Threat Feed

Tag

OT

9 briefs
high threat

Multiple Critical Vulnerabilities in Siemens SCALANCE Industrial Network Products, Including Unpatched Devices

Multiple high-severity vulnerabilities, including CVE-2025-15467, affect various Siemens SCALANCE LPE, M, W, and X series industrial network devices, potentially allowing a remote attacker to achieve arbitrary code execution, provoke a denial of service, or compromise data confidentiality, with some products confirmed to receive no future patches.

SCALANCE LPE9413 +99 industrial_control_systems ics_scada vulnerability siemens network_device ot
3r 4t 1c
critical advisory

Siemens SENTRON 7KT PAC1261 Data Manager Request Smuggling Vulnerability

A request smuggling vulnerability exists in Siemens SENTRON 7KT PAC1261 Data Manager before V2.1.0, due to the web server improperly accepting a bare LF as a line terminator in chunked data chunk-size lines, potentially allowing an attacker to retrieve authorization tokens and gain administrative control over the device.

SENTRON 7KT PAC1261 Data Manager request-smuggling cve-2025-22871 siemens ot
1r 1t 1c
medium advisory

Schneider Electric Security Advisory AV26-449 Addressing Multiple Vulnerabilities

Schneider Electric published advisories on May 12, 2026, addressing vulnerabilities in multiple products, including EcoStruxure Machine Expert HVAC, Easergy MiCOM C264, Easergy C5, Easergy MiCOM P30, Easergy MiCOM P40, EcoStruxure Power Automation System, iPMFLS, PowerLogic, Saitel DP, EasyLogic T150, EasyLogic T150 Remote Terminal Unit and Controller, Saitel DP Remote Terminal Unit and Controller, EcoStruxure Panel Server PAS400, PAS600, PAS600V2, PAS800, PAS800V2, and Easergy MiCOM Px40 Series. The vulnerabilities relate to cleartext storage, insufficient entropy, improper path restrictions, and insecure defaults.

Ecostruxure Machine Expert HVAC +17 vulnerability scada ics ot
2r
medium advisory

Threat Actors Use Claude AI to Target Water Utility OT Assets

An unidentified threat actor used Claude AI to identify and target a vNode SCADA/IIoT management interface at a Mexican water utility between December 2025 and February 2026, ultimately failing to gain access.

AI OT SCADA password-spraying reconnaissance
2r 2t
medium advisory

CISA ICS Advisories Addressing ABB and NSA Products

CISA published ICS advisories addressing vulnerabilities in multiple ABB products including AWIN Gateways, Ability OPTIMAX, Symphony Plus Engineering, Edgenius Management Portal, PCM600, System 800xA, Symphony Plus IEC 61850, and NSA GRASSMARLIN, prompting users to apply mitigations and updates.

AWIN Gateways +7 ics vulnerability abb nsa ot
2r
high advisory

Hardcoded Storage Credentials in Mobile App and Device Firmware (CVE-2025-10681)

CVE-2025-10681 describes a vulnerability where hardcoded storage credentials in a mobile app and device firmware, with inadequate permission limits and lack of expiration, could lead to unauthorized access to production storage containers.

cve-2025-10681 hardcoded-credentials ics-cert ot
2r 1t 1c
high advisory

CODESYS Control Runtime System Audit Log DoS Vulnerability (CVE-2026-3509)

An unauthenticated remote attacker can exploit CVE-2026-3509 in the CODESYS Control runtime system to control the format string of messages processed by the Audit Log, leading to a denial-of-service (DoS) condition.

codesys dos cve-2026-3509 ics ot
2r 1t
critical advisory

Multiple Vulnerabilities in Chargemap Charging Stations

Unauthenticated attackers can exploit multiple vulnerabilities in Chargemap's charging stations, including missing authentication, improper authentication attempt restrictions, insufficient session expiration, and unprotected credentials, potentially leading to unauthorized control and denial-of-service.

ics ot vulnerability denial-of-service
2r 5t 1i
critical advisory

Johnson Controls Frick Controls Quantum HD Multiple Vulnerabilities

Multiple vulnerabilities in Johnson Controls, Inc. Frick Controls Quantum HD versions <=10.22 can lead to pre-authentication remote code execution, information leak, or denial of service.

ics ot vulnerability
2r 4t