{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/industrial-control-system/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2025-3756"}],"_cs_exploited":false,"_cs_products":["ABB System 800xA","Symphony Plus IEC 61850","S+ Operations","Symphony Plus SD Series CI850","Symphony Plus MR (Melody Rack) PM 877","AC800M Product line (System 800xA) CI868"],"_cs_severities":["medium"],"_cs_tags":["ics","denial-of-service","industrial-control-system","iec61850"],"_cs_type":"advisory","_cs_vendors":["ABB"],"content_html":"\u003cp\u003eABB System 800xA and Symphony Plus IEC 61850 products are vulnerable to a denial-of-service attack due to improper validation of input within the IEC 61850 communication stack. This affects specific modules within the AC800M, Symphony Plus SD Series, Symphony Plus MR, and S+ Operations product lines. An attacker with network access to the IEC 61850 network can exploit this vulnerability by sending a specially crafted 61850 packet. The exploitation leads to device faults in PM 877, CI850, and CI868 modules, requiring manual restarts, or causes unavailability of the S+ Operations 61850 connectivity due to communication driver crashes. The System 800xA IEC61850 Connect is not affected by this vulnerability. 
This issue was reported to ABB by Hitachi Energy and affects firmware versions prior to the patched releases detailed in ABB\u0026rsquo;s advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the targeted IEC 61850 network.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable ABB device (PM 877, CI850, CI868 modules, or S+ Operations node).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious IEC 61850 packet specifically designed to exploit the input validation vulnerability (CVE-2025-3756).\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted packet to the targeted vulnerable ABB device via the IEC 61850 network.\u003c/li\u003e\n\u003cli\u003eThe vulnerable device processes the malicious packet.\u003c/li\u003e\n\u003cli\u003eDue to the input validation flaw, the processing of the crafted packet triggers a fault condition in PM 877, CI850, or CI868 modules, or a crash in the S+ Operations IEC 61850 communication driver.\u003c/li\u003e\n\u003cli\u003eThe affected module or node becomes unavailable, resulting in a denial-of-service.\u003c/li\u003e\n\u003cli\u003eFor PM 877, CI850, and CI868 modules, manual restart of the device is required to restore functionality. S+ Operations requires restarting the IEC 61850 communication driver.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can disrupt critical industrial control processes. Affected sectors include Chemical, Critical Manufacturing, Energy, and Water/Wastewater. A successful attack can lead to temporary loss of control and monitoring capabilities, potentially causing process disruptions, safety incidents, or environmental damage. The vulnerability affects devices deployed worldwide. 
While the S+ Operations node\u0026rsquo;s overall functionality remains available, the loss of IEC 61850 communication can still impede operations relying on this protocol.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply vendor-provided patches to affected ABB System 800xA and Symphony Plus IEC 61850 products as soon as they are available. Refer to ABB\u0026rsquo;s advisory for specific version information and patch availability.\u003c/li\u003e\n\u003cli\u003eSegment and isolate IEC 61850 networks using firewalls to prevent unauthorized access and lateral movement. Implement strict access control policies to limit access to these networks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious IEC 61850 packets that may indicate exploitation attempts. Create network connection rules to only allow traffic from known good IEC 61850 clients.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious IEC 61850 Traffic\u0026rdquo; to detect potential exploitation attempts based on unexpected network activity.\u003c/li\u003e\n\u003cli\u003eEnable and review firewall logs to identify and block potentially malicious traffic attempting to reach vulnerable ABB devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-abb-iec61850-dos/","summary":"A vulnerability in ABB's IEC 61850 communication stack allows a remote attacker with access to the IEC 61850 network to cause a denial-of-service condition by sending a specially crafted packet, leading to device faults or communication driver crashes.","title":"ABB System 800xA and Symphony Plus IEC 61850 Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-abb-iec61850-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2018-1002208"}],"_cs_exploited":false,"_cs_products":["ABB 
PCM600"],"_cs_severities":["medium"],"_cs_tags":["ics","path traversal","industrial control system"],"_cs_type":"advisory","_cs_vendors":["ABB"],"content_html":"\u003cp\u003eABB PCM600 versions 1.5 through 2.13 are vulnerable to a path traversal flaw (CVE-2018-1002208) within the SharpZip.dll library. Successful exploitation enables a local attacker with low privileges to execute arbitrary code on the affected system. This vulnerability resides in the software used to configure and manage protection and control IEDs (Intelligent Electronic Devices) in critical infrastructure sectors, specifically critical manufacturing. ABB recommends updating to PCM600 version 2.14 to remediate this vulnerability. The vulnerability was reported to CISA by ABB PSIRT.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privilege access to the target system running a vulnerable ABB PCM600 version.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious message containing a path traversal payload designed to exploit CVE-2018-1002208.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted message to the system node, targeting the vulnerable SharpZip.dll.\u003c/li\u003e\n\u003cli\u003eThe SharpZip.dll processes the message without properly sanitizing the provided path.\u003c/li\u003e\n\u003cli\u003eThe path traversal vulnerability allows the attacker to write arbitrary files to locations outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file write capability to place a malicious executable or library in a trusted location.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the malicious code, achieving arbitrary code execution on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as escalating privileges, installing malware, or disrupting industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-1002208 can lead to arbitrary code execution on systems running vulnerable ABB PCM600 versions within critical manufacturing environments. The advisory gives no victim counts, but because PCM600 is the engineering tool that configures and manages protection and control IEDs, code execution on its host puts the relays it manages within reach. A successful attack could disrupt manufacturing processes, cause equipment damage, or lead to data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to ABB Protection and control IED manager PCM600 version 2.14 to address CVE-2018-1002208 as per the vendor\u0026rsquo;s recommendation.\u003c/li\u003e\n\u003cli\u003eIf using RE_630 protection relays with older PCM600 versions, implement system-level defenses as described in ABB\u0026rsquo;s security advisory 2NGA002813.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet, as recommended by CISA.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events on PCM600 hosts for paths that contain traversal sequences such as ../ or that land outside the directory an archive is being extracted to; such writes may indicate attempts to exploit CVE-2018-1002208.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-abb-pcm600-path-traversal/","summary":"A path traversal vulnerability in ABB PCM600 versions 1.5 to 2.13 (CVE-2018-1002208) allows a local attacker with low privileges to execute arbitrary code by sending a specially crafted message to the system node.","title":"ABB PCM600 Path Traversal Vulnerability 
(CVE-2018-1002208)","url":"https://feed.craftedsignal.io/briefs/2026-04-abb-pcm600-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40434"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-40434","tcp-injection","industrial-control-system"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAnviz CrossChex Standard is vulnerable to TCP packet injection due to a lack of source verification in the client/server communication channel. This vulnerability, identified as CVE-2026-40434, allows an attacker on the same network to inject malicious TCP packets, potentially leading to alteration or disruption of application traffic. The affected software is CrossChex Standard. This vulnerability was reported by ICS-CERT. Successful exploitation can allow an attacker to manipulate user data, disable devices, or gain unauthorized access to the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the same network as the Anviz CrossChex Standard client and server.\u003c/li\u003e\n\u003cli\u003eThe attacker passively monitors network traffic between the client and server to understand the communication protocol.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious TCP packets designed to exploit the lack of source verification.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted packets into the communication stream between the client and the server.\u003c/li\u003e\n\u003cli\u003eThe injected packets are processed by the CrossChex server without proper authentication or validation of the source.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify user data, such as access control lists or time attendance records.\u003c/li\u003e\n\u003cli\u003eThe attacker can disrupt application functionality by sending packets that cause errors or disable devices.\u003c/li\u003e\n\u003cli\u003eThe attacker 
can potentially gain unauthorized access to sensitive information or system resources by exploiting the altered application state.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40434 can lead to unauthorized modification of user data, denial of service, and potentially unauthorized access to the CrossChex Standard system. An attacker could manipulate employee time attendance records, grant unauthorized access to restricted areas, or disable critical security features. This can have significant implications for organizations relying on CrossChex Standard for access control and time management, especially for those in critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for suspicious TCP packets originating from unexpected sources on the same network as CrossChex servers, and alert when detected.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate CrossChex servers and clients from untrusted network segments.\u003c/li\u003e\n\u003cli\u003eRefer to the ICS-CERT advisory (\u003ca href=\"https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03\"\u003ehttps://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03\u003c/a\u003e) for mitigation guidance and updates.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:36Z","date_published":"2026-04-17T20:16:36Z","id":"/briefs/2026-04-anviz-crosschex-tcp-injection/","summary":"Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.","title":"Anviz CrossChex Standard TCP Packet Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-anviz-crosschex-tcp-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33892"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-33892","authentication-bypass","industrial-control-system","edge-management"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn authentication bypass vulnerability rated high severity (CVSS 7.1), CVE-2026-33892, affects Industrial Edge Management Pro V1 (versions \u0026gt;= V1.7.6 and \u0026lt; V1.15.17), Industrial Edge Management Pro V2 (versions \u0026gt;= V2.0.0 and \u0026lt; V2.1.1), and Industrial Edge Management Virtual (versions \u0026gt;= V2.2.0 and \u0026lt; V2.8.0). The flaw stems from a failure to properly enforce user authentication on remote connections to managed devices. An unauthenticated attacker can exploit this vulnerability to circumvent authentication and impersonate a legitimate user, potentially gaining unauthorized access to and control over the affected devices. Successful exploitation requires the attacker to discover the header and port used for remote connections, and the remote connection feature must be enabled on the targeted device. Exploitation gives the attacker the remote connection to the device; security features implemented on the device itself, such as application-specific authentication, remain in force.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Industrial Edge Management Pro or Virtual instance.\u003c/li\u003e\n\u003cli\u003eThe attacker probes the target system to identify the header and port used for remote connections to managed devices. 
This may involve network scanning or analyzing network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2026-33892 by crafting a malicious request that bypasses authentication, impersonating a legitimate user. This request is sent to the identified port using the specific header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable system accepts the unauthenticated request due to the improper enforcement of user authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a tunnel to the targeted managed device.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the managed device, potentially allowing them to execute commands or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the tunneled connection to further compromise the device or network.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s final objective depends on their motives, potentially involving data exfiltration, disruption of services, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33892 can lead to complete compromise of Industrial Edge Management systems and the managed devices connected to them. This could enable attackers to disrupt critical industrial processes, steal sensitive data, or launch further attacks within the affected network. The lack of proper authentication enforcement allows an attacker to impersonate legitimate users, granting them elevated privileges and potentially unrestricted access to the compromised system and devices. 
The severity of the impact depends on the criticality of the managed devices and the data they handle.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Industrial Edge Management Pro V1 to a version \u0026gt;= V1.15.17, Pro V2 to a version \u0026gt;= V2.1.1, and Virtual to a version \u0026gt;= V2.8.0 to patch CVE-2026-33892, as outlined in the product\u0026rsquo;s security advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious connections to Industrial Edge Management systems on non-standard ports, using the provided network_connection Sigma rule to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate Industrial Edge Management systems and managed devices from other parts of the network, limiting the potential impact of a successful exploit.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong authentication policies on the managed devices themselves to mitigate the risk of unauthorized access even if the Industrial Edge Management system is compromised.\u003c/li\u003e\n\u003cli\u003eEnable and review logs from Industrial Edge Management systems, focusing on authentication attempts and remote connection activity, to detect and respond to suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T09:16:36Z","date_published":"2026-04-14T09:16:36Z","id":"/briefs/2026-04-industrial-edge-auth-bypass/","summary":"CVE-2026-33892 allows an unauthenticated remote attacker to bypass authentication and impersonate a legitimate user in affected Industrial Edge Management Pro and Virtual versions by exploiting improper enforcement of user authentication on remote connections to devices, potentially enabling unauthorized access and control.","title":"Industrial Edge Management Authentication Bypass Vulnerability 
(CVE-2026-33892)","url":"https://feed.craftedsignal.io/briefs/2026-04-industrial-edge-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-4436"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","modbus","industrial-control-system","odorant-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4436 is a vulnerability affecting systems that use Modbus for controlling odorant injection in gas lines. A low-privileged remote attacker can exploit this vulnerability by sending crafted Modbus packets to manipulate register values that serve as inputs to the odorant injection logic. This can result in either too much or too little odorant being injected into the gas line, which can have severe safety and operational consequences. The vulnerability was reported by ICS-CERT and affects systems utilizing Modbus protocol for industrial control. Successful exploitation requires network access to the Modbus interface but does not require authentication due to missing authentication controls (CWE-306).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the Modbus interface of the odorant injection system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the Modbus registers responsible for controlling odorant injection parameters.\u003c/li\u003e\n\u003cli\u003eAttacker crafts Modbus packets designed to modify the identified registers.\u003c/li\u003e\n\u003cli\u003eAttacker sends the malicious Modbus packets to the target system.\u003c/li\u003e\n\u003cli\u003eThe system processes the packets and modifies the register values.\u003c/li\u003e\n\u003cli\u003eOdorant injection logic uses the manipulated register values.\u003c/li\u003e\n\u003cli\u003eThe system injects either too much or too little odorant into the gas line.\u003c/li\u003e\n\u003cli\u003eThe altered odorant level creates potentially hazardous 
conditions or operational disruptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4436 can lead to dangerous situations due to incorrect odorant levels in gas lines. Too little odorant can make gas leaks undetectable, increasing the risk of explosions. Conversely, too much odorant can cause health concerns and damage equipment. The potential impact ranges from localized safety incidents to widespread disruptions in gas distribution, affecting residential, commercial, and industrial sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAddress the missing authentication (CWE-306, Missing Authentication for Critical Function) called out in the CVE description. Plain Modbus/TCP has no authentication of its own, so in practice this means restricting write access to the controller to an allowlist of engineering and HMI hosts at the firewall and, where the device supports it, moving to Modbus/TCP Security, which runs Modbus over TLS with certificate-based client authentication.\u003c/li\u003e\n\u003cli\u003eMonitor Modbus traffic for unexpected register writes (function codes 05, 06, 15, 16, 22 and 23), in particular writes to the registers that feed the odorant injection logic or writes from hosts other than the known writers, using a Sigma rule targeting Modbus write operations; tune it to your environment so that routine engineering and HMI writes do not alert.\u003c/li\u003e\n\u003cli\u003eSegment the network to isolate the Modbus devices from untrusted networks to limit the attack surface, as the vulnerability can be exploited remotely.\u003c/li\u003e\n\u003cli\u003eReference ICS-CERT advisory ICSA-26-099-02 for vendor-specific patches and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T20:16:27Z","date_published":"2026-04-09T20:16:27Z","id":"/briefs/2026-04-modbus-injection/","summary":"A low-privileged remote attacker can exploit CVE-2026-4436 by sending Modbus packets to manipulate register values controlling odorant injection in gas lines, potentially leading to hazardous conditions.","title":"CVE-2026-4436: Modbus Odorant Injection 
Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-04-modbus-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-13926"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2025-13926","basc-20t","packet-forging","industrial-control-system"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-13926 is a critical vulnerability affecting Contemporary Controls BASC 20T. An attacker can exploit this vulnerability by capturing network traffic and forging packets, enabling them to send arbitrary requests to the device. This is achieved by sniffing network traffic, extracting necessary data for packet construction, and then crafting malicious packets to interact with the BASC 20T. The vulnerability has a CVSS v3.1 score of 9.8 and a CVSS v4.0 score of 9.3, highlighting the severity and potential impact. Successful exploitation could lead to unauthorized access, modification of settings, or disruption of operations managed by the BASC 20T. 
This vulnerability was reported by ICS-CERT and assigned CWE-807, which describes reliance on untrusted inputs in a security decision.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker performs network reconnaissance to identify a vulnerable Contemporary Controls BASC 20T device.\u003c/li\u003e\n\u003cli\u003eAttacker passively sniffs network traffic to and from the BASC 20T device.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes captured network packets to understand the communication protocol and packet structure used by the BASC 20T.\u003c/li\u003e\n\u003cli\u003eAttacker identifies fields within the packets that can be manipulated to achieve the desired malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a forged packet with modified fields to perform an arbitrary request (e.g., changing settings, issuing commands).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the forged packet into the network, targeting the BASC 20T device.\u003c/li\u003e\n\u003cli\u003eThe BASC 20T processes the forged packet without proper validation, executing the attacker\u0026rsquo;s arbitrary request.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized control or access to the BASC 20T, potentially disrupting operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-13926 allows an attacker to make arbitrary requests to the Contemporary Controls BASC 20T. This could lead to unauthorized modification of device settings, disruption of critical control processes, or potentially complete device compromise. 
The affected BASC 20T devices are often used in industrial control systems (ICS), so a successful attack could have significant consequences for the targeted organization, including operational downtime, equipment damage, or safety hazards.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections to and from Contemporary Controls BASC 20T devices for unusual patterns or malformed packets, including requests from hosts that have not previously communicated with the device.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential compromise; because the attacker must first sniff legitimate traffic to build forged packets, keeping the BASC 20T on a segment that untrusted hosts cannot observe denies them the vantage point the attack needs.\u003c/li\u003e\n\u003cli\u003eDeploy Sigma rules to detect suspicious network activity related to forged packets targeting BASC 20T devices.\u003c/li\u003e\n\u003cli\u003eContact Contemporary Controls for available patches or mitigations for CVE-2025-13926.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T20:16:23Z","date_published":"2026-04-09T20:16:23Z","id":"/briefs/2026-04-basc-20t-packet-forging/","summary":"CVE-2025-13926 describes a vulnerability in Contemporary Controls BASC 20T that allows an attacker to sniff network traffic and forge packets to make arbitrary requests, potentially leading to unauthorized actions.","title":"Contemporary Controls BASC 20T Packet Forging Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-basc-20t-packet-forging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["plc","denial-of-service","industrial-control-system","modicon"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, Team82 disclosed vulnerabilities affecting Schneider Electric\u0026rsquo;s Modicon M241, M251, and M262 programmable logic controllers (PLCs). 
These vulnerabilities, if exploited, can lead to a denial-of-service (DoS) condition, impacting the availability of the controller and potentially disrupting industrial processes. The Schneider Electric advisory SEVD-2026-069-01 addresses these issues, which were discovered by Claroty\u0026rsquo;s Team82. Successful exploitation could halt critical operations controlled by these PLCs, affecting various industrial sectors that rely on Schneider Electric\u0026rsquo;s automation solutions. Defenders should review the advisory and implement recommended mitigations to prevent potential disruptions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the limited details in the source, the following attack chain is based on common PLC DoS attack vectors:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies a Modicon PLC M241/M251/M262 on the target network, potentially through network scanning or passive reconnaissance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains unauthorized access to the PLC\u0026rsquo;s network, potentially through exploiting weak credentials, network misconfigurations, or vulnerabilities in related systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProtocol Exploitation:\u003c/strong\u003e The attacker leverages a vulnerability in the Modbus or other industrial protocol used by the PLC for communication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Command Injection:\u003c/strong\u003e The attacker crafts and sends a series of specially crafted Modbus commands designed to overload the PLC\u0026rsquo;s processing capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Exhaustion:\u003c/strong\u003e The PLC attempts to process the malicious commands, leading to excessive CPU utilization, memory exhaustion, or other resource 
depletion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial-of-Service:\u003c/strong\u003e The PLC becomes unresponsive and unable to execute its control logic, resulting in a denial-of-service condition. This affects the industrial process relying on the PLC.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess Disruption:\u003c/strong\u003e The industrial process controlled by the PLC halts or malfunctions due to the loss of control signals, leading to potential safety hazards, production losses, or equipment damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities results in a denial-of-service condition on the affected Schneider Electric Modicon PLCs. This can lead to disruption of industrial processes, potential equipment damage, and safety hazards. The exact impact depends on the specific application and the criticality of the controlled processes. Given the wide adoption of Modicon PLCs across various sectors, a successful attack could impact numerous organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview Schneider Electric\u0026rsquo;s advisory SEVD-2026-069-01 for detailed vulnerability information and recommended mitigations.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate PLCs and other critical industrial control systems.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious Modbus commands or other anomalous communication patterns related to the Modicon PLCs using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eRegularly audit and update PLC firmware to patch known vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T19:15:23Z","date_published":"2026-03-23T19:15:23Z","id":"/briefs/2024-05-modicon-dos/","summary":"Team82 disclosed vulnerabilities in Schneider Electric Modicon Controllers M241, M251, 
and M262 PLC lines, which can allow an attacker to cause a denial-of-service condition and affect controller availability.","title":"Schneider Electric Modicon PLC Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-05-modicon-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Industrial Control System","version":"https://jsonfeed.org/version/1.1"}
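The CVE-2026-4436 brief and the Modicon brief above both recommend watching Modbus traffic for unexpected write operations. The following is an added example of that detection, not code from the feed, from ICS-CERT or from any vendor: it parses raw Modbus/TCP frames (MBAP header plus PDU), picks out the state-changing function codes, and alerts when a write comes from a host that is not on the allowlist or lands in a register range assumed to feed the odorant injection logic. The IP addresses, the register range 100-119 and the sample frames are all constructed for illustration.

```python
"""Modbus/TCP write detection over constructed sample frames.

Added example for the CVE-2026-4436 and Modicon briefs; not code from the
feed, from ICS-CERT or from any vendor. Hosts, register range and frames
are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change controller state (from the public Modbus spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # first coil/register a write touches, else None
    count: Optional[int]


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and enough of the PDU to locate writes."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function, pdu = frame[7], frame[8:]
    address = count = None
    if function in (0x05, 0x06, 0x16):
        address, count = struct.unpack(">H", pdu[:2])[0], 1
    elif function in (0x0F, 0x10):
        address, count = struct.unpack(">HH", pdu[:4])
    elif function == 0x17:  # read addr, read count, write addr, write count
        _, _, address, count = struct.unpack(">HHHH", pdu[:8])
    return ModbusRequest(tid, unit, function, address, count)


def classify_write(src_ip, frame, allowed_writers, protected_range):
    """Return an alert string for a suspicious write request, or None."""
    req = parse_modbus_tcp(frame)
    if req.function not in WRITE_FUNCTIONS:
        return None
    reasons = []
    if src_ip not in allowed_writers:
        reasons.append(f"writer {src_ip} is not on the allowlist")
    lo, hi = protected_range
    if req.address <= hi and req.address + req.count - 1 >= lo:
        reasons.append(f"write overlaps protected registers {lo}-{hi}")
    if not reasons:
        return None
    return (f"{WRITE_FUNCTIONS[req.function]} unit={req.unit_id} "
            f"addr={req.address} count={req.count}: " + "; ".join(reasons))


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend an MBAP header; used only to build the sample frames below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic as (source IP, raw Modbus/TCP frame).
SAMPLES = [
    ("10.0.5.20", mbap(1, 1, struct.pack(">BHH", 0x03, 100, 10))),  # HMI polls registers
    ("10.0.5.20", mbap(2, 1, struct.pack(">BHH", 0x06, 300, 1))),   # HMI write outside setpoints
    ("10.0.5.77", mbap(3, 1, struct.pack(">BHHB", 0x10, 104, 2, 4) + b"\x00\x50\x00\x00")),  # unknown host
    ("10.0.5.10", mbap(4, 1, struct.pack(">BHH", 0x06, 110, 7))),   # engineering host edits a setpoint
]
ALLOWED_WRITERS = {"10.0.5.10", "10.0.5.20"}
ODORANT_SETPOINT_REGISTERS = (100, 119)  # assumed range feeding the injection logic


def run_samples() -> list:
    """Classify every sample frame and return the alerts raised, in order."""
    alerts = []
    for src, frame in SAMPLES:
        alert = classify_write(src, frame, ALLOWED_WRITERS, ODORANT_SETPOINT_REGISTERS)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Run as a script it prints two alerts: the Write Multiple Registers from 10.0.5.77 (unknown host and protected range) and the Write Single Register to register 110 from the engineering host (protected range only). The second is the tuning case the recommendation mentions: an allowlisted host changing a setpoint is legitimate during commissioning, so in production you would route it to a review queue rather than an incident.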
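The PCM600 brief above describes a path traversal flaw in SharpZip.dll that lets an attacker write files outside the intended directory, the archive-extraction traversal class known as Zip Slip. As an added example, not code from ABB, from SharpZipLib or from the feed, the block below shows the check a hardened extractor has to make for every entry name before it opens an output file, and runs it over an in-memory archive constructed here with both benign and traversal entries.

```python
"""Archive path-traversal (Zip Slip) audit, the flaw class behind CVE-2018-1002208.

Added example for the PCM600 brief; not code from ABB, from SharpZipLib or
from the feed. The archive and its entry names are constructed in memory.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, Optional


def safe_destination(extract_root: str, entry_name: str) -> Optional[str]:
    """Resolve entry_name under extract_root, or return None if it escapes.

    This is the check a hardened extractor performs before opening an entry's
    output file: normalise separators, refuse absolute paths, then confirm the
    fully resolved path still lies inside the extraction root.
    """
    root = os.path.realpath(extract_root)
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None  # absolute POSIX path or Windows drive path
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None  # '..' components climbed above the root
    return candidate


def audit_archive(zip_bytes: bytes, extract_root: str) -> Dict[str, Optional[str]]:
    """Map every entry name to its resolved destination, or None when rejected."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdicts[info.filename] = safe_destination(extract_root, info.filename)
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed archive mixing benign entries with traversal payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/relay.xml", "<ied/>")             # benign
        zf.writestr("sub/../ok.txt", "resolves inside root")   # benign after normalisation
        zf.writestr("../../evil.dll", "climbs two levels")
        zf.writestr("sub/../../escape.txt", "climbs one level past root")
        zf.writestr("/etc/cron.d/job", "absolute path")
        zf.writestr("..\\..\\evil2.dll", "backslash traversal")
    return buf.getvalue()


def run_audit() -> Dict[str, bool]:
    """Audit the sample archive against a throwaway extraction root."""
    with tempfile.TemporaryDirectory(prefix="pcm600_extract_") as root:
        verdicts = audit_archive(build_sample_archive(), root)
    return {name: dest is not None for name, dest in verdicts.items()}


if __name__ == "__main__":
    for name, ok in run_audit().items():
        print(("extract " if ok else "REJECT  ") + name)
```

Two of the six entries pass; the four traversal variants are rejected before anything touches the filesystem. CPython's own zipfile.extract() strips drive letters, leading separators and ".." components itself, so this check matters for extractors that write entries by hand (the situation in a library-level Zip Slip bug) and as a pre-flight audit of an archive before it reaches code you do not control.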