<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ics — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ics/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ics/feed.xml" rel="self" type="application/rss+xml"/><item><title>ABB System 800xA and Symphony Plus IEC 61850 Denial-of-Service Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-iec61850-dos/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-iec61850-dos/</guid><description>A vulnerability in ABB's IEC 61850 communication stack allows a remote attacker with access to the IEC 61850 network to cause a denial-of-service condition by sending a specially crafted packet, leading to device faults or communication driver crashes.</description><content:encoded><![CDATA[<p>ABB System 800xA and Symphony Plus IEC 61850 products are vulnerable to a denial-of-service attack due to improper validation of input within the IEC 61850 communication stack. This affects specific modules within the AC800M, Symphony Plus SD Series, Symphony Plus MR, and S+ Operations product lines. An attacker with network access to the IEC 61850 network can exploit this vulnerability by sending a specially crafted 61850 packet. 
The exploitation leads to device faults in PM 877, CI850, and CI868 modules, requiring manual restarts, or causes unavailability of the S+ Operations 61850 connectivity due to communication driver crashes. The System 800xA IEC61850 Connect is not affected by this vulnerability. This issue was reported to ABB by Hitachi Energy and affects firmware versions prior to the patched releases detailed in ABB&rsquo;s advisory.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network access to the targeted IEC 61850 network.</li>
<li>Attacker identifies a vulnerable ABB device (PM 877, CI850, CI868 modules, or S+ Operations node).</li>
<li>Attacker crafts a malicious IEC 61850 packet specifically designed to exploit the input validation vulnerability (CVE-2025-3756).</li>
<li>Attacker sends the crafted packet to the targeted vulnerable ABB device via the IEC 61850 network.</li>
<li>The vulnerable device processes the malicious packet.</li>
<li>Due to the input validation flaw, the processing of the crafted packet triggers a fault condition in PM 877, CI850, or CI868 modules, or a crash in the S+ Operations IEC 61850 communication driver.</li>
<li>The affected module or node becomes unavailable, resulting in a denial-of-service.</li>
<li>For PM 877, CI850, and CI868 modules, manual restart of the device is required to restore functionality. S+ Operations requires restarting the IEC 61850 communication driver.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can disrupt critical industrial control processes. Affected sectors include Chemical, Critical Manufacturing, Energy, and Water/Wastewater. A successful attack can lead to temporary loss of control and monitoring capabilities, potentially causing process disruptions, safety incidents, or environmental damage. The vulnerability affects devices deployed worldwide. While the S+ Operations node&rsquo;s overall functionality remains available, the loss of IEC 61850 communication can still impede operations relying on this protocol.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply vendor-provided patches to affected ABB System 800xA and Symphony Plus IEC 61850 products as soon as they are available. Refer to ABB&rsquo;s advisory for specific version information and patch availability.</li>
<li>Segment and isolate IEC 61850 networks using firewalls to prevent unauthorized access and lateral movement. Implement strict access control policies to limit access to these networks.</li>
<li>Monitor network traffic for suspicious IEC 61850 packets that may indicate exploitation attempts. Create network connection rules to only allow traffic from known good IEC 61850 clients.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious IEC 61850 Traffic&rdquo; to detect potential exploitation attempts based on unexpected network activity.</li>
<li>Enable and review firewall logs to identify and block potentially malicious traffic attempting to reach vulnerable ABB devices.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ics</category><category>denial-of-service</category><category>industrial-control-system</category><category>iec61850</category></item><item><title>ABB PCM600 Path Traversal Vulnerability (CVE-2018-1002208)</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-pcm600-path-traversal/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-pcm600-path-traversal/</guid><description>A path traversal vulnerability in ABB PCM600 versions 1.5 to 2.13 (CVE-2018-1002208) allows a local attacker with low privileges to execute arbitrary code by sending a specially crafted message to the system node.</description><content:encoded><![CDATA[<p>ABB PCM600 versions 1.5 through 2.13 are vulnerable to a path traversal flaw (CVE-2018-1002208) within the SharpZip.dll library. Successful exploitation enables a local attacker with low privileges to execute arbitrary code on the affected system. This vulnerability resides in the software used to configure and manage protection and control IEDs (Intelligent Electronic Devices) in critical infrastructure sectors, specifically critical manufacturing. ABB recommends updating to PCM600 version 2.14 to remediate this vulnerability. The vulnerability was reported to CISA by ABB PSIRT.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains low-privilege access to the target system running a vulnerable ABB PCM600 version.</li>
<li>The attacker crafts a malicious message containing a path traversal payload designed to exploit CVE-2018-1002208.</li>
<li>The attacker sends the crafted message to the system node, targeting the vulnerable SharpZip.dll.</li>
<li>The SharpZip.dll processes the message without properly sanitizing the provided path.</li>
<li>The path traversal vulnerability allows the attacker to write arbitrary files to locations outside the intended directory.</li>
<li>The attacker leverages the file write capability to place a malicious executable or library in a trusted location.</li>
<li>The attacker triggers the execution of the malicious code, achieving arbitrary code execution on the system.</li>
<li>The attacker can then perform actions such as escalating privileges, installing malware, or disrupting industrial processes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2018-1002208 can lead to arbitrary code execution on systems running vulnerable ABB PCM600 versions within critical manufacturing environments. While no specific victim counts or sectors are detailed in the advisory, the vulnerability&rsquo;s presence in industrial control systems poses a significant risk. A successful attack could disrupt manufacturing processes, cause equipment damage, or lead to data breaches.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to ABB Protection and control IED manager PCM600 version 2.14 to address CVE-2018-1002208 as per the vendor&rsquo;s recommendation.</li>
<li>If using RE_630 protection relays with older PCM600 versions, implement system-level defenses as described in ABB&rsquo;s security advisory 2NGA002813.</li>
<li>Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet, as recommended by CISA.</li>
<li>Monitor file creation events for suspicious file paths that may indicate path traversal attempts exploiting CVE-2018-1002208, using a rule similar to the example provided.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ics</category><category>path traversal</category><category>industrial control system</category></item><item><title>ABB AWIN Gateway Vulnerabilities Allow Remote Reboot and Information Disclosure</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-awin-gateways/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-awin-gateways/</guid><description>Multiple vulnerabilities in ABB AWIN Gateways allow an unauthenticated attacker to remotely reboot the device (CVE-2025-13778) or disclose sensitive system configuration details (CVE-2025-13777, CVE-2025-13779).</description><content:encoded><![CDATA[<p>ABB AWIN Gateways are vulnerable to multiple security flaws that could be exploited by unauthenticated attackers. These vulnerabilities impact ABB AWIN GW100 rev.2 and GW120 devices running specific firmware versions (2.0-0, 2.0-1, 1.2-0, and 1.2-1). Successful exploitation of these vulnerabilities can lead to a denial-of-service condition via remote reboot or the disclosure of sensitive system configuration information, potentially compromising critical manufacturing infrastructure. The vulnerabilities stem from authentication bypass and missing authentication for critical functions. Firmware versions 2.1-0 for GW100 rev. 2 and 2.0-0 for GW120 address these issues.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an exposed ABB AWIN Gateway on a network (likely adjacent network).</li>
<li>Attacker sends a crafted, unauthenticated request to the targeted gateway to trigger CVE-2025-13778.</li>
<li>The ABB AWIN Gateway processes the request without authentication.</li>
<li>The gateway initiates a reboot, causing a denial-of-service condition.</li>
<li>Alternatively, the attacker sends another crafted, unauthenticated request to trigger CVE-2025-13777 or CVE-2025-13779.</li>
<li>The gateway responds to the request, disclosing sensitive system configuration information.</li>
<li>The attacker uses the disclosed information to gain further insight into the network and potentially plan further attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can have significant impacts, particularly within critical manufacturing sectors where these gateways are deployed. A remote reboot (CVE-2025-13778) can disrupt operations, leading to production downtime and financial losses. Disclosure of sensitive system configuration information (CVE-2025-13777, CVE-2025-13779) can provide attackers with valuable insights, enabling them to plan further attacks, such as gaining unauthorized access to other systems or manipulating industrial processes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch affected ABB AWIN Gateways to the fixed versions (ABB AWIN Firmware 2.1-0 installed on ABB AWIN GW100 rev. 2 and ABB AWIN Firmware 2.0-0 installed on ABB AWIN GW120) as recommended in the ABB PSIRT security advisory 4JNO000329.</li>
<li>Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet as recommended by CISA.</li>
<li>Monitor network traffic for unauthenticated requests to ABB AWIN Gateways, specifically targeting endpoints related to system reboot or configuration retrieval using the provided Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ics</category><category>vulnerability</category><category>industrial_control_systems</category></item><item><title>ABB Ability Symphony Plus Engineering Vulnerabilities Allow Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-symphony-vulns/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-symphony-vulns/</guid><description>Multiple vulnerabilities in ABB Ability Symphony Plus Engineering, stemming from underlying PostgreSQL flaws, could allow a remote attacker with network access to execute arbitrary code and compromise the system.</description><content:encoded><![CDATA[<p>ABB Ability Symphony Plus Engineering versions 2.2 through 2.4 SP2 are susceptible to multiple vulnerabilities originating in the included PostgreSQL database. An attacker gaining access to the S+ Client Server network could exploit CVE-2023-5869 (Integer Overflow), CVE-2023-39417 (SQL Injection), and CVE-2024-7348 (TOCTOU race condition) to execute arbitrary code and potentially compromise the entire ABB system. This poses a significant risk to organizations in critical infrastructure sectors, including Chemical, Critical Manufacturing, Energy, and Water/Wastewater, as these systems are vital for operational control and safety. Successful exploitation could result in loss of control, data breaches, or disruption of essential services. ABB released S+ Engineering 2.4 SP2 RU1 in December 2024 as a fix.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target network, specifically the S+ Client Server network, possibly through existing vulnerabilities or misconfigurations.</li>
<li>Attacker authenticates to the PostgreSQL database server used by ABB Ability Symphony Plus Engineering.</li>
<li>Attacker exploits CVE-2023-5869 by providing crafted data to trigger an integer overflow, enabling arbitrary code execution.</li>
<li>Alternatively, the attacker exploits CVE-2023-39417 by injecting malicious SQL code through extension scripts, leading to arbitrary code execution with administrator privileges.</li>
<li>Alternatively, the attacker exploits CVE-2024-7348, leveraging a TOCTOU race condition to execute arbitrary SQL functions with elevated privileges using a PostgreSQL utility.</li>
<li>The attacker executes arbitrary code within the context of the compromised ABB Ability Symphony Plus Engineering application or the underlying PostgreSQL database.</li>
<li>The attacker leverages the compromised system to move laterally within the OT network, potentially targeting other critical systems or data repositories.</li>
<li>Attacker achieves complete compromise of the ABB Ability Symphony Plus Engineering system, allowing manipulation of industrial processes, data exfiltration, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities in ABB Ability Symphony Plus Engineering can have severe consequences, particularly in critical infrastructure sectors. Affected sectors include chemical, critical manufacturing, energy, and water/wastewater facilities worldwide. A compromised system could allow attackers to manipulate industrial processes, leading to equipment damage, environmental incidents, or disruption of essential services like power generation or water treatment. The vulnerabilities could allow attackers to gain unauthorized access to sensitive data, intellectual property, or control systems, resulting in significant financial losses, reputational damage, and potential safety risks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade ABB Ability Symphony Plus Engineering to version 2.4 SP2 RU1 (released in December 2024) or later, as recommended by ABB, to address the identified vulnerabilities (Vendor fix).</li>
<li>Review and enforce network segmentation and firewall configurations to restrict access to the S+ client/server network, mitigating the risk of external attackers exploiting these vulnerabilities (Mitigation).</li>
<li>Monitor network traffic for suspicious activity indicative of PostgreSQL exploitation attempts. Deploy the Sigma rule <code>Detect Suspicious PostgreSQL Utility Execution</code> to identify potential exploitation of CVE-2024-7348.</li>
<li>Enable logging of PostgreSQL queries and analyze logs for SQL injection attempts, specifically looking for suspicious use of extension scripts. Deploy the Sigma rule <code>Detect SQL Injection in PostgreSQL Logs</code> to identify potential exploitation of CVE-2023-39417.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>ics</category><category>postgresql</category></item><item><title>ABB Ability OPTIMAX Authentication Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-optimax-auth-bypass/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-optimax-auth-bypass/</guid><description>CVE-2025-14510 allows an attacker to bypass Azure Active Directory Single-Sign On authentication in vulnerable ABB Ability OPTIMAX versions, potentially granting unauthorized access to critical infrastructure systems.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2025-14510, affects ABB Ability OPTIMAX versions that utilize Azure Active Directory (Azure AD) for Single-Sign On (SSO) authentication. This flaw stems from an incorrect implementation of the authentication algorithm, potentially allowing attackers to bypass the Azure AD authentication mechanism and gain unauthorized access to the OPTIMAX system. The affected versions include ABB Ability OPTIMAX 6.1 and 6.2 (all versions), 6.3 versions prior to 6.3.1-251120, and 6.4 versions prior to 6.4.1-251120. Successful exploitation could lead to significant disruption in energy, water, and wastewater sectors. The vulnerability was reported to CISA by ABB PSIRT.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an ABB Ability OPTIMAX installation using Azure AD SSO with a vulnerable version (6.1, 6.2, 6.3 &lt; 6.3.1-251120, or 6.4 &lt; 6.4.1-251120).</li>
<li>The attacker crafts a malicious authentication request, exploiting the incorrect implementation of the authentication algorithm (CWE-303).</li>
<li>The crafted request bypasses the expected Azure AD authentication checks within OPTIMAX.</li>
<li>OPTIMAX incorrectly validates the attacker&rsquo;s session, granting them access to the system.</li>
<li>The attacker leverages their unauthorized access to gain control over OPTIMAX functionalities.</li>
<li>The attacker can then modify control parameters, manipulate data, or disrupt operations within the connected industrial processes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-14510 enables unauthorized access to ABB Ability OPTIMAX systems, potentially leading to severe consequences in critical infrastructure sectors such as energy, water, and wastewater. An attacker could manipulate industrial processes, disrupt critical services, or cause significant financial and operational damage. Given the widespread deployment of ABB Ability OPTIMAX systems globally, a successful campaign exploiting this vulnerability could have far-reaching impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update ABB Ability OPTIMAX to fixed versions (6.3.1-251120 and later) to remediate CVE-2025-14510.</li>
<li>Refer to ABB PSIRT security advisory 9AKK108472A1331 for detailed mitigation steps and recommendations.</li>
<li>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as per CISA&rsquo;s recommended practices.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication bypass</category><category>ics</category><category>vulnerability</category></item><item><title>Hirschmann HiEOS HTTP(S) Management Module Authentication Bypass (CVE-2024-14034)</title><link>https://feed.craftedsignal.io/briefs/2026-04-hieos-auth-bypass/</link><pubDate>Thu, 02 Apr 2026 20:16:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-hieos-auth-bypass/</guid><description>Hirschmann HiEOS devices contain an authentication bypass vulnerability (CVE-2024-14034) in the HTTP(S) management module, allowing unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP(S) requests.</description><content:encoded><![CDATA[<p>CVE-2024-14034 describes an authentication bypass vulnerability affecting Hirschmann HiEOS devices. The vulnerability resides within the HTTP(S) management module and allows unauthenticated remote attackers to gain administrative privileges. By sending specially crafted HTTP(S) requests, attackers can bypass authentication checks due to improper handling. This enables them to perform unauthorized actions such as downloading or uploading device configurations and modifying the device firmware. Successful exploitation leads to a complete compromise of the affected HiEOS device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Hirschmann HiEOS device accessible over the network via HTTP(S).</li>
<li>The attacker crafts a malicious HTTP(S) request designed to exploit the authentication bypass. This request likely targets specific endpoints in the management module.</li>
<li>The attacker sends the crafted HTTP(S) request to the vulnerable HiEOS device.</li>
<li>Due to improper authentication handling, the device incorrectly processes the request, granting the attacker administrative privileges.</li>
<li>The attacker leverages the elevated privileges to download the device configuration, potentially exposing sensitive information.</li>
<li>The attacker modifies the device configuration, injecting malicious settings or backdoors.</li>
<li>The attacker uploads the modified configuration to the HiEOS device, effectively compromising its functionality.</li>
<li>Alternatively, the attacker could use their elevated privileges to upload and install a modified firmware image. This allows complete control over the device and can ensure persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-14034 allows an unauthenticated attacker to gain full administrative control over the targeted Hirschmann HiEOS device. This can lead to device configuration modification, firmware manipulation, and potential disruption of network services relying on the compromised device. Given the nature of HiEOS devices, successful attacks can impact industrial control systems (ICS) and critical infrastructure. A CVSS v3.1 base score of 9.8 reflects the critical severity and potential impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patches or mitigations provided in the Belden Security Bulletin BSECV-2024-02 (reference URL in the References section) to remediate CVE-2024-14034.</li>
<li>Monitor webserver logs for unusual HTTP requests targeting the HiEOS management interface using the Sigma rule &ldquo;Detect Suspicious HiEOS Management Requests&rdquo;.</li>
<li>Implement network segmentation to limit the exposure of HiEOS devices and reduce the potential impact of a successful attack.</li>
<li>Regularly review and update firmware on HiEOS devices to address known vulnerabilities and improve overall security posture.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authentication bypass</category><category>cve-2024-14034</category><category>hieos</category><category>ics</category></item><item><title>CODESYS Control Runtime System Audit Log DoS Vulnerability (CVE-2026-3509)</title><link>https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/</link><pubDate>Wed, 25 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/</guid><description>An unauthenticated remote attacker can exploit CVE-2026-3509 in the CODESYS Control runtime system to control the format string of messages processed by the Audit Log, leading to a denial-of-service (DoS) condition.</description><content:encoded>&lt;p>CVE-2026-3509 describes a format string vulnerability within the Audit Log of the CODESYS Control runtime system. This vulnerability allows an unauthenticated remote attacker to influence the format string of messages processed by the affected system. Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition, impacting the availability of the CODESYS Control runtime system. The vulnerability was reported on March 24, 2026. CODESYS is a popular development…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>codesys</category><category>dos</category><category>cve-2026-3509</category><category>ics</category><category>ot</category></item><item><title>CODESYS Multiple Vulnerabilities Allow Arbitrary Code Execution and DoS</title><link>https://feed.craftedsignal.io/briefs/2026-03-codesys-vulns/</link><pubDate>Wed, 25 Mar 2026 09:46:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-codesys-vulns/</guid><description>Multiple vulnerabilities in CODESYS allow a remote attacker to execute arbitrary program code and conduct a denial-of-service attack.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in CODESYS, a software platform widely used for industrial automation. These vulnerabilities, if exploited, could allow a remote attacker to execute arbitrary program code on affected systems and/or cause a denial-of-service (DoS) condition. Given the prevalence of CODESYS in critical infrastructure and manufacturing environments, these vulnerabilities pose a significant risk. Public details are limited, but the potential impact necessitates immediate action from defenders to identify and mitigate potentially vulnerable CODESYS installations. Successful exploitation can lead to significant disruption of industrial processes, data manipulation, and potentially physical damage depending on the affected systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable CODESYS installation accessible over the network (e.g., via Shodan or similar).</li>
<li>Attacker crafts a malicious request specifically targeting one of the CODESYS vulnerabilities. Due to lack of specifics, this step is generic. Example attack vectors could include crafted network packets or malicious project files.</li>
<li>The malicious request is sent to the vulnerable CODESYS service.</li>
<li>The CODESYS service improperly processes the request due to the vulnerability.</li>
<li>This improper processing leads to arbitrary code execution within the context of the CODESYS service.</li>
<li>The attacker executes malicious code to gain control of the CODESYS runtime. This code could install a backdoor, modify control logic, or exfiltrate data.</li>
<li>Alternatively, the malformed request triggers a denial-of-service condition, causing the CODESYS service or the entire system to crash.</li>
<li>The attacker disrupts industrial processes or gains unauthorized access to the industrial control system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these CODESYS vulnerabilities can have severe consequences, including unauthorized access to industrial control systems, disruption of critical infrastructure, data manipulation, and potentially physical damage. The number of affected systems is potentially large, given the widespread use of CODESYS in various sectors including manufacturing, energy, and transportation. A successful attack could lead to significant financial losses, reputational damage, and even safety risks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for suspicious activity targeting CODESYS services. Use the network connection rule below to detect unusual processes connecting to CODESYS ports.</li>
<li>Implement strict network segmentation to limit the exposure of CODESYS installations to external networks.</li>
<li>Since specific CVEs are not available, regularly check the CODESYS website for security updates and apply them immediately.</li>
<li>Investigate any crashes or unexpected behavior of CODESYS services, using process creation logs with the process creation rule below to see if the crash was caused by a malicious process.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>codesys</category><category>vulnerability</category><category>arbitrary-code-execution</category><category>denial-of-service</category><category>ics</category></item><item><title>Yokogawa CENTUM VP R6 and R7 Vulnerabilities Lead to Potential Denial of Service and Arbitrary Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-02-yokogawa-centum-vp-r6-r7/</link><pubDate>Fri, 27 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-yokogawa-centum-vp-r6-r7/</guid><description>Multiple vulnerabilities in Yokogawa CENTUM VP R6 and R7 Vnet/IP Interface Package can be exploited by sending maliciously crafted packets, leading to denial-of-service or arbitrary code execution.</description><content:encoded><![CDATA[<p>Yokogawa CENTUM VP is a distributed control system (DCS) used in critical infrastructure sectors such as critical manufacturing, energy, and food and agriculture worldwide. CISA has released an advisory detailing multiple vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023) affecting the Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300) and R7 (VP7C3300) versions &lt;= R1.07.00. Successful exploitation of these vulnerabilities could allow an attacker to terminate the software stack process, cause a denial-of-service condition, or execute arbitrary code. The vulnerabilities are triggered by receiving maliciously crafted network packets, posing a significant risk to industrial control systems relying on affected versions of Yokogawa CENTUM VP.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Yokogawa CENTUM VP system running Vnet/IP Interface Package for CENTUM VP R6 or R7 (&lt;=R1.07.00) on the network.</li>
<li>Attacker crafts a malicious network packet specifically designed to exploit one of the identified vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023).</li>
<li>Attacker sends the malicious packet to the vulnerable system.</li>
<li>If exploiting CVE-2025-1924 (Out-of-bounds Write), the crafted packet triggers an out-of-bounds write, potentially overwriting critical memory regions.</li>
<li>If exploiting CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, or CVE-2025-48022 (Reachable Assertion, Integer Underflow), the crafted packet causes the Vnet/IP software stack process to terminate due to an assertion failure or integer underflow.</li>
<li>If successful, the Vnet/IP communication functions stop, resulting in a denial-of-service condition, impacting the control and monitoring capabilities of the CENTUM VP system.</li>
<li>(Potentially, for CVE-2025-1924) By carefully crafting the malicious packet and exploiting the out-of-bounds write, the attacker may achieve arbitrary code execution on the targeted system.</li>
<li>Attacker could then leverage the code execution to gain further control of the system, potentially disrupting industrial processes or exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities in Yokogawa CENTUM VP R6 and R7 could have significant consequences for organizations in critical infrastructure sectors. A denial-of-service condition can disrupt industrial processes, leading to production losses and potential safety hazards. Arbitrary code execution could allow attackers to gain complete control of the system, potentially leading to sabotage, data theft, or further attacks on the network. Given the widespread deployment of Yokogawa CENTUM VP systems globally, the impact could be significant across various industries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch software R1.08.00 provided by Yokogawa to address the vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023).</li>
<li>Monitor network traffic for unexpected patterns or malformed packets targeting Yokogawa CENTUM VP systems using network intrusion detection systems (NIDS).</li>
<li>Consult Yokogawa advisory YSAR-26-0002 for detailed mitigation steps and implementation guidance: <a href="https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0002-E.pdf">https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0002-E.pdf</a></li>
<li>Implement network segmentation to isolate critical control systems from the broader network to limit the potential impact of a successful attack.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ics</category><category>denial-of-service</category><category>out-of-bounds write</category></item><item><title>Mobility46 Charging Station Vulnerabilities Allow Unauthorized Control and Disruption</title><link>https://feed.craftedsignal.io/briefs/2026-02-mobility46-vulns/</link><pubDate>Fri, 27 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-mobility46-vulns/</guid><description>Multiple vulnerabilities in Mobility46 charging stations allow attackers to gain unauthorized administrative control or disrupt charging services through missing authentication, improper authentication restrictions, insufficient session expiration, and exposed credentials.</description><content:encoded><![CDATA[<p>Mobility46 charging stations are affected by multiple vulnerabilities that could allow attackers to gain unauthorized administrative control or disrupt charging services. These vulnerabilities, identified in all versions of mobility46.se, include missing authentication for critical functions (CVE-2026-27028), improper restriction of excessive authentication attempts (CVE-2026-26305), insufficient session expiration (CVE-2026-27647), and insufficiently protected credentials (CVE-2026-22878). Exploitation could lead to privilege escalation, unauthorized control of charging infrastructure, corruption of charging network data, and denial-of-service conditions. Mobility46 did not respond to CISA&rsquo;s request for coordination. These charging stations are deployed worldwide across the energy and transportation sectors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Mobility46 charging station&rsquo;s identifier via publicly accessible web-based mapping platforms due to insufficient credential protection (CVE-2026-22878).</li>
<li>Attacker connects to the charging station&rsquo;s OCPP WebSocket endpoint using the discovered charging station identifier, exploiting the lack of authentication mechanisms (CVE-2026-27028).</li>
<li>Attacker issues unauthorized OCPP commands to the charging station, impersonating a legitimate charger due to missing authentication for critical functions (CVE-2026-27028).</li>
<li>Alternatively, the attacker overwhelms the WebSocket API with authentication requests, exploiting the lack of rate limiting and causing a denial-of-service condition (CVE-2026-26305).</li>
<li>Attacker hijacks or shadows a legitimate charging station session by establishing a new connection using the same session identifier, as multiple endpoints are allowed per session (CVE-2026-27647).</li>
<li>The attacker receives backend commands intended for the legitimate charging station, gaining unauthorized control (CVE-2026-27647).</li>
<li>Attacker manipulates charging parameters, disrupts charging services, or corrupts charging network data reported to the backend.</li>
<li>The final objective is to gain unauthorized control of charging infrastructure and disrupt charging services or cause financial and reputational damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations, leading to manipulation of charging parameters and disruption of services. Organizations in the energy and transportation sectors are affected worldwide. The lack of authentication and session management could allow attackers to cause denial-of-service conditions, potentially affecting numerous charging stations simultaneously. This could lead to significant financial losses, reputational damage, and disruption of critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network connections for unusual WebSocket traffic patterns originating from or directed towards the domain mobility46.se to detect potential exploitation attempts (IOC: mobility46.se).</li>
<li>Deploy the Sigma rule &ldquo;Detect Unauthenticated WebSocket Connection to Mobility46 Charging Station&rdquo; to identify connections lacking proper authentication. Enable network connection logging for WebSocket traffic (Sigma Rule).</li>
<li>Apply rate limiting measures to the WebSocket API endpoints to mitigate potential denial-of-service attacks resulting from excessive authentication attempts as described in CVE-2026-26305.</li>
<li>Implement robust authentication mechanisms for all WebSocket endpoints to prevent unauthorized station impersonation and data manipulation, addressing CVE-2026-27028.</li>
<li>Investigate and remediate the exposure of charging station authentication identifiers on web-based mapping platforms to prevent unauthorized access, addressing CVE-2026-22878.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>mobility46</category><category>charging-station</category><category>vulnerability</category><category>ics</category></item><item><title>Pelco Sarix Pro 3 Series IP Camera Authentication Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-02-pelco-sarix-auth-bypass/</link><pubDate>Fri, 27 Feb 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-pelco-sarix-auth-bypass/</guid><description>An authentication bypass vulnerability (CVE-2026-1241) in the web management interface of Pelco Sarix Pro 3 Series IP Cameras (versions &lt;= 02.52) allows unauthenticated attackers to access sensitive device data and bypass surveillance controls.</description><content:encoded>&lt;p>Pelco Sarix Pro 3 Series IP Cameras are affected by an authentication bypass vulnerability (CVE-2026-1241) in their web management interface. The vulnerability stems from inadequate access control enforcement, allowing unauthorized access to certain functionalities without proper authentication. This issue impacts Sarix Professional IMP 3 Series, IXP 3 Series, IBP 3 Series, and IWP 3 Series IP Cameras with firmware versions equal to or less than 02.52. Successful exploitation can lead to…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-1241</category><category>authentication-bypass</category><category>ip-camera</category><category>ics</category></item><item><title>Multiple Vulnerabilities in EV Energy ev.energy Charging Stations</title><link>https://feed.craftedsignal.io/briefs/2026-02-ev-energy-vulns/</link><pubDate>Thu, 26 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-ev-energy-vulns/</guid><description>Multiple vulnerabilities exist in EV Energy ev.energy that could allow an attacker to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in EV Energy ev.energy charging stations, potentially allowing attackers to gain unauthorized administrative control or disrupt charging services. The vulnerabilities, detailed in CISA ICS Advisory ICSA-26-057-07, affect all versions of ev.energy. These vulnerabilities include missing authentication for critical functions (CVE-2026-27772), improper restriction of excessive authentication attempts (CVE-2026-24445), insufficient session expiration (CVE-2026-26290), and insufficiently protected credentials (CVE-2026-25774). Successful exploitation could lead to privilege escalation, unauthorized control of charging infrastructure, and denial-of-service conditions. The affected sectors include Energy and Transportation Systems, with worldwide deployment. The vendor, EV Energy, has not responded to CISA&rsquo;s request for coordination.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance:</strong> An attacker identifies EV Energy ev.energy charging stations that have publicly accessible authentication identifiers via web-based mapping platforms (CVE-2026-25774).</li>
<li><strong>Unauthorized WebSocket Connection:</strong> The attacker connects to the OCPP WebSocket endpoint using a known charging station identifier without proper authentication (CVE-2026-27772).</li>
<li><strong>Session Hijacking:</strong> The attacker exploits the lack of session expiration and predictable session identifiers to hijack a legitimate charging station&rsquo;s session (CVE-2026-26290).</li>
<li><strong>Data Manipulation:</strong> The attacker issues unauthorized OCPP commands, manipulating data sent to the backend and gaining unauthorized control of the charging infrastructure (CVE-2026-27772).</li>
<li><strong>Privilege Escalation:</strong> Through unauthorized access and command execution, the attacker escalates privileges to administrative control over the charging station (CVE-2026-27772).</li>
<li><strong>Denial-of-Service:</strong> Alternatively, the attacker floods the WebSocket API with excessive authentication requests, causing a denial-of-service condition by suppressing or misrouting legitimate charger telemetry (CVE-2026-24445).</li>
<li><strong>Service Disruption:</strong> Legitimate users are unable to use the charging stations due to the attacker&rsquo;s control or the denial-of-service condition.</li>
<li><strong>Network Data Corruption:</strong> The attacker manipulates charging network data reported to the backend, potentially impacting billing or grid management systems (CVE-2026-27772).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to significant disruptions in the Energy and Transportation Systems sectors. An attacker could gain administrative control over charging stations, manipulate charging processes, and cause denial-of-service conditions, rendering the stations unusable. The lack of vendor response further exacerbates the risk, leaving users without official patches or mitigation guidance. The compromise of charging network data could also have downstream impacts on billing and grid management systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement rate limiting on WebSocket authentication requests to mitigate CVE-2026-24445, preventing denial-of-service attacks. Monitor network traffic for excessive authentication attempts targeting OCPP WebSocket endpoints, and deploy a custom rule to detect such attempts.</li>
<li>Disable or restrict public access to web-based mapping platforms that expose charging station authentication identifiers to mitigate CVE-2026-25774. Conduct regular audits of publicly available information to identify and remove exposed credentials.</li>
<li>Deploy network segmentation and firewall rules to minimize network exposure for all charging station devices, as recommended by CISA. This will limit the attack surface and prevent unauthorized access from the Internet.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ev.energy</category><category>charging-station</category><category>ics</category><category>vulnerability</category><category>dos</category></item><item><title>Multiple Vulnerabilities in Chargemap Charging Stations</title><link>https://feed.craftedsignal.io/briefs/2026-02-chargemap-vulns/</link><pubDate>Thu, 26 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-chargemap-vulns/</guid><description>Unauthenticated attackers can exploit multiple vulnerabilities in Chargemap's charging stations, including missing authentication, improper authentication attempt restrictions, insufficient session expiration, and unprotected credentials, potentially leading to unauthorized control and denial-of-service.</description><content:encoded><![CDATA[<p>Chargemap chargemap.com is affected by multiple critical vulnerabilities that could allow attackers to gain unauthorized administrative control over charging stations or disrupt charging services. These vulnerabilities include missing authentication for critical functions (CVE-2026-25851), improper restriction of excessive authentication attempts (CVE-2026-20792), insufficient session expiration (CVE-2026-25711), and insufficiently protected credentials (CVE-2026-20791). The vulnerabilities affect all versions of Chargemap chargemap.com. These flaws exist within the WebSocket API and the handling of charging station identifiers. Successful exploitation can lead to privilege escalation, data corruption, session hijacking, and denial-of-service conditions. The affected infrastructure sectors include energy and transportation systems, with deployments worldwide.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a publicly accessible Chargemap charging station identifier via web-based mapping platforms (CVE-2026-20791).</li>
<li>Attacker connects to the OCPP WebSocket endpoint of the targeted charging station using the discovered identifier without authentication (CVE-2026-25851).</li>
<li>Attacker exploits the lack of authentication to impersonate a legitimate charger.</li>
<li>Attacker floods the WebSocket API with authentication requests, leveraging the absence of rate limiting to conduct a denial-of-service attack (CVE-2026-20792).</li>
<li>Attacker hijacks a legitimate charging station session due to insufficient session expiration and predictable session identifiers (CVE-2026-25711).</li>
<li>Attacker sends malicious commands to the backend, disrupting the charging process and potentially damaging connected vehicles.</li>
<li>Attacker manipulates data sent to the backend, corrupting charging network data and potentially causing billing errors or safety issues.</li>
<li>Attacker gains full administrative control over the charging station, enabling them to modify settings, disable functionality, or use it as a pivot point to attack other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could result in widespread disruption of electric vehicle charging services, financial losses due to manipulated charging data, and potential damage to connected vehicles. Given the global deployment of Chargemap, a successful attack could affect numerous users and organizations in the energy and transportation sectors. Attackers could remotely disable charging stations, manipulate pricing, or even cause physical damage to charging infrastructure. The lack of vendor response further exacerbates the potential impact, leaving users vulnerable without readily available patches or workarounds.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Minimize network exposure for Chargemap charging stations by ensuring they are not directly accessible from the internet as recommended by CISA.</li>
<li>Locate control system networks and remote devices behind firewalls, isolating them from business networks as per CISA guidance.</li>
<li>Monitor network traffic for excessive authentication attempts targeting Chargemap charging stations to detect potential denial-of-service attacks leveraging CVE-2026-20792. Implement rate limiting where possible.</li>
<li>Deploy the Sigma rule &ldquo;Detect Unauthenticated OCPP WebSocket Connections&rdquo; to identify unauthorized connections to charging stations exploiting CVE-2026-25851.</li>
<li>Contact Chargemap using their contact page (<a href="https://chargemap.com/en-us/support">https://chargemap.com/en-us/support</a>) to inquire about available patches or mitigations for these vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ics</category><category>ot</category><category>vulnerability</category><category>denial-of-service</category></item><item><title>Johnson Controls Frick Controls Quantum HD Multiple Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-02-quantum-hd-vulns/</link><pubDate>Thu, 26 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-quantum-hd-vulns/</guid><description>Multiple vulnerabilities in Johnson Controls, Inc. Frick Controls Quantum HD versions &lt;=10.22 can lead to pre-authentication remote code execution, information leak, or denial of service.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in Johnson Controls, Inc. Frick Controls Quantum HD versions 10.22 and earlier. These vulnerabilities, including CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, and CVE-2026-21660, can be exploited to achieve pre-authentication remote code execution, information leaks, or denial of service. Given that Frick Controls Quantum HD is deployed worldwide, particularly in the Food and Agriculture sector, these vulnerabilities pose a significant risk. Johnson Controls recommends upgrading to Quantum HD Unity, version 12 or higher, to mitigate these risks. Versions 10.22 through 11 are no longer supported.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Frick Controls Quantum HD device exposed to the network.</li>
<li>The attacker sends a specially crafted request to the device exploiting the input validation vulnerabilities (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658).</li>
<li>Due to the insufficient validation of input, the crafted request allows the attacker to inject malicious code into the system (CWE-78, CWE-94).</li>
<li>The injected code is executed by the device, granting the attacker unauthorized access.</li>
<li>The attacker leverages the code execution to perform further actions such as gaining access to sensitive information (information leak), or causing the device to crash (denial of service).</li>
<li>If successful RCE is achieved, the attacker may use this to move laterally within the OT network.</li>
<li>The attacker could then target other critical systems within the food and agriculture environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to severe consequences, especially in critical infrastructure sectors like Food and Agriculture. Attackers could remotely execute arbitrary code on the affected systems without authentication, potentially disrupting industrial processes, stealing sensitive data, or causing a complete shutdown of operations. With Quantum HD systems deployed globally, a widespread attack could affect numerous organizations, leading to significant financial losses and supply chain disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all Frick Controls Quantum HD devices to the latest platform, Quantum HD Unity, version 12 or higher, as recommended by Johnson Controls (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660).</li>
<li>After upgrading to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.</li>
<li>Monitor network traffic for suspicious requests targeting Frick Controls Quantum HD devices (Network Connection logs).</li>
<li>Refer to Johnson Controls Product Security Advisory JCI-PSA-2026-05 for more detailed mitigation instructions at <a href="https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories">https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories</a>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ics</category><category>ot</category><category>vulnerability</category></item><item><title>Copeland XWEB and XWEB Pro Multiple Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-02-copeland-xweb-vulns/</link><pubDate>Thu, 26 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-copeland-xweb-vulns/</guid><description>Multiple vulnerabilities in Copeland XWEB and XWEB Pro versions 1.12.1 and earlier could allow attackers to bypass authentication, inject commands, and execute arbitrary code, leading to complete system compromise.</description><content:encoded><![CDATA[<p>Copeland XWEB and XWEB Pro are web-enabled controllers used for managing refrigeration and HVAC systems in commercial facilities worldwide. CISA has released an advisory detailing multiple critical vulnerabilities affecting versions 1.12.1 and earlier of XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO. These vulnerabilities, including authentication bypasses (CVE-2026-25085, CVE-2026-21718), OS command injection flaws (CVE-2026-24663, CVE-2026-21389), and others, can be exploited to achieve unauthenticated remote code execution, denial-of-service, and information disclosure. The vulnerabilities pose a significant risk to organizations using these controllers, potentially leading to disruption of critical infrastructure, data breaches, and financial losses. Immediate patching is strongly advised.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a specially crafted request to the <code>/libraries/install</code> endpoint (CVE-2026-24663).</li>
<li>The request contains malicious input designed to inject OS commands.</li>
<li>The XWEB Pro application fails to properly sanitize the input.</li>
<li>The application executes the injected OS commands on the underlying system.</li>
<li>The attacker gains arbitrary code execution with the privileges of the web server process.</li>
<li>The attacker uses their initial access to further compromise the system.</li>
<li>The attacker may install malware, establish persistence, or move laterally to other systems on the network.</li>
<li>The final objective is to disrupt the managed refrigeration and HVAC systems by manipulating configuration or process control logic.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, cause a denial-of-service condition, cause memory corruption, and execute arbitrary code. Given the widespread use of Copeland XWEB and XWEB Pro in commercial facilities, a successful attack could disrupt critical refrigeration systems, potentially impacting food safety, pharmaceuticals, and other temperature-sensitive industries. A successful attack against these systems can allow a malicious actor to cause significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch Copeland XWEB Pro to the latest version by using the software update page: <a href="https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate">https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate</a>.</li>
<li>Monitor network traffic for unusual requests to the <code>/libraries/install</code> and <code>/contacts/import</code> endpoints, as these are targets for command injection (CVE-2026-24663, CVE-2026-21389).</li>
<li>Implement network segmentation to isolate XWEB Pro devices from other critical systems, limiting the potential impact of a successful exploit.</li>
<li>Deploy the following Sigma rules to detect exploitation attempts targeting these vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>copeland</category><category>xweb</category><category>vulnerability</category><category>ics</category></item></channel></rss>