vendor fix: The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are end-of-maintenance, therefore the recommendations for these devices are as follows:
- These devices must be operated in a strictly separate OT environment.
- Only trusted individuals should be granted network access to the DDC web portal.
- Access to the web portal should be disabled in the device configuration if not required.
- Users should be informed that only links from trusted sources should be used to access the web service.
Vendor fix: For the DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, Kieback & Peter recommends the following safety measures:
- Restrict network access to the device.
- Do not directly connect the device to the Internet.
Vendor fix: Update the firmware to the latest available version:
- DDC4002e -> Update to version 1.23.5 or newer
- DDC4200e -> Update to version 1.23.5 or newer
- DDC4400e -> Update to version 1.23.5 or newer
- DDC4020e -> Update to version 1.23.5 or newer
- DDC4040e -> Update to version 1.23.5 or newer
- DDC520 -> Update to version 1.24.2 or newer

Acknowledgments
Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-05-19
2026-05-19, Revision 1: Initial Publication

'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine

Attackers uniquely fingerprint victims before delivering spear-phishing payloads aimed at espionage, in the latest campaign from the Belarusian nation-state threat group.

OpenAI says hackers stole some data after latest code security issue

OpenAI said the damage was limited to the employees’ devices and did not affect user data or its production systems, and that none of its intellectual property was stolen.

Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight

Cargo theft now starts with phishing emails and stolen credentials, not hijackings, to reroute and steal freight from supply chains. NMFTA outlines how cyber-enabled cargo crime is changing transportation security. [...]

Universal Robots Polyscope 5

Summary: Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code.
Affected versions of Universal Robots Polyscope 5: Polyscope 5 <5.25.1
CVSS v3: 9.8
Vendor: Universal Robots
Equipment: Universal Robots Polyscope 5
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Denmark

Vulnerabilities
CVE-2026-8153: OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands that will execute code on the robot's OS.
Affected products: Universal Robots Polyscope 5 (Vendor: Universal Robots); Product Version: Universal Robots Polyscope 5: <5.25.1; Product Status: known_affected
Remediation (vendor fix): Universal Robots has released Polyscope 5 version 5.25.1. For more information, see the Universal Robots article: https://www.universal-robots.com/articles/ur/cybersecurity/cve-2026-8153-command-injection-in-the-polyscope-5-dashboard-server/
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
Vera Mens of Claroty Team82 reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-05-14
2026-05-14, Revision 1: Initial Publication

Siemens SIMATIC S7 PLC Web Server

View CSAF Summary SIMATIC S7 PLCs contain multiple vulnerabilities in the web server that could allow an attacker to perform cross-site scripting attacks. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available. The following versions of Siemens SIMATIC S7 PLC Web Server are affected: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, 
CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V3 CPUs vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0) 
vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0) vers:intdot/<2.9.9 
(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, 
CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0) vers:intdot/<3.1.6 
(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU S7-1518-4 
PN/DP ODK (6ES7518-4AP00-3AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S F V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S F V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S F V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S F V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S F V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S F V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S T V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S TF V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software 
Controller CPU 1508S V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller Linux V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller Linux V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-PLCSIM Advanced vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN 
(6AG1512-1DK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, 
CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0) vers:intdot/<2.9.9 
(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)

CVSS: v3 9.1
Vendor: Siemens
Equipment: Siemens SIMATIC S7 PLC Web Server
Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
Critical Infrastructure Sectors: Chemical, Energy, Food and Agriculture, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-25786
Affected devices do not properly validate and sanitize the PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product to inject malicious scripts into the page.
If a benign user with appropriate rights accesses the "communication" parameters page, the malicious code would be executed in the scope of their web session.

Affected Products
Siemens SIMATIC S7 PLC Web Server
Vendor: Siemens
Product Version: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.
SIPLUS variants) V3 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs, SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC 
S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0), SIMATIC S7-1500 
CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0), SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0), SIMATIC S7-1500 Software Controller CPU 1507S F V2, SIMATIC S7-1500 Software Controller CPU 1507S F V3, SIMATIC S7-1500 Software Controller CPU 1507S F V4, SIMATIC S7-1500 Software Controller CPU 1507S V2, SIMATIC S7-1500 Software Controller CPU 1507S V3, SIMATIC S7-1500 Software Controller CPU 1507S V4, SIMATIC S7-1500 Software Controller CPU 1508S F V2, SIMATIC S7-1500 Software Controller CPU 1508S F V3, SIMATIC S7-1500 Software Controller CPU 1508S F V4, SIMATIC S7-1500 Software Controller CPU 1508S T V3, SIMATIC S7-1500 Software Controller CPU 1508S TF V3, SIMATIC S7-1500 Software Controller CPU 1508S V2, SIMATIC S7-1500 Software Controller CPU 1508S V3, SIMATIC S7-1500 Software Controller CPU 1508S V4, SIMATIC S7-1500 Software Controller Linux V2, SIMATIC S7-1500 Software Controller Linux V3, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0), SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL 
(6AG2512-1SK01-4AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0), SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0), SIPLUS S7-1500 CPU 1516F-3 
PN/DP (6AG1516-3FN00-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)
Product Status: known_affected

Remediations
Mitigation: Restrict TIA project download to trusted personnel only.
No fix planned: Currently no fix is planned
None available: Currently no fix is available
Vendor fix: Update to V2.9.9 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109773914/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics
CVSS Version: 3.1
Base Score: 9.1
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25787
Affected devices do not properly validate and sanitize the Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "Motion Control Diagnostics" parameters page, the malicious code would be executed in the scope of their web session.

Affected Products
Siemens SIMATIC S7 PLC Web Server
Vendor: Siemens
Product Version: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.
SIPLUS variants) V3 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs, SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC 
S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0), SIMATIC S7-1500 
CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0), SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0), SIMATIC S7-1500 Software Controller CPU 1507S F V2, SIMATIC S7-1500 Software Controller CPU 1507S F V3, SIMATIC S7-1500 Software Controller CPU 1507S F V4, SIMATIC S7-1500 Software Controller CPU 1507S V2, SIMATIC S7-1500 Software Controller CPU 1507S V3, SIMATIC S7-1500 Software Controller CPU 1507S V4, SIMATIC S7-1500 Software Controller CPU 1508S F V2, SIMATIC S7-1500 Software Controller CPU 1508S F V3, SIMATIC S7-1500 Software Controller CPU 1508S F V4, SIMATIC S7-1500 Software Controller CPU 1508S T V3, SIMATIC S7-1500 Software Controller CPU 1508S TF V3, SIMATIC S7-1500 Software Controller CPU 1508S V2, SIMATIC S7-1500 Software Controller CPU 1508S V3, SIMATIC S7-1500 Software Controller CPU 1508S V4, SIMATIC S7-1500 Software Controller Linux V2, SIMATIC S7-1500 Software Controller Linux V3, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0), SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL 
(6AG2512-1SK01-4AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0), SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0), SIPLUS S7-1500 CPU 1516F-3 
PN/DP (6AG1516-3FN00-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)

Product Status: known_affected

Remediations
Mitigation: Restrict TIA project download to trusted personnel only.
No fix planned: Currently no fix is planned
None available: Currently no fix is available
Vendor fix: Update to V2.9.9 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109773914/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics
CVSS Version: 3.1
Base Score: 9.1
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25789
Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malicious JavaScript execution in the context of the authenticated user's session without requiring the file to be uploaded, potentially leading to session hijacking or credential theft.
Affected Products
Siemens SIMATIC S7 PLC Web Server
Vendor: Siemens
Product Version: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.
SIPLUS variants) V3 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs, SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC 
S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0), SIMATIC S7-1500 
CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0), SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0), SIMATIC S7-1500 Software Controller CPU 1507S F V2, SIMATIC S7-1500 Software Controller CPU 1507S F V3, SIMATIC S7-1500 Software Controller CPU 1507S F V4, SIMATIC S7-1500 Software Controller CPU 1507S V2, SIMATIC S7-1500 Software Controller CPU 1507S V3, SIMATIC S7-1500 Software Controller CPU 1507S V4, SIMATIC S7-1500 Software Controller CPU 1508S F V2, SIMATIC S7-1500 Software Controller CPU 1508S F V3, SIMATIC S7-1500 Software Controller CPU 1508S F V4, SIMATIC S7-1500 Software Controller CPU 1508S T V3, SIMATIC S7-1500 Software Controller CPU 1508S TF V3, SIMATIC S7-1500 Software Controller CPU 1508S V2, SIMATIC S7-1500 Software Controller CPU 1508S V3, SIMATIC S7-1500 Software Controller CPU 1508S V4, SIMATIC S7-1500 Software Controller Linux V2, SIMATIC S7-1500 Software Controller Linux V3, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0), SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL 
(6AG2512-1SK01-4AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0), SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0), SIPLUS S7-1500 CPU 1516F-3 
PN/DP (6AG1516-3FN00-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)

Product Status: known_affected

Remediations
Mitigation: Restrict access to the function right "firmware update" to instructed personnel.
No fix planned: Currently no fix is planned
None available: Currently no fix is available
Vendor fix: Update to V2.9.9 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109773914/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics
CVSS Version: 3.1
Base Score: 7.1
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Acknowledgments
Siemens ProductCERT reported these vulnerabilities to CISA.
Lukas Sohrmann reported these vulnerabilities to Siemens.

General Recommendations
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-688146 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Publication Date
2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-688146 advisory

0
Law firm Fenwick & West sued for $525M over alleged role in FTX collapse

Twenty FTX victims are suing Fenwick & West, claiming the law firm didn’t just represent FTX, it helped build the infrastructure that kept the fraud running.

0
Fuji Electric Tellus

Summary
Successful exploitation of this vulnerability could allow an attacker to elevate privileges from user to system, which may then enable the attacker to cause a temporary denial of service, open files, or delete files.
The following versions of Fuji Electric Tellus are affected: Tellus 5.0.2

CVSS v3: 7.8
Vendor: Fuji Electric
Equipment: Fuji Electric Tellus
Vulnerabilities: Exposed Dangerous Method or Function

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan

Vulnerabilities

CVE-2026-8108
The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

Affected Products
Fuji Electric Tellus
Vendor: Fuji Electric
Product Version: Fuji Electric Tellus: 5.0.2
Product Status: known_affected

Remediations
Vendor fix: Fuji Electric recommends that Tellus be installed only with administrator privileges.

Relevant CWE: CWE-749 Exposed Dangerous Method or Function

Metrics
CVSS Version: 3.1
Base Score: 7.8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
Kim Myung-gyu of Trend Micro Zero Day Initiative reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Initial Publication

0
Subnet Solutions PowerSYSTEM Center

Summary
Successful exploitation of these vulnerabilities could allow an authenticated attacker to expose sensitive information or cause a CRLF injection.
The following versions of Subnet Solutions PowerSYSTEM Center are affected:
PowerSYSTEM Center 2020 <=5.28.x (CVE-2026-35504)
PowerSYSTEM Center 2020 >=5.8.x|<=5.28.x (CVE-2026-26289)
PowerSYSTEM Center 2020 >=5.11.x|<=5.28.x (CVE-2026-33570)
PowerSYSTEM Center 2024 >=6.0.x|<=6.1.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504)
PowerSYSTEM Center 2026 7.0.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504)

CVSS v3: 8.2
Vendor: Subnet Solutions Inc.
Equipment: Subnet Solutions PowerSYSTEM Center
Vulnerabilities: Incorrect Authorization, Improper Neutralization of CRLF Sequences ('CRLF Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Canada

Vulnerabilities

CVE-2026-26289
PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.

Affected Products
Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2020: >=5.8.x|<=5.28.x, Subnet Solutions Inc. PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x, Subnet Solutions Inc. PowerSYSTEM Center 2026: 7.0.x
Product Status: known_affected

Remediations
Mitigation: Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.
Mitigation: For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at support@subnet.com.
Mitigation: Subnet Solutions recommends users do the following in order to reduce risk:
Monitor user activity records to ensure users are following acceptable usage policies of the application.
Restrict access to Notification Settings to trusted Administrators.
Monitor "Send from Address" in settings and Activity Records.
Configure a notification rule that triggers on any bulk account export activity.

Relevant CWE: CWE-863 Incorrect Authorization

Metrics
CVSS Version: 3.1
Base Score: 8.2
Base Severity: HIGH
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CVE-2026-33570
PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

Affected Products
Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2020: >=5.11.x|<=5.28.x
Product Status: known_affected

Remediations
Mitigation: Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.
Mitigation: For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at support@subnet.com.
Mitigation: Subnet Solutions recommends users do the following in order to reduce risk:
Monitor user activity records to ensure users are following acceptable usage policies of the application.
Restrict access to Notification Settings to trusted Administrators.
Monitor "Send from Address" in settings and Activity Records.
Configure a notification rule that triggers on any bulk account export activity.

Relevant CWE: CWE-863 Incorrect Authorization

Metrics
CVSS Version: 3.1
Base Score: 5.7
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2026-35555
PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.

Affected Products
Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x, Subnet Solutions Inc. PowerSYSTEM Center 2026: 7.0.x
Product Status: known_affected

Remediations
Mitigation: Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.
Mitigation: For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at support@subnet.com.
Mitigation: Subnet Solutions recommends users do the following in order to reduce risk:
Monitor user activity records to ensure users are following acceptable usage policies of the application.
Restrict access to Notification Settings to trusted Administrators.
Monitor "Send from Address" in settings and Activity Records.
Configure a notification rule that triggers on any bulk account export activity.

Relevant CWE: CWE-863 Incorrect Authorization

Metrics
CVSS Version: 3.1
Base Score: 6.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CVE-2026-35504
PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.

Affected Products
Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2020: <=5.28.x, Subnet Solutions Inc. PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x, Subnet Solutions Inc. PowerSYSTEM Center 2026: 7.0.x
Product Status: known_affected

Remediations
Mitigation: Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.
Mitigation: For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at support@subnet.com.
Mitigation: Subnet Solutions recommends users do the following in order to reduce risk:
Monitor user activity records to ensure users are following acceptable usage policies of the application.
Restrict access to Notification Settings to trusted Administrators.
Monitor "Send from Address" in settings and Activity Records.
Configure a notification rule that triggers on any bulk account export activity.

Relevant CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

Metrics
CVSS Version: 3.1
Base Score: 5.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Acknowledgments
Kelly Stich of Subnet Solutions Inc reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Initial Publication

0
Americans sentenced for running 'laptop farms' for North Korea

Two U.S. nationals were sentenced to 18 months in prison each for operating so-called laptop farms that helped North Korean IT workers fraudulently obtain remote employment at nearly 70 American companies. [...]

0
Hackers steal students’ data during breach at education tech giant Instructure

The data breach at education tech giant Instructure includes students' private data, according to a sample of the allegedly stolen data seen by TechCrunch.

0
Johnson Controls CEM AC2000

Summary
Successful exploitation of this vulnerability could allow a standard user to escalate privileges on the host machine.
The following versions of Johnson Controls CEM AC2000 are affected:
CEM AC2000 12.0 (CVE-2026-21661)
CEM AC2000 11.0 (CVE-2026-21661)
CEM AC2000 10.6 (CVE-2026-21661)

CVSS v3: 8.7
Vendor: Johnson Controls Inc.
Equipment: Johnson Controls CEM AC2000
Vulnerabilities: Uncontrolled Search Path Element

Background
Critical Infrastructure Sectors: Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Ireland

Vulnerabilities

CVE-2026-21661
The affected product is vulnerable to DLL hijacking, which could allow an attacker to escalate standard user privileges on the host machine.

Affected Products
Johnson Controls CEM AC2000
Vendor: Johnson Controls Inc.
Product Version: Johnson Controls Inc. CEM AC2000: 12.0, Johnson Controls Inc. CEM AC2000: 11.0, Johnson Controls Inc. CEM AC2000: 10.6
Product Status: known_affected

Remediations
Mitigation: Johnson Controls recommends users apply the following mitigations:
Mitigation: Upgrade CEM AC 2000 12.0 to 12.0 Release 10.
Mitigation: Upgrade CEM AC 2000 11.0 to 11.0 Release 9.
Mitigation: Upgrade CEM AC 2000 10.6 to 10.6 Release 3.
Mitigation: For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory. https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

Relevant CWE: CWE-427 Uncontrolled Search Path Element

Metrics
CVSS Version: 3.1
Base Score: 8.7
Base Severity: HIGH
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Acknowledgments
Tom Hulme of CSACyber reported this vulnerability to Johnson Controls.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-05-05
2026-05-05, Revision 1: Initial Republication of Johnson Controls product security advisory.

0
Physical Cargo Theft Gets a Boost From Cybercriminals

Cargo theft is no longer about small groups of criminals operating on the ground, but transnational cybercriminal syndicates using access to supply chain systems to reroute goods.

0
RMM Tools Fuel Stealthy Phishing Campaign

Attackers are abusing two remote monitoring and management (RMM) tools to evade detection in a campaign that has impacted over 80 organizations so far.

0
Amazon SES increasingly abused in phishing to evade detection

The Amazon Simple Email Service (SES) is being increasingly abused, a cybersecurity company's telemetry data shows, to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. [...]

0
They don’t hack, they borrow: How fraudsters target credit unions

Fraudsters aren't hacking credit unions, they are exploiting normal business processes. Flare reveals how structured loan fraud methods use stolen identities to pass verification and secure funds. [...]

0
76% of All Crypto Stolen in 2026 Is Now in North Korea

North Korean threat actors are pulling off historic cryptocurrency heists on a yearly, sometimes weekly basis now. AI might be helping them.

0
FBI links cybercriminals to sharp surge in cargo theft attacks

The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. [...]

0
South Korea seeks 20-year sentence for Delio CEO over $169M crypto fraud

Prosecutors say Jeong Sang-ho’s “active deceptive acts” left nearly 2,800 investors frozen out of their funds, as South Korea's crackdown on the crypto industry widens.

0
ABB AWIN Gateways

Summary: Successful exploitation of these vulnerabilities could allow an attacker to remotely reboot the device or complete an unauthenticated query to reveal system configuration, including sensitive details.

Affected versions of ABB AWIN Gateways:
- ABB AWIN Firmware (2.0-0) installed on ABB AWIN GW100 rev.2: 2.0-0
- ABB AWIN Firmware (2.0-1) installed on ABB AWIN GW100 rev.2: 2.0-1
- ABB AWIN Firmware (1.2-0) installed on ABB AWIN GW120: 1.2-0
- ABB AWIN Firmware (1.2-1) installed on ABB AWIN GW120: 1.2-1

CVSS v3: 8.3
Vendor: ABB
Equipment: ABB AWIN Gateways
Vulnerabilities: Authentication Bypass by Capture-replay, Missing Authentication for Critical Function

Background:
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities (each is listed against all four product versions above; product status: known_affected):
- CVE-2025-13777: An unauthenticated query reveals data. Authentication Bypass due to Improper Session Validation. Relevant CWE: CWE-294 Authentication Bypass by Capture-replay. CVSS 3.1: 8.3 HIGH, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
- CVE-2025-13778: An unauthenticated query allows an attacker to remotely reboot the device, potentially causing a denial of service. Relevant CWE: CWE-306 Missing Authentication for Critical Function. CVSS 3.1: 6.5 MEDIUM, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CVE-2025-13779: An unauthenticated query reveals the system configuration, including sensitive details. Relevant CWE: CWE-306 Missing Authentication for Critical Function. CVSS 3.1: 8.3 HIGH, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Remediations (listed identically for CVE-2025-13777, CVE-2025-13778 and CVE-2025-13779):
- The following product versions have been fixed: ABB AWIN Firmware 2.1-0 installed on ABB AWIN GW100 rev. 2 (Product ID: 3BNP102988R1); ABB AWIN Firmware 2.0-0 installed on ABB AWIN GW120 (Product ID 3BNP103003R1).
- For more information see the associated ABB PSIRT security advisory 4JNO000329:
  - ABB CYBERSECURITY ADVISORY - PDF Version: https://search.abb.com/library/Download.aspx?DocumentID=4JNO000329&LanguageCode=en&DocumentPartId=&Action=Launch
  - ABB CYBERSECURITY ADVISORY - CSAF Version: https://psirt.abb.com/csaf/2026/4jno000329.json

Acknowledgments: Fred Alvarez reported these vulnerabilities to ABB.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

Revision History:
- Initial Release Date: 2026-04-30
- 2026-04-30, Revision 1: Initial Republication of ABB 4JNO000329

0
ABB Ability OPTIMAX

Summary: Successful exploitation of this vulnerability could allow an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration.

Affected versions of ABB Ability OPTIMAX:
- ABB Ability OPTIMAX 6.1: vers:all/*
- ABB Ability OPTIMAX 6.2: vers:all/*
- ABB Ability OPTIMAX 6.3: <6.3.1-251120
- ABB Ability OPTIMAX 6.4: <6.4.1-251120

CVSS v3: 8.1
Vendor: ABB
Equipment: ABB Ability OPTIMAX
Vulnerabilities: Incorrect Implementation of Authentication Algorithm

Background:
- Critical Infrastructure Sectors: Energy, Water and Wastewater
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities:
- CVE-2025-14510: The vulnerability allows an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration. Affected products: the four ABB Ability OPTIMAX version ranges listed above (product status: known_affected). Relevant CWE: CWE-303 Incorrect Implementation of Authentication Algorithm. CVSS 3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Remediations:
- The following product versions have been fixed: Ability OPTIMAX 6.3 6.3.1-251120 is a fixed version for CVE-2025-14510.
- For more information see the associated ABB PSIRT security advisory 9AKK108472A1331:
  - ABB CYBERSECURITY ADVISORY - PDF Version: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331&LanguageCode=en&DocumentPartId=&Action=Launch
  - ABB CYBERSECURITY ADVISORY - CSAF Version: https://psirt.abb.com/csaf/2026/9akk108472a1331.json

Acknowledgments: ABB PSIRT reported this vulnerability to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

Revision History:
- Initial Release Date: 2026-04-30
- 2026-04-30, Revision 1: Initial Republication of ABB PSIRT 9AKK108472A1331

0
ABB PCM600

Summary: Successful exploitation of this vulnerability could allow an attacker to send specially crafted messages to the system node resulting in execution of arbitrary code.

Affected versions of ABB PCM600:
- PCM600 >=1.5|<=2.13

CVSS v3: 4.4
Vendor: ABB
Equipment: ABB PCM600
Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Background:
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities:
- CVE-2018-1002208: A vulnerability exists in the SharpZip.dll included in the product versions listed above. An attacker could exploit the vulnerability by providing a specially crafted message to the system node, causing insertion and running of arbitrary code. Affected products: ABB PCM600 >=1.5|<=2.13 (product status: known_affected). Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). CVSS 3.1: 4.4 MEDIUM, CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Remediations:
- Vendor fix: The problem is corrected in the following product version: ABB Protection and control IED manager PCM600 version 2.14. ABB recommends that customers apply the update at earliest convenience.
- Vendor fix: Note: RE_630 protection relays are not compatible with PCM600 version 2.14. When using earlier PCM600 versions with RE_630, the known vulnerability must be mitigated through system-level defenses. For mitigation guidance, refer to the General Security Recommendations.
- Vendor fix: The following product versions have been fixed: Protection and Control IED manager PCM600 2.14 is a fixed version for CVE-2018-1002208.
- Mitigation: For more information see the associated ABB PSIRT security advisory 2NGA002813:
  - ABB CYBERSECURITY ADVISORY - PDF version: https://search.abb.com/library/Download.aspx?DocumentID=2NGA002813&LanguageCode=en&DocumentPartId=pdf&Action=Launch
  - ABB CYBERSECURITY ADVISORY - CSAF version: https://psirt.abb.com/csaf/2025/2nga002813.json

Acknowledgments: ABB PSIRT reported this vulnerability to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Revision History:
- Initial Release Date: 2026-04-30
- 2026-04-30, Revision 1: Initial Republication of ABB PSIRT 2NGA002813

0
ABB Edgenius Management Portal

Summary: Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the system node allowing the attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications.

Affected versions of ABB Edgenius Management Portal:
- Edgenius Management Portal 3.2.0.0|3.2.1.1

CVSS v3: 9.6
Vendor: ABB
Equipment: ABB Edgenius Management Portal
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel

Background:
- Critical Infrastructure Sectors: Critical Manufacturing, Information Technology
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities:
- CVE-2025-10571: The Edgenius Management Portal in the affected product versions contains a vulnerability that allows authentication to be bypassed. An attacker could exploit the vulnerability by sending a specially crafted message to the system node allowing the attacker to install and run arbitrary code, uninstall installed applications and modify the configuration of installed applications. Affected products: ABB Edgenius Management Portal 3.2.0.0|3.2.1.1 (product status: known_affected). Relevant CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel. CVSS 3.1: 9.6 CRITICAL, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Remediations:
- Vendor fix: ABB has prepared an update to fix this vulnerability included in the latest Roll-Up, ABB Ability Edgenius version 3.2.2.0. ABB advises customers to upgrade as soon as possible. Until the upgrade is applied, ABB advises customers to disable the Edgenius Management Portal to mitigate the vulnerability.
- Vendor fix: All affected products: Exploitation requires an attacker to have gained access to the network where Edgenius has been deployed, and while the Edgenius Management Portal is running. Refer to section "General security recommendations" for further advice on how to keep your system secure.
- Mitigation: All affected products: Workarounds are specific measures that a user can take to help block an attack, for example, temporarily disabling the vulnerable feature may remove the exposure with well-known impact on functionality. ABB has tested the following workaround.
- Mitigation: The following product versions have been fixed: Ability Edgenius 3.2.2.0 is a fixed version for CVE-2025-10571.
- Mitigation: For more information see the associated ABB PSIRT security advisory 7PAA022088:
  - ABB CYBERSECURITY ADVISORY - PDF version: https://search.abb.com/library/Download.aspx?DocumentID=7PAA022088&LanguageCode=en&DocumentPartId=&Action=Launch
  - ABB CYBERSECURITY ADVISORY - CSAF version: https://psirt.abb.com/csaf/2025/7paa022088.json

Acknowledgments: ABB PSIRT reported this vulnerability to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History:
- Initial Release Date: 2026-04-30
- 2026-04-30, Revision 1: Initial Republication of ABB PSIRT 7PAA022088

0
Police dismantles 9 crypto scam centers, arrests 276 suspects

A joint international operation involving U.S. and Chinese authorities arrested at least 276 suspects and shut down nine cryptocurrency investment fraud centers. [...]

0
US, UAE and China joint effort dismantles 9 crypto scam centers

In another police action, European police arrested 10 people and took down three scam centers, estimated to have stolen over $58 million from victims around the world.

0
AI Finds 38 Security Flaws in Electronic Health Record Platform

Flaws in OpenEMR's platform — used by more than 100,000 healthcare providers — enabled database compromise, remote code execution, and data theft.

0
Kustodia launches smart contract escrow for LATAM's $600m fraud crisis

Mexico's first peso-denominated blockchain escrow goes live on SPEI for high-value P2P transactions.

0
European police dismantles €50 million crypto investment fraud ring

Austrian and Albanian authorities dismantled a criminal ring accused of running a large-scale cryptocurrency investment fraud operation that caused estimated losses of over €50 million ($58.5 million) to victims worldwide. [...]

0
Canada proposes crypto ATM ban over scams and money laundering

Ottawa says Bitcoin ATMs have become a key tool for scammers, as regulators move to tighten oversight of high-risk parts of the crypto sector.

0
BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures

The North Korean group is using stolen victim videos, AI-generated avatars, and fake Zoom calls to scale malware attacks against cryptocurrency executives.

0
Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data

Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository. [...]

0
NSA GRASSMARLIN

Summary: Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information.

Affected versions of NSA GRASSMARLIN:
- GRASSMARLIN vers:all/*

CVSS v3: 5.5
Vendor: NSA
Equipment: NSA GRASSMARLIN
Vulnerabilities: Improper Restriction of XML External Entity Reference

Background:
- Critical Infrastructure Sectors: Information Technology
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities:
- CVE-2026-6807: A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process. Affected products: NSA GRASSMARLIN vers:all/* (product status: known_affected). Relevant CWE: CWE-611 Improper Restriction of XML External Entity Reference. CVSS 3.1: 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Remediations:
- Vendor fix: NSA has indicated that the GRASSMARLIN project has reached end-of-life status as of 2017 and is no longer supported. The project is archived, and no patches or further updates are planned or expected.

Acknowledgments: Grady DeRosa reported this vulnerability to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History:
- Initial Release Date: 2026-04-28
- 2026-04-28, Revision 1: Initial Publication

Helping Romance Scam Victims Requires a Proactive, Empathic Approach

People targeted by confidence schemes find getting help is a lonely road. Experts want law enforcement, financial, and government institutions to work together and protect them.

US Busts Myanmar Ring Targeting US Citizens in Financial Fraud

Some 29 people were charged, including a Cambodian senator, and authorities seized more than 500 Web domains tied to fake investment sites.

AI Phishing Is No. 1 With a Bullet for Cyberattackers

In the past six months, companies have seen a significant influx of AI-powered phishing, as cyberattackers progress from small campaigns to 1-to-1 personalized attacks.

North Korea's Lazarus Targets macOS Users via ClickFix

Lazarus continues leveraging ClickFix for initial access and data theft: in this case, against Mac-centric organizations and their high-value leaders.

Milesight Cameras

Summary
Successful exploitation of these vulnerabilities could crash the device being accessed or allow remote code execution.

The following versions of Milesight Cameras are affected. Every model listed is affected by all five vulnerabilities: CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766.

MS-Cxx63-PD <=51.7.0.77-r12
MS-Cxx64-xPD <=51.7.0.77-r12
MS-Cxx73-xPD <=51.7.0.77-r12
MS-Cxx75-xxPD <=51.7.0.77-r12
MS-Cxx83-xPD <=51.7.0.77-r12
MS-Cxx74-PA <=3x.8.0.3-r11
MS-C8477-HPG1 <=63.8.0.4-r3
MS-C8477-PC <=48.8.0.4-r3
MS-C5321-FPE <=62.8.0.4-r5
MS-Cxx72-xxxPE <=61.8.0.5-r2
MS-Cxx62-xxxPE <=61.8.0.5-r2
MS-Cxx52-xxxPE <=61.8.0.5-r2
MS-Cxx66-xxxPE <=61.8.0.5-r2
MS-Cxx66-xxxGPE <=61.8.0.5-r2
MS-Cxx61-xxxPE <=61.8.0.5-r2
MS-Cxx67-xxxPE <=61.8.0.5-r2
MS-Cxx71-xxxPE <=61.8.0.5-r2
MS-Cxx41-xxxPE <=61.8.0.5-r2
MS-Cxx76-PE <=61.8.0.5-r2
MS-Cxx65-PE <=61.8.0.5-r2
MS-Cxx66-xxxG1 <=63.8.0.5-r3
MS-Cxx62-xxxG1 <=63.8.0.5-r3
MS-Cxx72-xxxG1 <=63.8.0.5-r3
MS-CQxx31-xxxG1 <=CQ_63.8.0.5-r1
MS-CQxx68-xxxG1 <=CQ_63.8.0.5-r1
MS-CQxx72-xxxG1 <=CQ_63.8.0.5-r1
MS-Nxxxx-NxE <=7x.9.0.19-r5
MS-Nxxxx-xxC <=7x.9.0.19-r5
MS-Nxxxx-xxE <=7x.9.0.19-r5
MS-Nxxxx-xxG <=7x.9.0.19-r5
MS-Nxxxx-xxH <=7x.9.0.19-r5
MS-Nxxxx-xxT <=7x.9.0.19-r5
PMC8266-FPE <=PO_61.8.0.4_LPR
PMC8266-FGPE <=PO_61.8.0.4_LPR
PM3322-E <=PI_61.8.0.3_LPR-r3
TS4466-X4RIPG1 <=T_63.8.0.4_LPR-r3
TS5366-X12RIPG1 <=T_63.8.0.4_LPR-r3
TS8266-X4RIPG1 <=T_63.8.0.4_LPR-r3
TS4466-X4RIVPG1 <=T_63.8.0.4_LPR-r3
TS4466-RFIVPG1 <=T_63.8.0.4_LPR-r3
TS8266-X4RIVPG1 <=T_63.8.0.4_LPR-r3
TS8266-RFIVPG1 <=T_63.8.0.4_LPR-r3
TS4466-X4RIWG1 <=T_63.8.0.4_LPR-r3
TS8266-X4RIWG1 <=T_63.8.0.4_LPR-r3
TS5510-GVH <=T_47.8.0.4_LPR-r7
TS5510-GH <=T_47.8.0.4_LPR-r6
TS5511-GVH <=T_47.8.0.4_LPR-r6
TS2966-X12TPE <=T_61.8.0.4_LPR-r3
TS4466-X4RPE <=T_61.8.0.4_LPR-r3
TS5366-X12PE <=T_61.8.0.4_LPR-r3
TS8266-X4PE <=T_61.8.0.4_LPR-r3
TS2966-X12TVPE <=T_61.8.0.4_LPR-r3
TS4466-X4RVPE <=T_61.8.0.4_LPR-r3
TS5366-X12VPE <=T_61.8.0.4_LPR-r3
TS8266-X4VPE <=T_61.8.0.4_LPR-r3
TS4441-X36RPE <=T_61.8.0.4_LPR-r3
TS4441-X36RE <=T_61.8.0.4_LPR-r3
TS4466-X4RWE <=T_61.8.0.4_LPR-r3
TS8266-X4WE <=T_61.8.0.4_LPR-r3
MS-C2964-RFLPC <=T_45.8.0.3-r9
MS-C2972-RFLPC <=T_45.8.0.3-r9
MS-C2966-RFLWPC <=T_45.8.0.3-r9
TS2866-X4TPC <=T_45.8.0.3-r9
TS2866-X4TVPC <=T_45.8.0.3-r9
TS2866-X4TGPC <=T_45.8.0.3-r9
TS2841-X36TPC <=T_45.8.0.3-r9
TS2841-X36TPC/W <=T_45.8.0.3-r9
TS2867-X5TPC <=T_45.8.0.3-r9
TS2961-X12TPC <=T_45.8.0.3-r9
TS8266-FPC/P <=T_45.8.0.3-r9
MS-C2966-X12RLPC <=T_45.8.0.3-r9
MS-C2966-X12RLVPC <=T_45.8.0.3-r9
MS-C5366-X12LPC <=T_45.8.0.3-r9
MS-C5366-X12LVPC <=T_45.8.0.3-r9
MS-C5361-X12LPC <=T_45.8.0.3-r9
MS-Cxx66-xxxxGOPC <=45.8.0.2-AIoT-r4
SC211 <=C_21.1.0.8-r4
SP111 <=52.8.0.4-r5
MS-Cxx66-RFIPKG1 <=63.8.0.4-r1-NX
MS-Cxx72-RFIPKG1 <=63.8.0.4-r1-NX
MS-Cxx66-FIPKG1 <=63.8.0.4-r1-NX
MS-Cxx72-FIPKG1 <=63.8.0.4-r1-NX

CVSS v3: 9.8
Vendor: Milesight
Equipment: Milesight Cameras
Vulnerabilities: Authorization Bypass Through User-Controlled Key, Use of Hard-coded Credentials, Use of Hard-coded Cryptographic Key, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Heap-based Buffer Overflow

Background
Critical Infrastructure Sectors: Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: China

Vulnerabilities

CVE-2026-28747
A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras.

Affected Products
Milesight Cameras
Vendor: Milesight
Product Version: the same models and versions as in the affected-versions list at the top of this advisory
Product Status: known_affected

Remediations
Mitigation: Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.

Vendor fix, per model:
MS-Cxx63-PD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx64-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx73-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx75-xxPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx83-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx74-PA: 3x.8.0.3-r11 and prior versions: Update to 3x.8.0.3-r13
MS-C8477-HPG1: 63.8.0.4-r3 and prior versions: Update to 63.8.0.4-r4
MS-C8477-PC: 48.8.0.4-r3 and prior versions: Update to 48.8.0.4-r4
MS-C5321-FPE: 62.8.0.4-r5 and prior versions: Update to 62.8.0.4-r6
MS-Cxx72-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx62-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx52-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx66-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx66-xxxGPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx61-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx67-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx71-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx41-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx76-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx65-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx66-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
MS-Cxx62-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
MS-Cxx72-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
MS-CQxx31-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
MS-CQxx68-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
MS-CQxx72-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
MS-Nxxxx-NxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxC: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxG: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxH: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxT: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
PMC8266-FPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1
PMC8266-FGPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1
PM3322-E: PI_61.8.0.3_LPR-r3 and prior versions: Update to PI_61.8.0.3-r5
TS4466-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS5366-X12RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS4466-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS4466-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS4466-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS5510-GVH: T_47.8.0.4_LPR-r7 and prior versions: Update to T_47.8.0.4-r8
TS5510-GH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8
TS5511-GVH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8
TS2966-X12TPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4466-X4RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS5366-X12PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS8266-X4PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS2966-X12TVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4466-X4RVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS5366-X12VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS8266-X4VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4441-X36RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4441-X36RE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4466-X4RWE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS8266-X4WE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
MS-C2964-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2972-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2966-RFLWPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2866-X4TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2866-X4TVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2866-X4TGPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2841-X36TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2841-X36TPC/W: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2867-X5TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2961-X12TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS8266-FPC/P: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2966-X12RLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2966-X12RLVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C5366-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C5366-X12LVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C5361-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-Cxx66-xxxxGOPC: 45.8.0.2-AIoT-r4 and prior versions: Update to 45.8.0.2-AIoT-r5
SC211: C_21.1.0.8-r4 and prior versions: Update to C_21.1.0.8-r5
SP111: 52.8.0.4-r5 and prior versions: Update to 52.8.0.4-r6
MS-Cxx66-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX
MS-Cxx72-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX
MS-Cxx66-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX
MS-Cxx72-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX

Mitigation: Milesight asks all users to report potential security vulnerabilities to security@milesight.com.
Mitigation: Learn more: Milesight Vulnerability Reporting Policy https://www.milesight.com/legal/vulnerability-report

Relevant CWE: CWE-639 Authorization Bypass Through User-Controlled Key

Metrics
CVSS Version: 3.1
Base Score: 7.1
Base Severity: HIGH
Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2026-27785
Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials.
View CVE Details Affected Products Milesight Cameras Vendor: Milesight Product Version: Milesight MS-Cxx63-PD: <=51.7.0.77-r12, Milesight MS-Cxx64-xPD: <=51.7.0.77-r12, Milesight MS-Cxx73-xPD: <=51.7.0.77-r12, Milesight MS-Cxx75-xxPD: <=51.7.0.77-r12, Milesight MS-Cxx83-xPD: <=51.7.0.77-r12, Milesight MS-Cxx74-PA: <=3x.8.0.3-r11, Milesight MS-C8477-HPG1: <=63.8.0.4-r3, Milesight MS-C8477-PC: <=48.8.0.4-r3, Milesight MS-C5321-FPE: <=62.8.0.4-r5, Milesight MS-Cxx72-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx62-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx52-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxGPE: <=61.8.0.5-r2, Milesight MS-Cxx61-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx67-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx71-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx41-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx76-PE: <=61.8.0.5-r2, Milesight MS-Cxx65-PE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx62-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx72-xxxG1: <=63.8.0.5-r3, Milesight MS-CQxx31-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx68-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx72-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-Nxxxx-NxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxC: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxG: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxH: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxT: <=7x.9.0.19-r5, Milesight PMC8266-FPE: <=PO_61.8.0.4_LPR, Milesight PMC8266-FGPE: <=PO_61.8.0.4_LPR, Milesight PM3322-E: <=PI_61.8.0.3_LPR-r3, Milesight TS4466-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS5366-X12RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS5510-GVH: <=T_47.8.0.4_LPR-r7, Milesight 
TS5510-GH: <=T_47.8.0.4_LPR-r6, Milesight TS5511-GVH: <=T_47.8.0.4_LPR-r6, Milesight TS2966-X12TPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12PE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4PE: <=T_61.8.0.4_LPR-r3, Milesight TS2966-X12TVPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RVPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12VPE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4VPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RWE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4WE: <=T_61.8.0.4_LPR-r3, Milesight MS-C2964-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2972-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-RFLWPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TVPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TGPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC/W: <=T_45.8.0.3-r9, Milesight TS2867-X5TPC: <=T_45.8.0.3-r9, Milesight TS2961-X12TPC: <=T_45.8.0.3-r9, Milesight TS8266-FPC/P: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLVPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LVPC: <=T_45.8.0.3-r9, Milesight MS-C5361-X12LPC: <=T_45.8.0.3-r9, Milesight MS-Cxx66-xxxxGOPC: <=45.8.0.2-AIoT-r4, Milesight SC211: <=C_21.1.0.8-r4, Milesight SP111: <=52.8.0.4-r5, Milesight MS-Cxx66-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx66-FIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-FIPKG1: <=63.8.0.4-r1-NX Product Status: known_affected Remediations Mitigation Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.  
https://www.milesight.com/support/download/firmware Vendor fix MS-Cxx63-PD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx64-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx73-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx75-xxPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx83-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx74-PA: 3x.8.0.3-r11 and prior versions: Update to 3x.8.0.3-r13 Vendor fix MS-C8477-HPG1: 63.8.0.4-r3 and prior versions: Update to 63.8.0.4-r4 Vendor fix MS-C8477-PC: 48.8.0.4-r3 and prior versions: Update to 48.8.0.4-r4 Vendor fix MS-C5321-FPE: 62.8.0.4-r5 and prior versions: Update to 62.8.0.4-r6 Vendor fix MS-Cxx72-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx62-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx52-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxGPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx61-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx67-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx71-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx41-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx76-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx65-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx62-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx72-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-CQxx31-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to 
CQ_63.8.0.5-r2 Vendor fix MS-CQxx68-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-CQxx72-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-Nxxxx-NxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxC: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxG: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxH: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxT: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix PMC8266-FPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PMC8266-FGPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PM3322-E: PI_61.8.0.3_LPR-r3 and prior versions: Update to PI_61.8.0.3-r5 Vendor fix TS4466-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5366-X12RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5510-GVH: T_47.8.0.4_LPR-r7 and prior versions: Update to T_47.8.0.4-r8 Vendor fix TS5510-GH: T_47.8.0.4_LPR-r6 and prior versions : Update to T_47.8.0.4-r8 Vendor fix TS5511-GVH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8 Vendor 
fix TS2966-X12TPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS2966-X12TVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RWE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4WE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix MS-C2964-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2972-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-RFLWPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TGPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC/W: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2867-X5TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2961-X12TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS8266-FPC/P: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix 
MS-C2966-X12RLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-X12RLVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5361-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-Cxx66-xxxxGOPC: 45.8.0.2-AIoT-r4 and prior versions: Update to 45.8.0.2-AIoT-r5 Vendor fix SC211: C_21.1.0.8-r4 and prior versions: Update to C_21.1.0.8-r5 Vendor fix SP111: 52.8.0.4-r5 and prior versions: Update to 52.8.0.4-r6 Vendor fix MS-Cxx66-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx66-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX

Mitigation: Milesight asks all users to report potential security vulnerabilities to security@milesight.com.

Mitigation: Learn more: Milesight Vulnerability Reporting Policy https://www.milesight.com/legal/vulnerability-report

Relevant CWE: CWE-798 Use of Hard-coded Credentials

Metrics: CVSS Version 3.1; Base Score 8.8; Base Severity HIGH; Vector String CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-32644

Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.
Affected Products

Milesight Cameras
Vendor: Milesight
Product Version: Milesight MS-Cxx63-PD: <=51.7.0.77-r12, Milesight MS-Cxx64-xPD: <=51.7.0.77-r12, Milesight MS-Cxx73-xPD: <=51.7.0.77-r12, Milesight MS-Cxx75-xxPD: <=51.7.0.77-r12, Milesight MS-Cxx83-xPD: <=51.7.0.77-r12, Milesight MS-Cxx74-PA: <=3x.8.0.3-r11, Milesight MS-C8477-HPG1: <=63.8.0.4-r3, Milesight MS-C8477-PC: <=48.8.0.4-r3, Milesight MS-C5321-FPE: <=62.8.0.4-r5, Milesight MS-Cxx72-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx62-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx52-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxGPE: <=61.8.0.5-r2, Milesight MS-Cxx61-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx67-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx71-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx41-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx76-PE: <=61.8.0.5-r2, Milesight MS-Cxx65-PE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx62-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx72-xxxG1: <=63.8.0.5-r3, Milesight MS-CQxx31-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx68-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx72-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-Nxxxx-NxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxC: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxG: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxH: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxT: <=7x.9.0.19-r5, Milesight PMC8266-FPE: <=PO_61.8.0.4_LPR, Milesight PMC8266-FGPE: <=PO_61.8.0.4_LPR, Milesight PM3322-E: <=PI_61.8.0.3_LPR-r3, Milesight TS4466-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS5366-X12RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS5510-GVH: <=T_47.8.0.4_LPR-r7, Milesight
TS5510-GH: <=T_47.8.0.4_LPR-r6, Milesight TS5511-GVH: <=T_47.8.0.4_LPR-r6, Milesight TS2966-X12TPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12PE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4PE: <=T_61.8.0.4_LPR-r3, Milesight TS2966-X12TVPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RVPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12VPE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4VPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RWE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4WE: <=T_61.8.0.4_LPR-r3, Milesight MS-C2964-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2972-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-RFLWPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TVPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TGPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC/W: <=T_45.8.0.3-r9, Milesight TS2867-X5TPC: <=T_45.8.0.3-r9, Milesight TS2961-X12TPC: <=T_45.8.0.3-r9, Milesight TS8266-FPC/P: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLVPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LVPC: <=T_45.8.0.3-r9, Milesight MS-C5361-X12LPC: <=T_45.8.0.3-r9, Milesight MS-Cxx66-xxxxGOPC: <=45.8.0.2-AIoT-r4, Milesight SC211: <=C_21.1.0.8-r4, Milesight SP111: <=52.8.0.4-r5, Milesight MS-Cxx66-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx66-FIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-FIPKG1: <=63.8.0.4-r1-NX Product Status: known_affected Remediations Mitigation Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.  
Vendor fix MS-Cxx63-PD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx64-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx73-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx75-xxPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx83-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx74-PA: 3x.8.0.3-r11 and prior versions: Update to 3x.8.0.3-r13 Vendor fix MS-C8477-HPG1: 63.8.0.4-r3 and prior versions: Update to 63.8.0.4-r4 Vendor fix MS-C8477-PC: 48.8.0.4-r3 and prior versions: Update to 48.8.0.4-r4 Vendor fix MS-C5321-FPE: 62.8.0.4-r5 and prior versions: Update to 62.8.0.4-r6 Vendor fix MS-Cxx72-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx62-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx52-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxGPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx61-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx67-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx71-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx41-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx76-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx65-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx62-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx72-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-CQxx31-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to
CQ_63.8.0.5-r2 Vendor fix MS-CQxx68-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-CQxx72-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-Nxxxx-NxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxC: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxG: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxH: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxT: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix PMC8266-FPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PMC8266-FGPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PM3322-E: PI_61.8.0.3_LPR-r3 and prior versions: Update to PI_61.8.0.3-r5 Vendor fix TS4466-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5366-X12RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5510-GVH: T_47.8.0.4_LPR-r7 and prior versions: Update to T_47.8.0.4-r8 Vendor fix TS5510-GH: T_47.8.0.4_LPR-r6 and prior versions : Update to T_47.8.0.4-r8 Vendor fix TS5511-GVH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8 Vendor 
fix TS2966-X12TPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS2966-X12TVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RWE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4WE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix MS-C2964-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2972-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-RFLWPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TGPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC/W: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2867-X5TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2961-X12TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS8266-FPC/P: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix 
MS-C2966-X12RLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-X12RLVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5361-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-Cxx66-xxxxGOPC: 45.8.0.2-AIoT-r4 and prior versions: Update to 45.8.0.2-AIoT-r5 Vendor fix SC211: C_21.1.0.8-r4 and prior versions: Update to C_21.1.0.8-r5 Vendor fix SP111: 52.8.0.4-r5 and prior versions: Update to 52.8.0.4-r6 Vendor fix MS-Cxx66-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx66-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX

Mitigation: Milesight asks all users to report potential security vulnerabilities to security@milesight.com.

Mitigation: Learn more: Milesight Vulnerability Reporting Policy https://www.milesight.com/legal/vulnerability-report

Relevant CWE: CWE-321 Use of Hard-coded Cryptographic Key

Metrics: CVSS Version 3.1; Base Score 9.8; Base Severity CRITICAL; Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-32649

A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras.
Affected Products

Milesight Cameras
Vendor: Milesight
Product Version: Milesight MS-Cxx63-PD: <=51.7.0.77-r12, Milesight MS-Cxx64-xPD: <=51.7.0.77-r12, Milesight MS-Cxx73-xPD: <=51.7.0.77-r12, Milesight MS-Cxx75-xxPD: <=51.7.0.77-r12, Milesight MS-Cxx83-xPD: <=51.7.0.77-r12, Milesight MS-Cxx74-PA: <=3x.8.0.3-r11, Milesight MS-C8477-HPG1: <=63.8.0.4-r3, Milesight MS-C8477-PC: <=48.8.0.4-r3, Milesight MS-C5321-FPE: <=62.8.0.4-r5, Milesight MS-Cxx72-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx62-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx52-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxGPE: <=61.8.0.5-r2, Milesight MS-Cxx61-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx67-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx71-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx41-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx76-PE: <=61.8.0.5-r2, Milesight MS-Cxx65-PE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx62-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx72-xxxG1: <=63.8.0.5-r3, Milesight MS-CQxx31-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx68-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx72-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-Nxxxx-NxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxC: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxG: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxH: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxT: <=7x.9.0.19-r5, Milesight PMC8266-FPE: <=PO_61.8.0.4_LPR, Milesight PMC8266-FGPE: <=PO_61.8.0.4_LPR, Milesight PM3322-E: <=PI_61.8.0.3_LPR-r3, Milesight TS4466-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS5366-X12RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS5510-GVH: <=T_47.8.0.4_LPR-r7, Milesight
TS5510-GH: <=T_47.8.0.4_LPR-r6, Milesight TS5511-GVH: <=T_47.8.0.4_LPR-r6, Milesight TS2966-X12TPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12PE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4PE: <=T_61.8.0.4_LPR-r3, Milesight TS2966-X12TVPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RVPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12VPE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4VPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RWE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4WE: <=T_61.8.0.4_LPR-r3, Milesight MS-C2964-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2972-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-RFLWPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TVPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TGPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC/W: <=T_45.8.0.3-r9, Milesight TS2867-X5TPC: <=T_45.8.0.3-r9, Milesight TS2961-X12TPC: <=T_45.8.0.3-r9, Milesight TS8266-FPC/P: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLVPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LVPC: <=T_45.8.0.3-r9, Milesight MS-C5361-X12LPC: <=T_45.8.0.3-r9, Milesight MS-Cxx66-xxxxGOPC: <=45.8.0.2-AIoT-r4, Milesight SC211: <=C_21.1.0.8-r4, Milesight SP111: <=52.8.0.4-r5, Milesight MS-Cxx66-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx66-FIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-FIPKG1: <=63.8.0.4-r1-NX Product Status: known_affected Remediations Mitigation Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.  
Vendor fix MS-Cxx63-PD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx64-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx73-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx75-xxPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx83-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx74-PA: 3x.8.0.3-r11 and prior versions: Update to 3x.8.0.3-r13 Vendor fix MS-C8477-HPG1: 63.8.0.4-r3 and prior versions: Update to 63.8.0.4-r4 Vendor fix MS-C8477-PC: 48.8.0.4-r3 and prior versions: Update to 48.8.0.4-r4 Vendor fix MS-C5321-FPE: 62.8.0.4-r5 and prior versions: Update to 62.8.0.4-r6 Vendor fix MS-Cxx72-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx62-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx52-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxGPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx61-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx67-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx71-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx41-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx76-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx65-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx62-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx72-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-CQxx31-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to
CQ_63.8.0.5-r2 Vendor fix MS-CQxx68-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-CQxx72-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-Nxxxx-NxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxC: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxG: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxH: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxT: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix PMC8266-FPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PMC8266-FGPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PM3322-E: PI_61.8.0.3_LPR-r3 and prior versions: Update to PI_61.8.0.3-r5 Vendor fix TS4466-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5366-X12RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5510-GVH: T_47.8.0.4_LPR-r7 and prior versions: Update to T_47.8.0.4-r8 Vendor fix TS5510-GH: T_47.8.0.4_LPR-r6 and prior versions : Update to T_47.8.0.4-r8 Vendor fix TS5511-GVH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8 Vendor 
fix TS2966-X12TPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS2966-X12TVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RWE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4WE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix MS-C2964-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2972-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-RFLWPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TGPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC/W: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2867-X5TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2961-X12TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS8266-FPC/P: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix 
MS-C2966-X12RLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-X12RLVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5361-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-Cxx66-xxxxGOPC: 45.8.0.2-AIoT-r4 and prior versions: Update to 45.8.0.2-AIoT-r5 Vendor fix SC211: C_21.1.0.8-r4 and prior versions: Update to C_21.1.0.8-r5 Vendor fix SP111: 52.8.0.4-r5 and prior versions: Update to 52.8.0.4-r6 Vendor fix MS-Cxx66-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx66-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX

Mitigation: Milesight asks all users to report potential security vulnerabilities to security@milesight.com.

Mitigation: Learn more: Milesight Vulnerability Reporting Policy https://www.milesight.com/legal/vulnerability-report

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Metrics: CVSS Version 3.1; Base Score 6.8; Base Severity MEDIUM; Vector String CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVE-2026-20766

An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
Affected Products

Milesight Cameras
Vendor: Milesight
Product Version: Milesight MS-Cxx63-PD: <=51.7.0.77-r12, Milesight MS-Cxx64-xPD: <=51.7.0.77-r12, Milesight MS-Cxx73-xPD: <=51.7.0.77-r12, Milesight MS-Cxx75-xxPD: <=51.7.0.77-r12, Milesight MS-Cxx83-xPD: <=51.7.0.77-r12, Milesight MS-Cxx74-PA: <=3x.8.0.3-r11, Milesight MS-C8477-HPG1: <=63.8.0.4-r3, Milesight MS-C8477-PC: <=48.8.0.4-r3, Milesight MS-C5321-FPE: <=62.8.0.4-r5, Milesight MS-Cxx72-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx62-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx52-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxGPE: <=61.8.0.5-r2, Milesight MS-Cxx61-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx67-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx71-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx41-xxxPE: <=61.8.0.5-r2, Milesight MS-Cxx76-PE: <=61.8.0.5-r2, Milesight MS-Cxx65-PE: <=61.8.0.5-r2, Milesight MS-Cxx66-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx62-xxxG1: <=63.8.0.5-r3, Milesight MS-Cxx72-xxxG1: <=63.8.0.5-r3, Milesight MS-CQxx31-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx68-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-CQxx72-xxxG1: <=CQ_63.8.0.5-r1, Milesight MS-Nxxxx-NxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxC: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxE: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxG: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxH: <=7x.9.0.19-r5, Milesight MS-Nxxxx-xxT: <=7x.9.0.19-r5, Milesight PMC8266-FPE: <=PO_61.8.0.4_LPR, Milesight PMC8266-FGPE: <=PO_61.8.0.4_LPR, Milesight PM3322-E: <=PI_61.8.0.3_LPR-r3, Milesight TS4466-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS5366-X12RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-RFIVPG1: <=T_63.8.0.4_LPR-r3, Milesight TS4466-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS8266-X4RIWG1: <=T_63.8.0.4_LPR-r3, Milesight TS5510-GVH: <=T_47.8.0.4_LPR-r7, Milesight
TS5510-GH: <=T_47.8.0.4_LPR-r6, Milesight TS5511-GVH: <=T_47.8.0.4_LPR-r6, Milesight TS2966-X12TPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12PE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4PE: <=T_61.8.0.4_LPR-r3, Milesight TS2966-X12TVPE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RVPE: <=T_61.8.0.4_LPR-r3, Milesight TS5366-X12VPE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4VPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RPE: <=T_61.8.0.4_LPR-r3, Milesight TS4441-X36RE: <=T_61.8.0.4_LPR-r3, Milesight TS4466-X4RWE: <=T_61.8.0.4_LPR-r3, Milesight TS8266-X4WE: <=T_61.8.0.4_LPR-r3, Milesight MS-C2964-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2972-RFLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-RFLWPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TVPC: <=T_45.8.0.3-r9, Milesight TS2866-X4TGPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC: <=T_45.8.0.3-r9, Milesight TS2841-X36TPC/W: <=T_45.8.0.3-r9, Milesight TS2867-X5TPC: <=T_45.8.0.3-r9, Milesight TS2961-X12TPC: <=T_45.8.0.3-r9, Milesight TS8266-FPC/P: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLPC: <=T_45.8.0.3-r9, Milesight MS-C2966-X12RLVPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LPC: <=T_45.8.0.3-r9, Milesight MS-C5366-X12LVPC: <=T_45.8.0.3-r9, Milesight MS-C5361-X12LPC: <=T_45.8.0.3-r9, Milesight MS-Cxx66-xxxxGOPC: <=45.8.0.2-AIoT-r4, Milesight SC211: <=C_21.1.0.8-r4, Milesight SP111: <=52.8.0.4-r5, Milesight MS-Cxx66-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-RFIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx66-FIPKG1: <=63.8.0.4-r1-NX, Milesight MS-Cxx72-FIPKG1: <=63.8.0.4-r1-NX Product Status: known_affected Remediations Mitigation Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.  
Vendor fix MS-Cxx63-PD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx64-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx73-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx75-xxPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx83-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13 Vendor fix MS-Cxx74-PA: 3x.8.0.3-r11 and prior versions: Update to 3x.8.0.3-r13 Vendor fix MS-C8477-HPG1: 63.8.0.4-r3 and prior versions: Update to 63.8.0.4-r4 Vendor fix MS-C8477-PC: 48.8.0.4-r3 and prior versions: Update to 48.8.0.4-r4 Vendor fix MS-C5321-FPE: 62.8.0.4-r5 and prior versions: Update to 62.8.0.4-r6 Vendor fix MS-Cxx72-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx62-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx52-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxGPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx61-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx67-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx71-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx41-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx76-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx65-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2 Vendor fix MS-Cxx66-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx62-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-Cxx72-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4 Vendor fix MS-CQxx31-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to
CQ_63.8.0.5-r2 Vendor fix MS-CQxx68-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-CQxx72-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2 Vendor fix MS-Nxxxx-NxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxC: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxG: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxH: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix MS-Nxxxx-xxT: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6 Vendor fix PMC8266-FPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PMC8266-FGPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1 Vendor fix PM3322-E: PI_61.8.0.3_LPR-r3 and prior versions: Update to PI_61.8.0.3-r5 Vendor fix TS4466-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5366-X12RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS4466-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS8266-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4 Vendor fix TS5510-GVH: T_47.8.0.4_LPR-r7 and prior versions: Update to T_47.8.0.4-r8 Vendor fix TS5510-GH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8 Vendor fix TS5511-GVH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8 Vendor 
fix TS2966-X12TPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS2966-X12TVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RWE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4WE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix MS-C2964-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2972-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-RFLWPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TGPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC/W: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2867-X5TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2961-X12TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS8266-FPC/P: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix 
MS-C2966-X12RLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-X12RLVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5361-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-Cxx66-xxxxGOPC: 45.8.0.2-AIoT-r4 and prior versions: Update to 45.8.0.2-AIoT-r5 Vendor fix SC211: C_21.1.0.8-r4 and prior versions: Update to C_21.1.0.8-r5 Vendor fix SP111: 52.8.0.4-r5 and prior versions: Update to 52.8.0.4-r6 Vendor fix MS-Cxx66-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx66-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Mitigation Milesight asks all users to report potential security vulnerabilities to security@milesight.com. mailto:security@milesight.com Mitigation Learn more: Milesight Vulnerability Reporting Policy https://www.milesight.com/legal/vulnerability-report Relevant CWE: CWE-122 Heap-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Acknowledgments Souvik Kandar reported these vulnerabilities to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. 
Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. Revision History Initial Release Date: 2026-04-23 Date Revision Summary 2026-04-23 1 Initial Publication Legal Notice and Terms of Use

0
Defending Against China-Nexus Covert Networks of Compromised Devices

Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it

Summary

With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners:

- Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
- Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
- Germany Federal Office for the Protection of the Constitution - Bundesamt für Verfassungsschutz (BfV)
- Germany Federal Intelligence Service – Bundesnachrichtendienst (BND)
- Germany Federal Office for Information Security - Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
- Netherlands General Intelligence and Security Service - Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
- Netherlands Defence Intelligence and Security Service - Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Spain National Cryptologic Centre – Centro Criptológico Nacional (CCN)
- Sweden National Cyber Security Centre - Nationellt cybersäkerhetscenter (NCSC-SE)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Federal Bureau of Investigation (FBI)
- United States National Security Agency (NSA)

Its purpose is to provide network defenders with the tools needed to defend against China-nexus cyber actors and their tactic of using large scale networks of compromised devices (covert networks) to route their cyber activity.

Introduction

Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices.

The NCSC believes that the majority of China-nexus threat actors are using these networks (hereafter “covert networks”), that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.

Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks. They have been used by Chinese state-sponsored actors Volt Typhoon to pre-position offensive cyber capabilities on critical national infrastructure. The group Flax Typhoon used a different covert network of compromised infrastructure to conduct cyber espionage.

The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale.

This advisory describes the typical makeup of a covert network and what they are being used for. It also includes protective advice for organizations being targeted by cyber activity using a covert network as an access vector.

Covert Networks

Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity. Actors have been observed using them for each phase of their Cyber Kill Chains, from performing scans as part of reconnaissance, to the delivery of malware, communicating with said malware, and exfiltrating stolen data from a victim. They can also be used for general deniable internet browsing, allowing threat actors to research exploitation techniques, new TTPs, and their victims without attribution. Some covert networks are also used by legitimate customers to browse the internet, making it challenging to attribute malicious activity.

There is evidence that covert networks used by China-nexus actors are created and maintained by Chinese information security companies. A network known to network defenders as Raptor Train, which in 2024 infected more than 200,000 devices worldwide, was controlled and managed by the Chinese company, Integrity Technology Group. This company was also assessed by the FBI to be responsible for the computer intrusion activities attributed to China-based hackers known as Flax Typhoon.

"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks" – NCSC Director of Operations, Paul Chichester

Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale. Raptor Train was made up of thousands of SOHO routers and IoT devices, such as web cameras and video recorders, as well as firewalls and Network Attached Storage (NAS) devices. The KV Botnet used by Volt Typhoon was mainly made up of vulnerable Cisco and NetGear routers. The edge devices were vulnerable because they were “end of life” – out of date and no longer receiving updates or security patches by their manufacturers.

The cyber security industry has been aware of examples of these networks for some time and has publicly reported on the widespread scale of the threat and its implications. Mandiant Intelligence produced a public blog in May 2024 talking about covert networks in which they highlighted a key issue for defenders – indicator of compromise (IOC) Extinction. If a particular threat group could now come from one of many covert networks, each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors, old network defense paradigms of static malicious IP block lists will be less effective. This is compounded by the dynamic nature of these networks where new nodes will be added as old devices are patched or removed from use.

Typical Network Topology

The number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed. The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network.

Because of this, a description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date – and for most network defenders would not be practically useful.

However, most covert networks of compromised devices use the same basic set up. Understanding this generalized structure can aid researchers and defenders by helping them to understand which part of a network they may have found, and how to defend against it.

[Figure: A diagram illustrating the basic setup of a covert network.]

The diagram above illustrates the basic setup of a covert network, where typically an actor will connect to the network via an on-ramp or entry node. Their traffic will be forwarded through multiple compromised devices, used as traversal nodes, before exiting the network from an exit node, usually in the same geographic region as the target.

Protective Advice

Defending from attackers using covert networks is not straightforward, and defensive tactics will be different based on the levels of resource and the nature of the target organization. General advice for good cyber security practice should be followed, and some key messages can be found in the appendix of this advisory.

The following advice is specifically tailored to steps which can be taken to combat the risk of attacks coming from large, dynamic networks of compromised devices.

Further guidance for all organizations facing cyber security threats is available on the NCSC website.

This guidance should be considered alongside all applicable laws and regulations of the UK and co-sealing countries relating to the security of networks and data. It will be each organization’s responsibility to ensure compliance with any such laws and regulations. Organizations should note that following the recommended actions set out below will not remove all risks.

All organizations

The NCSC recommends the following steps for all affected organizations to either take themselves, or ask their managed service and/or security providers to investigate for them:

- Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connecting to them.
- Baseline normal connections, especially to corporate virtual private networks (VPNs) or other similar services. Would you expect connections from consumer broadband ranges?
- Leverage available dynamic threat feeds which include covert network infrastructure.
- Implement multifactor authentication for remote connections.

Smaller organizations should consider creating and actioning a free NCSC Cyber Action Toolkit.

Larger or more at-risk organizations

Some more comprehensive measures may be appropriate if the risk to an organization is high enough, to be conducted either in-house or through a security provider:

- Apply IP address allow lists rather than deny lists for connections to corporate VPNs for remote workers.
- Use geographic allow lists or profile incoming connections based on operating system, time zones, and/or organization specific system configuration settings.
- Implement zero trust policies for connections.
- Enforce machine certificates for Secure Sockets Layer (SSL) connections.
- Reduce the internet-facing presence of the IT estate.
- Investigate machine learning techniques to profile normal network edge activity to detect and block anomalies.

The NCSC's Cyber Essentials can help protect organizations of all sizes.

Largest or most at-risk organizations

- If Advanced Persistent Threat (APT) tracking is part of an organization’s in-house capability, or if it is part of the service provided by a security vendor, consider tracking China-nexus covert networks as APTs in their own right.
- Active hunting – look for connections from IP addresses likely to be part of a covert network of compromised devices, for instance those hosting SOHO routers or IoT devices.
- Track and map covert networks reported by industry or government by looking at banners and certificates.
- Use threat reporting and threat feeds to create and implement dynamic blocklists and create alert rules to detect incoming threats.
- Consider using NetFlow feeds to look upstream and map covert networks to find new nodes.

The NCSC Cyber Assessment Framework provides guidance for organizations under the highest levels of threat, including those operating essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government.

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic | ID | Technique | Procedure
Resource Development | T1584.005 | Compromise Infrastructure: Botnet | Botnets are used as core components of covert networks
Resource Development | T1584.008 | Compromise Infrastructure: Network Devices | Devices are compromised and added to botnets
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Virtual private servers (VPS) are used in covert networks, typically as on-ramps
Command and Control | T1090.003 | Proxy: Multi-hop Proxy | Used by China-nexus cyber actors to route traffic

Appendix: Cyber Security Best Practices

In addition to the protective advice outlined in this advisory, a number of cyber security best practices will also be useful in defending against the activity described in this advisory.

- Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security updates promptly, use antivirus and scan regularly to guard against known malware threats. See NCSC Guidance: https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/antivirus-and-other-security-software
- Prevent and detect lateral movement in your organization’s networks. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
- Implement architectural controls for network segregation. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-network-security
- Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes and https://www.ncsc.gov.uk/information/logging-made-easy
- Use modern systems and software. These have better security built-in. If you cannot move off out-of-date platforms and applications straight away, there are short term steps you can take to improve your position. See NCSC Guidance: https://www.ncsc.gov.uk/collection/mobile-device-guidance/managing-the-risks-from-obsolete-products
- Restrict intruders' ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points such as third-party systems with onward access to your core network. During an incident, disable remote access from third-party systems until you are sure they are clean. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement and https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security.
- Deploy a host-based intrusion detection system. A variety of products are available, free and paid-for, to suit different needs and budgets. Further information:
- Invest in preventing malware-based attacks across various scenarios. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Disclaimer

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by co-sealers. UK readers should refer to the NCSC website for information about NCSC assured services.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.

Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk.

All material is UK Crown Copyright ©
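The baselining, allow-list and dynamic threat feed advice in the Protective Advice section above, combined into one triage pass over VPN logins. This is an added example, not code from the NCSC or its partners; the log format, users, addresses (documentation ranges), feed entries and the 7-day feed expiry are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data: RFC 5737 documentation ranges, hypothetical users.
NOW = datetime(2026, 4, 23, tzinfo=timezone.utc)
ALLOW_LIST = [ip_network("198.51.100.0/24")]      # assumed corporate egress range
FEED_TTL = timedelta(days=7)                      # assumed expiry for feed entries
FEED = [                                          # (network, last time feed reported it)
    ("192.0.2.55/32", NOW - timedelta(days=1)),
    ("192.0.2.77/32", NOW - timedelta(days=30)),  # stale: node likely patched or retired
]
HISTORY = [                                       # baseline period
    "2026-04-01T08:01:12Z user=alice src=203.0.113.10 result=success",
    "2026-04-02T08:03:40Z user=alice src=203.0.113.10 result=success",
    "2026-04-02T09:15:00Z user=bob src=198.51.100.7 result=success",
    "2026-04-03T02:11:09Z user=bob src=192.0.2.200 result=failure",
]
NEW = [                                           # logins to triage
    "2026-04-22T08:00:00Z user=alice src=203.0.113.25 result=success",
    "2026-04-22T09:00:00Z user=bob src=198.51.100.7 result=success",
    "2026-04-22T03:12:00Z user=alice src=192.0.2.55 result=success",
    "2026-04-22T03:40:00Z user=bob src=192.0.2.77 result=success",
    "corrupted line without fields",
]

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\w+)$")


def parse(line):
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, result = m.groups()
    try:
        return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                "user": user, "src": ip_address(src), "result": result}
    except ValueError:
        return None


def covering_net(addr):
    """Coarsen an address to /24 (IPv4) or /48 (IPv6) so DHCP churn stays in baseline."""
    return ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False)


def build_baseline(lines):
    """Per-user set of networks seen in successful logins only."""
    baseline = {}
    for event in filter(None, map(parse, lines)):
        if event["result"] == "success":
            baseline.setdefault(event["user"], set()).add(covering_net(event["src"]))
    return baseline


def active_feed(feed, now, ttl=FEED_TTL):
    """Drop feed entries not re-reported within ttl: covert network nodes churn."""
    return [ip_network(net) for net, last_seen in feed if now - last_seen <= ttl]


def in_any(addr, nets):
    return any(addr.version == n.version and addr in n for n in nets)


def classify(event, baseline, feed_nets, allow_list, strict=False):
    """Return block / allow / deny / review for one login event."""
    src = event["src"]
    if in_any(src, feed_nets):
        return "block"                 # currently reported covert network node
    if in_any(src, allow_list):
        return "allow"
    if strict:
        return "deny"                  # allow-list-only posture for higher-risk orgs
    if covering_net(src) in baseline.get(event["user"], set()):
        return "allow"                 # matches this user's own history
    return "review"                    # new source network: alert or step-up check


def triage(history, new, feed, allow_list, now, strict=False):
    baseline = build_baseline(history)
    feed_nets = active_feed(feed, now)
    return [(e["user"], str(e["src"]), classify(e, baseline, feed_nets, allow_list, strict))
            for e in filter(None, map(parse, new))]


if __name__ == "__main__":
    for row in triage(HISTORY, NEW, FEED, ALLOW_LIST, NOW):
        print(row)
```

The stale feed entry is deliberately not blocked but still lands in "review", which is the point of pairing an expiring feed with a baseline rather than relying on a static block list.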

0
SpiceJet Online Booking System

Summary
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information.

The following versions of SpiceJet Online Booking System are affected:
- Online Booking System vers:all/* (CVE-2026-6375, CVE-2026-6376)

CVSS | Vendor | Equipment | Vulnerabilities
v3 7.5 | SpiceJet | SpiceJet Online Booking System | Authorization Bypass Through User-Controlled Key, Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: India

Vulnerabilities

CVE-2026-6375
A vulnerability in SpiceJet's booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

Affected Products
SpiceJet Online Booking System
Vendor: SpiceJet
Product Version: SpiceJet Online Booking System: vers:all/*
Product Status: known_affected

Remediations
Mitigation
SpiceJet did not respond to CISA's requests to coordinate. Users are encouraged to reach out to SpiceJet for more information: https://corporate.spicejet.com/contactus.aspx

Relevant CWE: CWE-639 Authorization Bypass Through User-Controlled Key

Metrics
CVSS Version | Base Score | Base Severity | Vector String
3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2026-6376
A weakness in SpiceJet's public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.

Affected Products
SpiceJet Online Booking System
Vendor: SpiceJet
Product Version: SpiceJet Online Booking System: vers:all/*
Product Status: known_affected

Remediations
Mitigation
SpiceJet did not respond to CISA's requests to coordinate. Users are encouraged to reach out to SpiceJet for more information: https://corporate.spicejet.com/contactus.aspx

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics
CVSS Version | Base Score | Base Severity | Vector String
3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Acknowledgments
Owais Shaikh reported these vulnerabilities to CISA

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-23
Date | Revision | Summary
2026-04-23 | 1 | Initial Publication

0
Yadea T5 Electric Bicycle

Summary
Successful exploitation of this vulnerability could result in an attacker being able to unlock and start the bicycle, leading to vehicle theft.

The following versions of Yadea T5 Electric Bicycle are affected:
- T5 Electric Bicycle vers:all/* (CVE-2025-70994)

CVSS | Vendor | Equipment | Vulnerabilities
v3 7.3 | Yadea | Yadea T5 Electric Bicycle | Weak Authentication

Background
- Critical Infrastructure Sectors: Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China

Vulnerabilities

CVE-2025-70994
Yadea T5 Electric Bicycles have a weak authentication mechanism which is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmissions.

Affected Products
Yadea T5 Electric Bicycle
Vendor: Yadea
Product Version: Yadea T5 Electric Bicycle: vers:all/*
Product Status: known_affected

Remediations
Mitigation
Yadea did not respond to CISA's attempts at coordination. Users of Yadea T5 Electric Bicycles are encouraged to keep their systems up to date and lock their property securely with external mechanisms. Users can contact Yadea at https://yadea.com/contact-us.

Relevant CWE: CWE-1390 Weak Authentication

Metrics
CVSS Version | Base Score | Base Severity | Vector String
3.1 | 7.3 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Acknowledgments
Ashen Chathuranga reported this vulnerability to MITRE and CISA

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-04-23
Date | Revision | Summary
2026-04-23 | 1 | Initial Publication

0
Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera

Summary
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and have remote access to sensitive information on the device.

The following versions of Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera are affected:
- IP Camera XM530V200_X6-WEQ_8M firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06 (CVE-2025-65856)

CVSS | Vendor | Equipment | Vulnerabilities
v3 9.8 | Hangzhou Xiongmai Technology Co., Ltd | Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera | Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China

Vulnerabilities

CVE-2025-65856
Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.

Affected Products
Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera
Vendor: Hangzhou Xiongmai Technology Co., Ltd
Product Version: Hangzhou Xiongmai Technology Co., Ltd IP Camera XM530V200_X6-WEQ_8M firmware: V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06
Product Status: known_affected

Remediations
Mitigation
Hangzhou Xiongmai Technology Co., Ltd has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of XM530 IP cameras are invited to contact Xiongmai Technology customer support for additional information (https://www.xiongmaitech.com/en/index.php/about/contact/42).

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics
CVSS Version | Base Score | Base Severity | Vector String
3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
CISA discovered a public Proof of Concept (PoC) as authored by Luis Miranda Acebedo and reported it to MITRE

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-23
Date | Revision | Summary
2026-04-23 | 1 | Initial Publication

0
Intrado 911 Emergency Gateway (EGW)

Summary: Successful exploitation of this vulnerability could allow an attacker to read, modify, or delete files.

The following versions of Intrado 911 Emergency Gateway (EGW) are affected:
Emergency Gateway 7.x (CVE-2026-6074)
Emergency Gateway 6.x (CVE-2026-6074)
Emergency Gateway 5.x (CVE-2026-6074)

CVSS: v3 9.8
Vendor: Intrado
Equipment: Intrado 911 Emergency Gateway (EGW)
Vulnerabilities: Path Traversal: '.../...//'

Background
Critical Infrastructure Sectors: Emergency Services
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-6074: A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful exploitation of this vulnerability could allow a user to read, modify, or delete files.

Affected Products: Intrado 911 Emergency Gateway (EGW)
Vendor: Intrado
Product Version: Intrado Emergency Gateway: 7.x, Intrado Emergency Gateway: 6.x, Intrado Emergency Gateway: 5.x
Product Status: known_affected

Remediations
Mitigation: Intrado developed and released a software update on March 2nd, 2026, that addresses this issue and has contacted customers to coordinate applying the patch.
Mitigation: If you have questions, contact Intrado E911 Support: E911Support@intrado.com

Relevant CWE: CWE-35 Path Traversal: '.../...//'

Metrics
CVSS Version: 3.1
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments: An anonymous source reported this vulnerability to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-23
2026-04-23, Revision 1: Initial Publication

0
Phishing, deepfakes, supply chain attacks to fuel 2026's biggest crypto hacks: CertiK

CertiK has urged crypto users not to overlook basic security practices as major crypto hacks spiked in April.

0
DPRK Fake Job Scams Self-Propagate in 'Contagious Interview'

A compromised developer's repository serves as a worm-like infection vector to spread remote access Trojans (RATs) and other malware.

0
Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process

Fraud operations now operate like call centers, complete with hiring, training, and performance tracking. Flare reveals how cybercriminals manage "Caller-as-a-Service" operations like a professional sales team. [...]

0
North Korea tied to heists worth $578M in April after Kelp DAO exploit

DPRK-linked crypto theft topped $578M in April after the Kelp DAO exploit, as attacks continue to expand across protocols, companies and end users.

0
‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty

A 24-year-old British national and senior member of the cybercrime group "Scattered Spider" has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.

0
Stopping Fraud at Each Stage of the Customer Journey Without Adding Friction

Fraud prevention and user experience don't have to be a tradeoff. IPQS shows how combining identity, device, and network signals stops fraud without adding friction. [...]

0
Silex Technology SD-330AC and AMC Manager

Summary: Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service, or configuration information may be altered without authentication.

The following versions of Silex Technology SD-330AC and AMC Manager are affected:
SD-330AC <=1.42 (CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, CVE-2026-32958, CVE-2015-5621, CVE-2026-32959, CVE-2026-32960, CVE-2026-32961, CVE-2026-32962, CVE-2024-24487, CVE-2026-32963, CVE-2026-32964, CVE-2026-32965)
AMC Manager <=5.0.2 (CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, CVE-2026-32958, CVE-2015-5621, CVE-2026-32959, CVE-2026-32960, CVE-2026-32961, CVE-2026-32962, CVE-2024-24487, CVE-2026-32963, CVE-2026-32964, CVE-2026-32965)

CVSS: v3 9.8
Vendor: Silex Technology
Equipment: Silex Technology SD-330AC and AMC Manager
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Missing Authentication for Critical Function, Use of Hard-coded Cryptographic Key, Dependency on Vulnerable Third-Party Component, Use of a Broken or Risky Cryptographic Algorithm, Sensitive Information in Resource Not Removed Before Reuse, Incorrect Privilege Assignment, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of CRLF Sequences ('CRLF Injection'), Initialization of a Resource with an Insecure Default

Background
Critical Infrastructure Sectors: Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan

Affected products and remediations (listed identically for every CVE below)

Affected Products: Silex Technology SD-330AC and AMC Manager
Vendor: Silex Technology
Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2
Product Status: known_affected
Vendor fix: The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later
Vendor fix: AMC Manager Ver.5.1.0 or later
Mitigation: For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001).
Mitigation: For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/).

Mitigations listed for specific CVEs

CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963: Disable HTTP/HTTPS service.
CVE-2026-32958 and CVE-2026-32965: Set a password for the settings web interface.
CVE-2015-5621: Disable SNMP service.

Vulnerabilities

CVE-2026-32955: A Stack-based Buffer Overflow vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to execute arbitrary code on the device.
Relevant CWE: CWE-121 Stack-based Buffer Overflow
CVSS 3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2026-32956: A Heap-based Buffer Overflow vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to execute arbitrary code on the device.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
CVSS 3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-32957: A Missing Authentication for Critical Function vulnerability in Silex Technology SD-330AC and AMC Manager could allow uploads of arbitrary files to the device without authentication.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS 3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2026-32958: A Use of Hard-coded Cryptographic Key vulnerability in Silex Technology SD-330AC and AMC Manager could cause an administrative user to be directed to apply a fake firmware update.
Relevant CWE: CWE-321 Use of Hard-coded Cryptographic Key
CVSS 3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE-2015-5621: The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash).
Relevant CWE: CWE-1395 Dependency on Vulnerable Third-Party Component
CVSS 3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-32959: A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to retrieve information via a man-in-the-middle attack.
Relevant CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CVSS 3.1: 5.9 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2026-32960: A Sensitive Information in Resource Not Removed Before Reuse vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to send specially crafted packets that may allow the attacker to login to the device.
Relevant CWE: CWE-226 Sensitive Information in Resource Not Removed Before Reuse
CVSS 3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE-2026-32961: A Heap-based Buffer Overflow vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to send specially crafted packets that may cause a temporary denial-of-service (DoS) condition.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
CVSS 3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2026-32962: A Missing Authentication for Critical Function vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to alter the device configuration without authentication.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS 3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2024-24487: An issue discovered in Silex Technology DS-600 Firmware v.1.4.1 allows a remote attacker to cause a denial of service via crafted UDP packets using the EXEC REBOOT SYSTEM command.
Relevant CWE: CWE-266 Incorrect Privilege Assignment
CVSS 3.1: 6.8 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H

CVE-2026-32963: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to trick a user into accessing a special web page and execute arbitrary script on the user's browser.
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2026-32964: An Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to inject arbitrary entries into the system configuration.
Relevant CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSS 3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CVE-2026-32965: An Initialization of a Resource with an Insecure Default vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker using the factory default configuration to configure the device using the null string password.
Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default
CVSS 3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Acknowledgments: Francesco La Spina of Forescout Technologies reported these vulnerabilities to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-21
2026-04-21, Revision 1: Initial Publication

0
SenseLive X3050

Summary
Successful exploitation of these vulnerabilities could allow an attacker to take complete control of the device.

The following versions of SenseLive X3050 are affected: X3050 V1.523 (CVE-2026-40630, CVE-2026-25720, CVE-2026-35503, CVE-2026-39462, CVE-2026-27843, CVE-2026-40431, CVE-2026-40623, CVE-2026-27841, CVE-2026-40620, CVE-2026-35064, CVE-2026-25775)

CVSS v3: 9.8
Vendor: SenseLive
Equipment: SenseLive X3050
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Insufficient Session Expiration, Use of Hard-coded Credentials, Insufficiently Protected Credentials, Missing Authentication for Critical Function, Cleartext Transmission of Sensitive Information, Missing Authorization, Cross-Site Request Forgery (CSRF)

Background
Critical Infrastructure Sectors: Critical Manufacturing, Water and Wastewater, Energy, Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: India

Vulnerabilities
Each CVE below carries the same product and remediation entries. Affected product: SenseLive X3050 (vendor: SenseLive), product version SenseLive X3050: V1.523, product status known_affected. Mitigation: SenseLive did not respond to CISA's requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information (https://senselive.io/contact).

CVE-2026-40630
A vulnerability in the X3050's web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact with sensitive configuration functions.
Relevant CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
CVSS 3.1: base score 9.8, CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-25720
A vulnerability exists in the X3050's web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.
Relevant CWE: CWE-613 Insufficient Session Expiration
CVSS 3.1: base score 5.4, MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2026-35503
A vulnerability in the X3050's web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality.
Relevant CWE: CWE-798 Use of Hard-coded Credentials
CVSS 3.1: base score 9.8, CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-39462
A vulnerability exists in the X3050's web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device undergoes a factory restore using the SenseLive Config 2.0 tool, the interface may indicate that the password update was successful; however, the system may continue to accept the previous or default credentials, demonstrating that the password-change process is not consistently enforced. Even after a factory reset, attempted password changes may fail to propagate correctly.
Relevant CWE: CWE-522 Insufficiently Protected Credentials
CVSS 3.1: base score 8.1, HIGH, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-27843
A vulnerability exists in the X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can induce a persistent lockout state. Because the device lacks a physical reset button, recovery requires specialized technical access via the console to perform a factory reset, resulting in a total denial-of-service for the gateway and its connected RS-485 downstream systems.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS 3.1: base score 9.1, CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2026-40431
A vulnerability exists in the X3050's web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same network segment could intercept or observe sensitive operational information.
Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information
CVSS 3.1: base score 5.3, MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2026-40623
A vulnerability in the X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchdog timers, reconnect intervals, and service ports can be set to unsupported or unsafe values. These configuration changes directly affect core device behaviour and recovery mechanisms. The lack of proper validation and safeguards allows critical system functions to be altered in a manner that can destabilize device operation or render the device persistently unavailable.
Relevant CWE: CWE-862 Missing Authorization
CVSS 3.1: base score 8.1, HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2026-27841
A vulnerability in the X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious external webpage could cause a user's browser to submit unauthorized configuration requests to the device.
Relevant CWE: CWE-352 Cross-Site Request Forgery (CSRF)
CVSS 3.1: base score 8.1, HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVE-2026-40620
A vulnerability in the X3050's embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS 3.1: base score 9.8, CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-35064
A vulnerability in the X3050's management ecosystem allows unauthenticated discovery of deployed units through the vendor's management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials. Because discovery functions are exposed by the underlying service rather than gated by authentication, an attacker on the same network segment can rapidly enumerate targeted devices.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS 3.1: base score 7.5, HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2026-25775
A vulnerability in X3050's remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS 3.1: base score 9.8, CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
Jithin Nambiar J reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-21
2026-04-21, Revision 1: Initial Publication

0
Vercel Employee's AI Tool Access Led to Data Breach

Stolen OAuth tokens, which are at the root of these breaches, "are the new attack surface, the new lateral movement," a researcher notes.

0
Deezer says 44% of songs uploaded to its platform daily are AI-generated

Deezer says consumption of AI-generated music on the platform is still very low, between 1-3% of the total streams, and that 85% of these streams are detected as fraudulent and are demonetized.

5
App host Vercel says it was hacked and customer data stolen

Vercel blamed its breach on an earlier hack at Context AI, which allowed hackers to hijack a Vercel employee's account to steal customer data.

0
British Scattered Spider hacker pleads guilty to crypto theft charges

A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft. [...]

0
Supply Chain Compromise Impacts Axios Node Package Manager

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm). [1] Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.

On March 31, 2026, two npm packages for versions axios@1.14.1 and axios@0.30.4 of Axios npm injected the malicious dependency plain-crypto-js@4.2.1 that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan. [2]

CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:

Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran npm install or npm update with the compromised Axios version.
Search for cached versions of affected dependencies in artifact repositories and dependency management tools.
Pin npm package dependency versions to known safe releases.
If compromised dependencies are identified, revert the environment to a known safe state.
Downgrade to axios@1.14.0 or axios@0.30.3 and delete node_modules/plain-crypto-js/.
Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.
Monitor for unexpected child processes and anomalous network behavior, specifically during npm install or npm update.
Block and monitor outbound connections to Sfrclak[.]com domains.
Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no indicators of compromise (IOCs) remain; ensure no further egress to the command and control (C2).

In addition, CISA recommends organizations using Axios npm:

Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.
Set ignore-scripts=true in the .npmrc configuration file, which prevents potentially malicious scripts from executing during npm install.
Set min-release-age=7 in the .npmrc configuration file to only install packages that have been published for at least seven days, which helps avoid installation of packages that may not be completely vetted or are potentially malicious.
Establish and maintain a baseline of normal execution behavior for tools that use Axios.
Alert when a dependency behaves differently (e.g., building containers, enabling shells, executing commands) and trace outbound network activity for anomalous connections.

See the following resources for additional guidance on this compromise:

GitHub: Post Mortem: axios npm supply chain compromise #10636
Microsoft: Mitigating the Axios npm supply chain compromise
StepSecurity: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
npm Docs: Securing your code
Socket: Supply Chain Attack on Axios Pulls Malicious Dependency from npm

Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes
[1] “Post Mortem: axios npm supply chain compromise,” axios GitHub, Issue #10636, March 31, 2026, https://github.com/axios/axios/issues/10636.
[2] “Mitigating the Axios npm supply chain compromise,” Microsoft Threat Intelligence and Microsoft Defender Security Research Team, April 1, 2026, https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/.
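
The lockfile search and the .npmrc settings recommended in the alert above can be checked mechanically. The following is an added example, not part of the CISA alert or of any vendor tooling: it scans a parsed package-lock.json for the versions the alert names and reports which of the two recommended .npmrc settings are absent. The sample lockfile, the package name legacy-sdk and the choice to accept a min-release-age larger than 7 are assumptions made for illustration.

```javascript
// Added example. Inputs are already-loaded values: pass JSON.parse() of a
// package-lock.json and the text of an .npmrc. Sample data below is constructed.

// Package versions the alert names as compromised or malicious.
const BAD_VERSIONS = new Map([
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["4.2.1"]],
]);

// .npmrc settings the alert recommends. Accepting a min-release-age above 7
// is an assumption of this example; the alert itself only states the value 7.
const NPMRC_CHECKS = [
  ["ignore-scripts", (v) => v === "true", "ignore-scripts=true"],
  ["min-release-age", (v) => Number(v) >= 7, "min-release-age=7"],
];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? "" : path.slice(i + marker.length);
}

function record(name, version, where, findings) {
  const bad = BAD_VERSIONS.get(name);
  if (bad && bad.includes(version)) findings.push({ name, version, where });
}

// Returns [{ name, version, where }] for every locked copy of a named version,
// including copies nested under other packages.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      record(meta.name || nameFromPath(path), meta.version, path, findings);
    }
    return findings;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail + "node_modules/" + name;
      record(name, meta.version, where, findings);
      walk(meta.dependencies, where + "/");
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Returns the recommended settings that are missing or set to another value.
function auditNpmrc(text) {
  const seen = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    seen.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return NPMRC_CHECKS.filter(([key, ok]) => !ok(seen.get(key))).map((c) => c[2]);
}

// Constructed sample inputs (legacy-sdk is a hypothetical package).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.3" },
  },
};
const SAMPLE_NPMRC = [
  "# constructed sample",
  "registry=https://registry.npmjs.org/",
  "ignore-scripts=false",
].join("\n");

console.log(scanLockfile(SAMPLE_LOCK));
console.log(auditNpmrc(SAMPLE_NPMRC));
```

A clean lockfile does not clear a machine that ran npm install while the affected versions were current; the credential rotation and EDR hunts listed in the alert still apply.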

0
Vercel confirms breach as hackers claim to be selling stolen data

Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data. [...]

0
Apple account change alerts abused to send phishing emails

Apple account change notifications are being abused to send fake iPhone purchase phishing scams within legitimate emails sent from Apple's servers, increasing legitimacy and potentially allowing them to bypass spam filters. [...]

0
SEC charges Donald Basile in $16M crypto fraud tied to ‘insured’ token

The SEC has sued crypto executive Donald Basile over an alleged $16 million scheme involving false claims about an “insured” Bitcoin Latinum token.

0
Man who hacked US Supreme Court filing system sentenced to probation

Nicholas Moore hacked into three U.S. government networks using stolen credentials, and then bragged about it and posted victims' personal data on Instagram under the handle @ihackedthegovernment.

0
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing

In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.

0
Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops

In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. [...]

0
Webinar: From phishing to fallout — Why MSPs must rethink both security and recovery

Cyberattacks are evolving faster than many MSP and corporate defenses can keep up, with phishing driving much of today's cybercrime. Join our upcoming webinar to learn how to combine security and recovery strategies to reduce risk and maintain business continuity. [...]

0
Delta Electronics ASDA-Soft

Summary
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

The following versions of Delta Electronics ASDA-Soft are affected: ASDA-Soft <=V7.2.2.0

CVSS v3: 7.8
Vendor: Delta Electronics
Equipment: Delta Electronics ASDA-Soft
Vulnerabilities: Stack-based Buffer Overflow

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Taiwan

Vulnerabilities

CVE-2026-5726
A stack-based buffer overflow vulnerability is triggered in ASDA-Soft version 7.2.0.0 during the parsing of malformed .par files.

Affected products: Delta Electronics ASDA-Soft
Vendor: Delta Electronics
Product version: Delta Electronics ASDA-Soft: <=V7.2.2.0
Product status: known_affected

Remediations
Vendor fix: Delta Electronics recommends users download and upgrade ASDA-Soft to v7.2.6.0 or later. If you have any product-related support concerns, contact Delta via the portal page at https://www.deltaww.com/en-US/service-support/contact-us?type=1 for any information or materials you may require.
Mitigation: Delta Electronics provides the following general recommendations: Do not click on untrusted internet links or open unsolicited attachments in emails. Avoid exposing control systems and equipment to the Internet. Place control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use a secure access method, such as a virtual private network (VPN).
Mitigation: For more information, see Delta Electronics advisory Delta-PCSA-2026-00007 at https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00007_ASDA-Soft%20Stack-based%20Buffer%20Overflow%20Vulnerability%20(CVE-2026-5726).pdf

Relevant CWE: CWE-121 Stack-based Buffer Overflow
CVSS 3.1: base score 7.8, HIGH, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgments
Feng Xiong of TrendAI Zero Day Initiative reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-04-16
2026-04-16, Revision 1: Initial Publication

0
Crypto users targeted in ‘elaborate’ scam using popular notes app

Elastic Security Labs says a multi-step social engineering scam is aimed at those in crypto and finance, using a community plugin feature on a note-taking app to spread malicious device-controlling software.

0
Microsoft adds Windows protections for malicious Remote Desktop files

Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (.rdp) files, adding warnings and disabling risky shared resources by default. [...]

0
Over 100 Chrome Web Store extensions steal user accounts, data

More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. [...]

0
How the rewards app Freecash scammed its way to the top of the app stores

Freecash was removed from Apple's App Store after TechCrunch reached out for comment.

0
Fake Ledger Live app on Apple App Store drained $9.5M from victims: ZachXBT

A Fake Ledger Live app on Apple’s store is tied to $9.5 million in crypto thefts, as ZachXBT links over 50 victims’ funds to a KuCoin-linked mixer and questions Apple’s liability.

0
5 Ways Zero Trust Maximizes Identity Security

Stolen credentials remain a top breach vector, often leading to unchecked privilege escalation. Specops explains how identity-first Zero Trust limits access, enforces device trust, and blocks lateral movement. [...]

0
Stolen Rockstar Games analytics data leaked by extortion gang

Rockstar Games has suffered a data breach linked to a recent security incident at Anodot, with the ShinyHunters extortion gang now leaking the stolen data on its data leak site. [...]

0
FBI takedown of W3LL phishing service leads to developer arrest

The FBI Atlanta Field Office and Indonesian authorities have dismantled the "W3LL" global phishing platform, seizing infrastructure and arresting the alleged developer in what is described as the first coordinated enforcement action between the United States and Indonesia targeting a phishing kit developer. [...]

0
US President Trump faces renewed backlash as Trump-linked tokens crash

Democratic lawmakers and crypto investors characterized crypto projects launched by or tied to Trump as scams and political corruption.

0
Over 20,000 crypto fraud victims identified in international crackdown

An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States. [...]

0
FINRA Launches Financial Intelligence Fusion Center to Combat Cybersecurity and Fraud Threats
0
New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan. [...]

0
New VENOM phishing attacks steal senior executives' Microsoft logins

Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]

0
Google Chrome adds infostealer protection against session cookie theft

Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies. [...]

0
When attackers already have the keys, MFA is just another door to open

Stolen credentials turn authentication systems into the attack surface. Token shows how wearable biometric authentication verifies the user—not the session—blocking phishing relays and MFA bypass. [...]

0
Contemporary Controls BASC 20T

Summary
Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls.

The following versions of Contemporary Controls BASC 20T are affected:
- BASControl20 3.1 (CVE-2025-13926)

CVSS: v3 9.8
Vendor: Contemporary Controls Sedona Alliance
Equipment: Contemporary Controls BASC 20T
Vulnerabilities: Reliance on Untrusted Inputs in a Security Decision

Background
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities
CVE-2025-13926
An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.

Affected Products
Contemporary Controls BASC 20T
- Vendor: Contemporary Controls Sedona Alliance
- Product Version: Contemporary Controls Sedona Alliance BASControl20: 3.1
- Product Status: known_affected

Remediations
- Mitigation: According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product contact Contemporary Controls for additional information. https://www.ccontrols.com/support/contacttech.htm

Relevant CWE: CWE-807 Reliance on Untrusted Inputs in a Security Decision

Metrics
- CVSS Version: 3.1
- Base Score: 9.8
- Base Severity: CRITICAL
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
Joseph Fields of Naval Information Warfare Center Pacific reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-09
- Date: 2026-04-09; Revision: 1; Summary: Initial Publication

0
GPL Odorizers GPL750

Summary
Successful exploitation of this vulnerability could allow a low privileged remote attacker to manipulate register values, which would result in too much or too little odorant being injected into a gas line.

The following versions of GPL Odorizers GPL750 are affected:
- GPL750 (XL4) >=v1.0|
- GPL750 (XL4 Prime) >=v4.0|
- GPL750 (XL7) >=v13.0|
- GPL750 (XL7 Prime) >=v18.4|

CVSS: v3 8.6
Vendor: GPL Odorizers
Equipment: GPL Odorizers GPL750
Vulnerabilities: Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities
CVE-2026-4436
A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.

Affected Products
GPL Odorizers GPL750
- Vendor: GPL Odorizers
- Product Version: GPL Odorizers GPL750 (XL4): >=v1.0|<v6.0, GPL Odorizers GPL750 (XL4 Prime): >=v4.0|<v6.0, GPL Odorizers GPL750 (XL7): >=v13.0|<v20.0, GPL Odorizers GPL750 (XL7 Prime): >=v18.4|<v20.0
- Product Status: known_affected

Remediations
- Mitigation: GPL Odorizers recommends users update to the latest software version of the GPL750 in connection with the latest firmware from Horner Automation for the XL4, XL4 Prime, XL7, and XL7 Prime devices. https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm
- Mitigation: GPL Odorizers recommends users clear the old files from their microSD cards, keeping only the LOGS folder and the FIRMWARE.LIC file if they have a WebMI license. The compressed folder downloaded from the link above can then be extracted to the root directory of the microSD card. These files already include the corresponding firmware update. If users do not have IT permissions to access their microSD cards, GPL Odorizers can provide preconfigured SD cards that technicians can simply swap into their odorizers prior to installation.
- Mitigation: For assistance in updating GPL Odorizers to the latest version, users should reach out to GPL Odorizers directly via phone number (303) 697-6701 during the hours of 8:00 a.m. to 4:00 p.m. MST.
- Mitigation: Horner Automation offers firmware version 15.76 for their XL Series and version 17.30 for their XL Prime Series controllers (https://hornerautomation.com/controller-firmware/). An installation guide is available for both the XL series and the XL Prime series.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics
- CVSS Version: 3.1
- Base Score: 8.6
- Base Severity: HIGH
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Acknowledgments
An anonymous researcher reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-09
- Date: 2026-04-09; Revision: 1; Summary: Initial Publication

0
Fraud Rockets Higher in Mobile-First Latin America

Cyber-fraudsters move quickly from compromised devices to account takeover to funds transfer, shifting money before many financial institutions can react.

0
Inside Operation Atlantic’s push to disrupt crypto scams in real time

Operation Atlantic is a cross-border law enforcement effort to detect and disrupt crypto scams in real time, targeting approval phishing before funds are fully drained.

0
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Advisory at a Glance

Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Original Publication: April 7, 2026

Executive Summary
Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.

U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.

Affected Products
- Rockwell Automation/Allen-Bradley manufactured PLCs
- Potentially other branded PLCs

Key Actions
- Remove PLCs from direct internet exposure via secure gateway and firewall.
- Query available logs for the provided IOCs in the corresponding time frames.
- Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.
- For Rockwell Automation devices, place the physical mode switch on the controller into run position.
- Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.

Indicators of Compromise
For a downloadable copy of IOCs, see: AA26-097A STIX XML (35KB), AA26-097A STIX JSON (12 KB)

Intended Audience
- Organizations: Critical Infrastructure Sectors: Government Services and Facilities, Water and Wastewater Systems (WWS), and Energy
- Roles: Defensive cybersecurity analysts, OT cybersecurity engineers, cybersecurity architects, secure systems developer

Introduction
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF), hereafter referred to as the “authoring agencies,” are urgently warning U.S. organizations of ongoing cyber exploitation of internet-connected operational technology (OT) devices, including Rockwell Automation/Allen-Bradley-manufactured programmable logic controllers (PLCs), across multiple U.S. critical infrastructure sectors. As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files [1] and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. In a few cases, this activity has resulted in operational disruption and financial loss.

Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend U.S. organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section to reduce the risk of compromise.

The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States. The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors. The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group)—a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).

If owners and operators discover an affected internet-accessible device in their environment, additional technical measures may be necessary to evaluate the risk of compromise. Please contact the authoring agencies and applicable vendors through existing support channels available to customers and integrators (see Contact Information) to receive support, mitigation, and investigation assistance, and engage your cyber incident response plans.

In addition to contacting the authoring agencies, organizations with Rockwell Automation/Allen-Bradley-manufactured PLCs should review the manufacturer’s previously issued guidance to strengthen the security of their operational technology deployments: PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers, published in 2021, and SD1771 | Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats, published in 2026. Contact the Rockwell Automation Product Security Incident Response Team (PSIRT) at PSIRT@rockwellautomation.com for questions regarding this guidance, or to report cyber incidents related to Rockwell Automation products.

For more information on Iranian malicious cyber activity, see CISA’s Iran Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.
Download the PDF version of this report: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure (PDF, 816.90 KB)
For a downloadable copy of IOCs, see: AA26-097A.stix_.xml (XML, 35.97 KB), AA26-097A.stix_.json (JSON, 11.87 KB)

Background Information

Similar Historical Activity Targeting Programmable Logic Controllers
During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as “CyberAv3ngers” targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS. For more information on this group’s activity, see the authoring agencies’ Joint Cybersecurity Advisory IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities.

Ongoing Threat Actor Activity Against U.S.-Based Programmable Logic Controllers
The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations. Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.

Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs. These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.

Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See the MITRE ATT&CK Tactics and Techniques section of this advisory for tables of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access
The authoring agencies observed Iranian-affiliated APT actors using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs [T0883]. The actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC. Targeted devices include CompactLogix and Micro850 PLC devices.

Command and Control
Inbound malicious traffic may be directed to devices on any of the following ports: 44818, 2222, 102, 22, or 502. The targeting of ports [T0885] associated with other OT vendors’ protocols suggests these actors may also be targeting devices manufactured by companies other than Rockwell Automation/Allen-Bradley, including the Siemens S7 PLC. Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219].

Impact
The FBI identified that this activity resulted in the extraction of the device’s project file and data manipulation on HMI and SCADA displays [T1565].

Indicators of Compromise
See Table 1 for recent IP addresses used by the Iranian-affiliated APT actors to communicate with Rockwell Automation/Allen-Bradley-manufactured devices (and potentially other branded OT devices) in the United States.
Disclaimer: The FBI observed that the threat actors used the IP addresses listed below in the specified time frames. This data is being provided for customers to query against logs for indications of historical targeting by the Iranian-affiliated APT actors. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

Table 1. Indicators of Compromise
Indicator | Beginning of Actor Association | End of Actor Association
135.136.1[.]133 | March 2026 | March 2026
185.82.73[.]162 | January 2025 | March 2026
185.82.73[.]164 | January 2025 | March 2026
185.82.73[.]165 | January 2025 | March 2026
185.82.73[.]167 | January 2025 | March 2026
185.82.73[.]168 | January 2025 | March 2026
185.82.73[.]170 | January 2025 | March 2026
185.82.73[.]171 | January 2025 | March 2026

MITRE ATT&CK Tactics and Techniques
See Table 2 to Table 4 for all referenced threat actor tactics and techniques in this advisory. The authoring agencies recommend organizations review historical TTPs for similar Iranian-affiliated cyber actor activity in IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2. Initial Access
Technique Title | ID | Use
Internet Accessible Device | T0883 | The actors used Rockwell Automation’s programming software (such as Studio 5000 Logix Designer) to access and interact with publicly exposed, internet-accessible PLCs installed and deployed without sufficient network and/or hardening security controls.

Table 3. Impact
Technique Title | ID | Use
Stored Data Manipulation | T1565 | The actors maliciously interacted with project files and altered data displayed on HMI and SCADA displays.

Table 4. Command and Control
Technique Title | ID | Use
Commonly Used Port | T0885 | The actors used commonly used OT ports to communicate with PLCs.
Remote Access Tools | T1219 | The actors deployed Dropbear SSH software on victim endpoints to enable them to gain remote access through port 22.

Mitigations
The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.

Network Defenders
The cyber threat actors accessed Rockwell Automation/Allen-Bradley-manufactured PLCs to cause disruptions to victim systems. To safeguard against this threat and threats to other types of PLCs, the authoring agencies urge organizations to consider the following mitigations. In addition, organizations with these PLCs should view Rockwell Automation’s guidance: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats.

Immediate steps to prevent the attack:
- Disconnect the PLC from the public-facing internet [CPG 3.S].
- Follow the joint guidance Secure connectivity principles for OT to safely allow remote access. Specifically, “remove inbound port exposure,” so the OT system is never directly exposed to the internet or external networks, and to ensure all access is mediated, monitored, and controlled. Do this through a secure gateway (jump host) that brokers the connection.
- Ensure cellular modems, used for remote field connectivity and access, are secured with strong authentication and updated. Enable logs for the connected modems to detect intrusion and improve incident response speed.
- For controllers with a physical mode switch, place the physical mode switch into run position to prevent remote modification. Devices should only be in the program or remote position when updating or downloading software online and immediately switched back to the run position when complete. (See Rockwell’s [2] System Security Design Guidelines for manufacturer’s instructions.)
- For devices that allow for software key switching, enable programming protection in PLC configuration software (S7 Totally Integrated Automation [TIA] Portal) to limit who can modify PLCs remotely. (See Siemens’ Cybersecurity for Industry Operational Guidelines for the manufacturer’s instructions.)
- Create and test strong backups of the logic and configurations of PLCs. Store backup files offline and secure the physical removal media to enable fast recovery.

Follow-up steps to strengthen security posture:
- Implement multifactor authentication (MFA) [CPG 3.F] for access to the OT network from an external network.
- If remote access is required, implement a network proxy, gateway, firewall, and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable MFA for remote access even if the PLC does not support MFA. Implement security rules on these higher-level network security mechanisms that prevent the type of repeated and sustained login attempts that would be seen during a brute force attack.
- When possible, implement a device control list for workstations sending messages or connecting to OT components. Use the device control list to monitor for logon activity for unexpected or unusual access to devices from the internet.
- Keep PLC devices updated with the latest software patches by the manufacturer. Use established downtime windows to install patches. Known Exploited Vulnerabilities may need to be prioritized outside a downtime window.
- Configure external and internal firewalls to block traffic using common ports associated with network protocols that are unnecessary for the particular network segment.
- Disable any unused authentication methods, logic, or features, such as default authentication keys, as well as unused or unneeded services such as Teletype Network (Telnet), File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and web services.
- Monitor asset management systems for device configuration changes, which can be used to understand expected parameter settings.
- Monitor the content of network traffic for the following:
  - Unusual logins to internet-connected devices or unexpected protocols to/from the internet.
  - Functions of industrial control systems (ICS) management protocols that change an asset’s operating mode or modify programs.

In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, as well as reduce the impact and risk of compromise by cyber threat actors:
- Reduce risk exposure. CISA offers a range of services at no cost, including scanning and testing, to help organizations reduce exposure to threats via mitigating attack vectors. CISA’s Cyber Hygiene Services can help provide additional review of organizations’ internet accessible assets.

Device Manufacturers
Note: The following guidance is general in nature and not specific to any OT vendor. Some of the features, settings, and practices may already be offered by certain vendors. The inclusion of this guidance should not be interpreted as an assertion that vendors referenced in this product do not offer such security features.
Although critical infrastructure organizations using PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of their customers’ security outcomes by following the principles in the joint guide Secure by Demand: Priority Considerations for OT Owners and Operators when Selecting Digital Products, primarily:
- Change the manufacturers’ default settings to prevent exposing administrative interfaces to the internet.
- Do not charge additional fees for basic security features needed to operate the product securely.
- Support MFA, including via phishing-resistant methods.

By using secure by design tactics, software manufacturers can make product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.

For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.

Validate Security Controls
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:
- Select an ATT&CK technique described in this advisory (see Table 2 to Table 4).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources
- Authoring Agencies: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities
- CISA: Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers
- EPA: Cybersecurity for the Water Sector
- CISA: Water and Wastewater Systems Sector
- CISA Alert: Exploitation of Unitronics PLCs used in Water and Wastewater Systems
- CISA: Iran Threat Overview and Advisories
- FBI: The Iran Threat
- CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
- CISA: Decider Tool
- CISA: Cross-Sector Cybersecurity Performance Goals 2.0
- CISA: No-Cost Cybersecurity Services and Tools
- CISA: Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products
- NSA, CISA: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
- CISA: Secure by Design
- FBI: Primary Mitigations to Reduce Cyber Threats to Operational Technology
- United Kingdom National Cyber Security Center: Secure connectivity principles for operational technology (OT)

Contact Information
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA, FBI, and/or NSA:
- Contact CISA via CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
- For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.
- Entities required to report incidents to DOE should follow established reporting requirements, as appropriate. For other energy sector inquiries, contact EnergySRMA@hq.doe.gov.
- Contact the Rockwell Automation PSIRT for questions regarding their guidance or for reporting cyber incidents related to Rockwell Automation at PSIRT@rockwellautomation.com.

Disclaimer
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

Version History
April 7, 2026: Initial version.

Notes
[1] Project file refers to the software file that contains ladder logic and configuration settings. On Rockwell Automation devices, it is referred to as an .ACD file.
[2] See CompactLogix 5370 Controllers (Chapter 5: "Select the Operating Mode of the Controller") for more information on functions available for the switch.

0
Drift $280M crypto theft linked to 6-month in-person operation

The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." [...]

0
Traffic violation scams switch to QR codes in new phishing texts

Scammers are sending fake "Notice of Default" traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information. [...]

0
Hackers exploit React2Shell in automated credential theft campaign

Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]

0
Device code phishing attacks surge 37x as new kits spread online

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. [...]

0
Cambodian lawmakers propose severe prison time for crypto scammers

The draft bill, yet to be signed into law by the king, marked a significant policy change for Cambodia officials in addressing scam centers.

0
Hims & Hers warns of data breach after Zendesk support ticket breach

Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform. [...]

Die Linke German political party confirms data stolen by Qilin ransomware

The Qilin ransomware group has claimed responsibility for an attack against Die Linke ('The Left'), forcing an IT systems outage at the political party and threatening a sensitive data leak. [...]

Europe’s cyber agency blames hacking gangs for massive data breach and leak

CERT-EU blamed the cybercrime group TeamPCP for the recent hack on the European Commission, and said the notorious ShinyHunters gang was responsible for leaking the stolen data online.

Evolution of Ransomware: Multi-Extortion Ransomware Attacks

Multi-extortion ransomware relies on stolen data to pressure victims with public leaks. Penta Security explains how its D.AMO platform keeps exfiltrated files encrypted and useless to attackers. [...]

X mulls new rules for first-time crypto posts amid tortoise scam

An executive said the social media platform could lock accounts mentioning crypto for the first time and require verification after a scammer faked reports of a tortoise's death.

Adversaries Exploit Vacant Homes to Intercept Mail in Hybrid Cybercrime

Threat actors are exploiting vacant homes as "drop addresses" to intercept mail and enable fraud. Flare shows how postal services and fake identities are abused to turn mail into a fraud vector. [...]

Yokogawa CENTUM VP

Summary
Successful exploitation of this vulnerability could allow an attacker to log in as the PROG user and modify permissions.

The following versions of Yokogawa CENTUM VP are affected (CVE-2025-7741):
CENTUM VP: >=R5.01.00|<R5.04.20
CENTUM VP: >=R6.01.00|<R6.12.00
CENTUM VP: vR7.01.00
Product Status: known_affected

CVSS v3: 4
Vendor: Yokogawa
Equipment: Yokogawa CENTUM VP
Vulnerabilities: Use of Hard-coded Password

Background
Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan

Vulnerabilities
CVE-2025-7741: Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the following conditions, there is a risk that an attacker could log in as the PROG user. The default permission for the PROG users is S1 permission (equivalent to OFFUSER). Therefore, for properly permission-controlled targets of operation and monitoring, even if an attacker logs in as the PROG user, the risk of critical operations or configuration changes being performed is considered low. If the PROG user's permissions have been changed for any reason, there is a risk that operations or configuration changes may be performed under the modified permissions. Additionally, exploiting this vulnerability requires an attacker to already have access to the HIS screen controls.
Relevant CWE: CWE-259 Use of Hard-coded Password
CVSS Version: 3.1
Base Score: 4
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Remediations
Mitigation: Yokogawa recommends that users apply the following mitigations to affected versions:
Vendor fix: CENTUM VP R5.01.00 to R5.04.20: Change the user authentication mode to Windows Authentication Mode.
Vendor fix: CENTUM VP R6.01.00 to R6.12.00: Change the user authentication mode to Windows Authentication Mode.
Vendor fix: CENTUM VP R7.01.00: Apply patch software R7.01.10.
Mitigation: NOTE: Changing to Windows Authentication Mode requires engineering work. If users wish to make this change, please contact Yokogawa directly at https://contact.yokogawa.com/cs/gw?c-id=000498.
Mitigation: For more information and details on implementing these mitigations, users should see the Yokogawa advisory YSAR-26-0003 at https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf

Acknowledgments
Yokogawa reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Revision History
Initial Release Date: 2026-04-02
2026-04-02, Revision 1: Initial Republication of YSAR-26-0003

New CrystalRAT malware adds RAT, stealer and prankware features

A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities. [...]

TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials

The threat group's shift to speedy attacks on AWS, Azure, and SaaS instances shows organizations need to respond quickly to compromised credentials.

PX4 Autopilot

Summary
Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication.

The following versions of PX4 Autopilot are affected (CVE-2026-1579):
PX4 Autopilot: v1.16.0_SITL_latest_stable
Product Status: known_affected

CVSS v3: 9.8
Vendor: PX4
Equipment: PX4 Autopilot
Vulnerabilities: Missing Authentication for Critical Function

Background
Critical Infrastructure Sectors: Transportation Systems, Emergency Services, Defense Industrial Base
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2026-1579: The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS Version: 3.1
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Remediations
Mitigation: PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non-USB communication links. PX4 has published a security hardening guide for integrators and manufacturers at https://docs.px4.io/main/en/mavlink/security_hardening.
Mitigation: Message signing configuration documentation can be found at https://docs.px4.io/main/en/mavlink/message_signing.

Acknowledgments
Dolev Aviv of Cyviation reported this vulnerability to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-31
2026-03-31, Revision 1: Initial Publication

OpenCode Systems OC Messaging and USSD Gateway

Summary
Successful exploitation of this vulnerability could allow an authenticated low-privileged user to gain access to SMS messages outside of their authorized tenant scope via a crafted company or tenant identifier parameter.

The following versions of OpenCode Systems OC Messaging and USSD Gateway are affected (CVE-2025-70614):
OpenCode Systems OC Messaging: 6.32.2
OpenCode Systems USSD Gateway: 6.32.2
Product Status: known_affected

CVSS v3: 8.1
Vendor: OpenCode Systems
Equipment: OpenCode Systems OC Messaging and USSD Gateway
Vulnerabilities: Improper Access Control

Background
Critical Infrastructure Sectors: Communications
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Bulgaria

Vulnerabilities
CVE-2025-70614: OpenCode Systems Custom Messaging Gateway 6.32.2 contains a web access vulnerability allowing one authenticated user to gain access to another authenticated user's messages via a crafted identifier parameter.
Relevant CWE: CWE-284 Improper Access Control
CVSS Version: 3.1
Base Score: 8.1
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Remediations
Mitigation: The vulnerability was identified by OpenCode Systems on January 5, 2026 and remediated on January 6, 2026 with the release of version 6.33.11.
Mitigation: For more information, contact OpenCode: https://opencode.com/about/contact-us

Acknowledgments
Hussein Amer reported this vulnerability to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-26
2026-03-26, Revision 1: Initial Publication

WAGO GmbH & Co. KG Industrial Managed Switches

Summary
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.

The following versions of WAGO GmbH & Co. KG Industrial Managed Switches are affected (CVE-2026-3587):
WAGO Hardware 852-1812: firmware versions prior to V1.2.1.S0; firmware version V1.2.1.S0
WAGO Hardware 852-1813: firmware versions prior to V1.2.1.S0; firmware version V1.2.1.S0
WAGO Hardware 852-1813/000-001: firmware versions prior to V1.2.3.S0; firmware version V1.2.3.S0
WAGO Hardware 852-1816: firmware versions prior to V1.2.1.S0; firmware version V1.2.1.S0
WAGO Hardware 852-303: firmware versions prior to V1.2.8.S0; firmware version V1.2.8.S0
WAGO Hardware 852-1305: firmware versions prior to V1.2.0.S0; firmware version V1.2.0.S0
WAGO Hardware 852-1305/000-001: firmware versions prior to V1.2.0.S0; firmware version V1.2.0.S0
WAGO Hardware 852-1505/000-001: firmware versions prior to V1.2.0.S0; firmware version V1.2.0.S0
WAGO Hardware 852-1505: firmware versions prior to V1.1.9.S0; firmware version V1.1.9.S0
WAGO Hardware 852-602: firmware versions prior to V1.0.6.S0; firmware version V1.0.6.S0
WAGO Hardware 852-603: firmware versions prior to V1.0.6.S0; firmware version V1.0.6.S0
WAGO Hardware 852-1605: firmware versions prior to V1.2.5.S0; firmware version V1.2.5.S0
WAGO Hardware 852-1812/010-000: firmware versions prior to V1.2.1.S0; firmware version V1.2.1.S0
WAGO Hardware 852-1813/010-000: firmware versions prior to V1.2.1.S0; firmware version V1.2.1.S0
WAGO Hardware 852-1816/010-000: firmware versions prior to V1.2.1.S0; firmware version V1.2.1.S0
WAGO Hardware 852-1813/010-001: firmware version V1.2.1.S0; firmware version V1.2.1.S1
Product Status: known_affected

CVSS v3: 10
Vendor: WAGO
Equipment: WAGO GmbH & Co. KG Industrial Managed Switches
Vulnerabilities: Hidden Functionality

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2026-3587: An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.
Relevant CWE: CWE-912 Hidden Functionality
CVSS Version: 3.1
Base Score: 10
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Remediations
Mitigation: WAGO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Product Group (WAGO Firmware installed on all WAGO Hardware listed as affected above): Please update your devices to the specified fixed Firmware version.
Mitigation: Lean Managed Switch 852-1812, Lean Managed Switch 852-1813, Lean Managed Switch 852-1813/000-001, Lean Managed Switch 852-1816, Lean Managed Switch 852-1812/010-000, Lean Managed Switch 852-1813/010-000, Lean Managed Switch 852-1816/010-000, Lean Managed Switch 852-1813/010-001: To eliminate the attack vector deactivate ssh and telnet on the device.
Mitigation: Industrial Managed Switch 852-303, Industrial Managed Switch 852-1305, Industrial Managed Switch 852-1305/000-001, Industrial Managed Switch 852-1505/000-001, Industrial Managed Switch 852-1505, Industrial Managed Switch 852-602, Industrial Managed Switch 852-603, Industrial Managed Switch 852-1605: To reduce the attack vector deactivate ssh and telnet on the devices. This ensures that the CLI is only accessible locally via RS232.
Mitigation: The following product versions have been fixed for CVE-2026-3587:
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813
Firmware V1.2.3.S1 installed on Lean Managed Switch 852-1813/000-001
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816
Firmware V1.2.8.S1 installed on Industrial Managed Switch 852-303
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305/000-001
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1505/000-001
Firmware V1.1.9.S1 installed on Industrial Managed Switch 852-1505
Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-602
Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-603
Firmware V1.2.5.S1 installed on Industrial Managed Switch 852-1605
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812/010-000
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-000
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816/010-000
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-001
Mitigation: For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020:
WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt
VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020
VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json

Acknowledgments
CERT@VDE coordination reported this vulnerability to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-26
2026-03-26, Revision 1: Initial Republication of WAGO GmbH & Co. KG VDE-2026-020

PTC Windchill Product Lifecycle Management

Summary
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

The following versions of PTC Windchill Product Lifecycle Management are affected (CVE-2026-4681):
PTC Windchill PDMLink: 11.0_M030, 11.1_M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
PTC FlexPLM: 11.0_M030, 11.1_M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0
Product Status: known_affected

CVSS v3: 10
Vendor: PTC
Equipment: PTC Windchill Product Lifecycle Management
Vulnerabilities: Improper Control of Generation of Code ('Code Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities
CVE-2026-4681: A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.

Remediations
Mitigation: PTC is aware of the issue and is actively developing a fix. In the meantime, PTC recommends applying the recommended workaround. Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically: Protect any publicly accessible Windchill systems
Vendor fix: While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure
Vendor fix: Apply the same precautions to FlexPLM deployments
Vendor fix: The following Apache and IIS HTTP Server configuration update should be IMMEDIATELY applied to every Windchill or FlexPLM system: Customers using Apache HTTP Server should only follow "Apache HTTP Server Configuration – Workaround Steps" section steps
Mitigation: Customers using Microsoft IIS should only follow "IIS Configuration - Workaround Steps" section steps
Mitigation: Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable
Mitigation: For Windchill releases prior to 11.0 M030, workarounds may need to be altered to apply to unsupported previous releases
Mitigation: For Apache HTTP Server
and IIS configuration workaround steps, please refer to the official advisory at: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability Mitigation If immediate remediation is not feasible, additional guidance and remediation options are available at: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection') Metrics: CVSS Version 3.1, Base Score 10, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Acknowledgments: An anonymous source reported this vulnerability to CISA. Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. 
Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-26 Date Revision Summary 2026-03-26 1 Initial Republication of PTC's CS466318 Legal Notice and Terms of Use

0
Phishers Pose as Palo Alto Networks' Recruiters for Months in Job Scam

A series of campaigns that began in August aim to defraud job candidates, using psychological tactics and data scraped from LinkedIn profiles.

0
Grassroots DICOM (GDCM)

Summary: Successful exploitation of this vulnerability could allow an attacker to send a specially crafted file, and when parsed, could result in a denial-of-service condition. The following versions of Grassroots DICOM (GDCM) are affected: Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650). CVSS v3: 7.5; Vendor: Grassroots; Equipment: Grassroots DICOM (GDCM); Vulnerabilities: Missing Release of Memory after Effective Lifetime. Background: Critical Infrastructure Sectors: Healthcare and Public Health. Countries/Areas Deployed: Worldwide. Company Headquarters Location: United States. Vulnerabilities: CVE-2026-3650 A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it. Affected Products: Grassroots DICOM (GDCM) Vendor: Grassroots Product Version: Grassroots Grassroots DICOM (GDCM): 3.2.2 Product Status: known_affected Remediations: Mitigation The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information refer to the software page on SourceForge. Mitigation https://sourceforge.net/projects/gdcm/ Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Acknowledgments: Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS reported this vulnerability to CISA. Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). 
Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History: Initial Release Date: 2026-03-24. Revision 1 (2026-03-24): Initial Publication.

0
Pharos Controls Mosaic Show Controller

View CSAF Summary Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges. The following versions of Pharos Controls Mosaic Show Controller are affected: Mosaic Show Controller Firmware 2.15.3 (CVE-2026-2417) CVSS Vendor Equipment Vulnerabilities v3 9.8 Pharos Controls Pharos Controls Mosaic Show Controller Missing Authentication for Critical Function Background Critical Infrastructure Sectors: Commercial Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: United Kingdom Vulnerabilities Expand All + CVE-2026-2417 A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges. View CVE Details Affected Products Pharos Controls Mosaic Show Controller Vendor: Pharos Controls Product Version: Pharos Controls Mosaic Show Controller Firmware: 2.15.3 Product Status: known_affected Remediations Mitigation Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later. Relevant CWE: CWE-306 Missing Authentication for Critical Function Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Acknowledgments James Tully reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. 
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-24 Date Revision Summary 2026-03-24 1 Initial Publication Legal Notice and Terms of Use

0
Schneider Electric Plant iT/Brewmaxx

View CSAF Summary Successful exploitation of these vulnerabilities could risk privilege escalation, which could result in remote code execution. The following versions of Schneider Electric Plant iT/Brewmaxx are affected: Plant iT/Brewmaxx 9.60_and_above (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819) CVSS Vendor Equipment Vulnerabilities v3 9.9 Schneider Electric Schneider Electric Plant iT/Brewmaxx Use After Free, Integer Overflow or Wraparound, Improper Control of Generation of Code ('Code Injection') Background Critical Infrastructure Sectors: Energy, Critical Manufacturing, Commercial Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: France Vulnerabilities Expand All + CVE-2025-49844 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. 
Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. 
https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2025-46817 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. 
Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-46818 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. 
View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. 
Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2025-46819 The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. 
View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. 
Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H Acknowledgments Schneider Electric reported these vulnerabilities to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-24 Date Revision Summary 2026-03-24 1 Initial Republication of SEVD-2026-013-01 Legal Notice and Terms of Use

0
‘CanisterWorm’ Springs Wiper Attack Targeting Iran

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.

0
Russian Intelligence Services Target Commercial Messaging Application Accounts

CISA and the Federal Bureau of Investigation released a Public Service Announcement (PSA) warning about ongoing phishing campaigns by cyber actors associated with the Russian Intelligence Services targeting commercial messaging applications (CMAs). These campaigns aim to bypass encryption to compromise individual user accounts, with targets including current and former U.S. government officials, military personnel, political figures, and journalists. Evidence shows that cyber actors have been able to compromise individual CMA accounts, but not encryption of the applications themselves. The actors' global campaigns have resulted in unauthorized access to thousands of individual CMA accounts to view the victims' messages and contact lists, send messages, and conduct additional phishing against other CMA accounts. CISA and FBI urge CMA users to review the PSA, follow recommended cybersecurity practices, and remain vigilant for suspicious activity.

0
Schneider Electric Modicon M241, M251, and M262

Summary: Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the product.

The following versions of Schneider Electric Modicon M241, M251, and M262 are affected:
- Modicon M241 versions prior to 5.4.13.12 (Modicon_Controller_M241)
- Modicon M251 versions prior to 5.4.13.12 (Modicon_Controller_M251)
- Modicon M262 versions prior to 5.4.10.12 (Modicon_Controller_M262)

Product Status: known_affected

CVSS v3: 5.3
Vendor: Schneider Electric
Equipment: Schneider Electric Modicon M241, M251, and M262
Vulnerabilities: Improper Resource Shutdown or Release

Background:
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities:

CVE-2025-13901: CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels.

Relevant CWE: CWE-404 Improper Resource Shutdown or Release

Metrics:
- CVSS Version: 3.1
- Base Score: 5.3
- Base Severity: MEDIUM
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Remediations: Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.

Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.

Modicon Controller M262 Firmware version 5.4.10.12 delivered with EcoStruxure™ Machine Expert v2.5 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M262 to the latest Firmware and perform reboot. For instructions refer to Modicon M262 Logic/Motion Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-01:
- Improper Resource Shutdown or Release vulnerability in Multiple Products - SEVD-2026-069-01 PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-01.pdf
- Improper Resource Shutdown or Release vulnerability in Multiple Products - SEVD-2026-069-01 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-01.json

All affected products: If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
- Filter ports and IP through the embedded firewall.
- Use encrypted communication links.
- Use VPN (Virtual Private Networks) tunnels if remote access is required.
- The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Acknowledgments:
- Amir Zaltzman of Claroty Team82 reported this vulnerability to Schneider Electric
- Schneider Electric reported this vulnerability to CISA

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History:
- Initial Release Date: 2026-03-19
- Date: 2026-03-19; Revision: 1; Summary: Initial Republication of Schneider Electric CPCERT SEVD-2026-069-01

0
Automated Logic WebCTRL Premium Server

Summary: Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications.

The following versions of Automated Logic WebCTRL Premium Server are affected:
- WebCTRL Premium Server

CVSS v3: 9.1
Vendor: Automated Logic
Equipment: Automated Logic WebCTRL Premium Server
Vulnerabilities: Multiple Binds to the Same Port, Authentication Bypass by Spoofing, Cleartext Transmission of Sensitive Information

Background:
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities:

CVE-2026-25086: Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.
- Relevant CWE: CWE-605 Multiple Binds to the Same Port
- CVSS Version: 3.1; Base Score: 7.7; Base Severity: HIGH; Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2026-32666: WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.
- Relevant CWE: CWE-290 Authentication Bypass by Spoofing
- CVSS Version: 3.1; Base Score: 7.5; Base Severity: HIGH; Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2026-24060: Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
- Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information
- CVSS Version: 3.1; Base Score: 9.1; Base Severity: CRITICAL; Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products (listed identically for each of the three CVEs):
- Vendor: Automated Logic
- Product Version: Automated Logic WebCTRL Premium Server: <v8.5
- Product Status: known_affected

Remediations (listed identically for each of the three CVEs):
- Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.
- For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.

Acknowledgments:
- Jonathan Lee, Thuy D. Nguyen and Neil C. Rowe of the Naval Postgraduate School reported these vulnerabilities to CISA

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History:
- Initial Release Date: 2026-03-19
- Date: 2026-03-19; Revision: 1; Summary: Initial Publication

0
Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Summary: Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack which could result in an account takeover scenario or the execution of code in the user browser.

The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected:
- Modicon M241 versions prior to 5.4.13.12 (Modicon_Controller_M241)
- Modicon M251 versions prior to 5.4.13.12 (Modicon_Controller_M251)
- Modicon Controllers M258 all firmware versions (Modicon_Controllers_M258)
- Modicon Controllers LMC058 all firmware versions (Modicon_Controllers_LMC058)

Product Status: known_affected

CVSS v3: 5.4
Vendor: Schneider Electric
Equipment: Schneider Electric Modicon Controllers M241, M251, M258, and LMC058
Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background:
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities:

CVE-2025-13902: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics:
- CVSS Version: 3.1
- Base Score: 5.4
- Base Severity: MEDIUM
- Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Remediations: Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.

Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.

If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
- Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use.
- Deactivate the Webserver after use when not needed.
- Use encrypted communication links.
- Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
- Use VPN (Virtual Private Networks) tunnels if remote access is required.
- The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Modicon Controllers M258 and Modicon Controllers LMC058: the advisory lists the same seven mitigations as above, from protected-environment use through the Cybersecurity Guidelines reference.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02:
- Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf
- Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json

Acknowledgments:
- Amir Zaltzman of Claroty Team82 reported this vulnerability to Schneider Electric
- Schneider Electric reported this vulnerability to CISA

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History:
- Initial Release Date: 2026-03-19
- Date: 2026-03-19; Revision: 1; Summary: Initial Republication of Schneider Electric CPCERT SEVD-2026-069-02

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment. [1] To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.

To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software:
- Use principles of least privilege when designing administrative roles. Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
- Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene. Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
- Configure access policies to require Multi Admin Approval in Microsoft Intune. Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.

Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:

Microsoft resources:
- For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune.
- For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval.
- For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security.
- For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune.
- For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.

CISA resources:
- For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.

Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Acknowledgements
Microsoft and Stryker contributed to this alert.

Notes
[1] For updates from Stryker on the incident, see “Customer Updates: Stryker Network Disruption,” Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.

‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution.

- FortiClient for Windows is a unified endpoint security solution that provides a range of security features, including a VPN client for secure remote access to corporate networks, antivirus protection, web filtering, and vulnerability assessment.
- FortiExtender is a device from Fortinet that provides secure 5G/LTE and Ethernet connectivity to extend a network's edge.
- FortiMail is a secure email gateway from Fortinet that protects against email-borne threats like spam, phishing, and malware, and prevents data loss.
- FortiPAM provides privileged account management, session monitoring and management, and role-based access control to secure access to sensitive assets and mitigate data breaches.
- FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware.
- FortiADC is an application delivery controller (ADC) that improves the availability, performance, and security of web applications.
- FortiWeb is a web application firewall (WAF) that protects web applications and APIs from cyberattacks like SQL injection and cross-site scripting, while also helping to meet compliance requirements.
- FortiVoice is a unified communications solution that combines voice, chat, conferencing, and fax into a single, secure platform for businesses and schools.
- FortiOS is Fortinet’s proprietary operating system, which is used across multiple product lines.
- FortiProxy is a secure web gateway product from Fortinet that protects users from internet-borne attacks, enforces compliance, and improves network performance.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

State of the SaaS Security Union

Two threat groups are exploiting SaaS at scale: one with phishing and data theft, the other with nation-state level tactics exploiting integrations and credentials. Here’s what you need to know and how to protect against the next wave.
