{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ot/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2025-10681"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2025-10681","hardcoded-credentials","ics-cert","ot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-10681 exposes a critical vulnerability stemming from the presence of hardcoded storage credentials within a mobile application and its corresponding device firmware. These credentials, unfortunately, lack sufficient restrictions on end-user permissions and are not configured to expire after a reasonable period. The affected systems are not explicitly mentioned, but the advisory was published by ICS-CERT implying the vulnerability exists within an Industrial Control System or similar operational technology environment. This flaw allows a malicious actor to bypass standard authentication mechanisms and directly access sensitive data stored within production storage containers, potentially causing significant data breaches and operational disruption. Defenders should prioritize identifying devices using default credentials, especially in OT environments where a compromise could have physical consequences.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the mobile application or device firmware through reverse engineering or by acquiring a compromised device.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the hardcoded storage credentials from the mobile app or firmware.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the extracted credentials to authenticate directly with the production storage container.\u003c/li\u003e\n\u003cli\u003eDue to the lack of adequate permission restrictions, the attacker gains read/write access to sensitive data within the storage container.\u003c/li\u003e\n\u003cli\u003eAttacker accesses sensitive data like configurations, process data, or customer data.\u003c/li\u003e\n\u003cli\u003eAttacker modifies sensitive data like configurations causing a denial of service, or operational disruption.\u003c/li\u003e\n\u003cli\u003eAttacker gains complete control over the storage container and potentially linked resources.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or uses it to further compromise the ICS/OT environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-10681 could lead to unauthorized access to critical production data, system configurations, and potentially other sensitive information. Depending on the scope of the storage container\u0026rsquo;s access, attackers could disrupt industrial processes, steal intellectual property, or hold data for ransom. Since this vulnerability relates to ICS/OT environments, compromise of production data could lead to equipment damage, environmental hazards, or safety issues.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the detection rule \u003ccode\u003eDetect Hardcoded Credentials in Mobile App/Firmware Unpacking\u003c/code\u003e to detect attempts to unpack or analyze application binaries or firmware images that may contain hardcoded credentials (logsource: file_event, process_creation).\u003c/li\u003e\n\u003cli\u003eExamine network traffic for authentication attempts to storage resources using unusual user agents or originating from unusual IP addresses that might indicate credential compromise, using the detection rule \u003ccode\u003eDetect Unusual Authentication to Storage Resources\u003c/code\u003e. (logsource: network_connection)\u003c/li\u003e\n\u003cli\u003eReview and update mobile application and device firmware development practices to eliminate the use of hardcoded credentials, referencing CWE-798 (Use of Hard-coded Credentials).\u003c/li\u003e\n\u003cli\u003eMonitor file access and modifications to production storage containers, looking for unusual activity that might indicate unauthorized access following exploitation of CVE-2025-10681 (logsource: file_event).\u003c/li\u003e\n\u003cli\u003eUse vulnerability scanning tools to identify devices and applications vulnerable to CVE-2025-10681.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T21:17:08Z","date_published":"2026-04-03T21:17:08Z","id":"/briefs/2026-04-hardcoded-credentials/","summary":"CVE-2025-10681 describes a vulnerability where hardcoded storage credentials in a mobile app and device firmware, with inadequate permission limits and lack of expiration, could lead to unauthorized access to production storage containers.","title":"Hardcoded Storage Credentials in Mobile App and Device Firmware (CVE-2025-10681)","url":"https://feed.craftedsignal.io/briefs/2026-04-hardcoded-credentials/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["codesys","dos","cve-2026-3509","ics","ot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3509 describes a format string vulnerability within the Audit Log of the CODESYS Control runtime system. This vulnerability allows an unauthenticated remote attacker to influence the format string of messages processed by the affected system. Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition, impacting the availability of the CODESYS Control runtime system. The vulnerability was reported on March 24, 2026. CODESYS is a popular development…\u003c/p\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-codesys-dos/","summary":"An unauthenticated remote attacker can exploit CVE-2026-3509 in the CODESYS Control runtime system to control the format string of messages processed by the Audit Log, leading to a denial-of-service (DoS) condition.","title":"CODESYS Control Runtime System Audit Log DoS Vulnerability (CVE-2026-3509)","url":"https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ics","ot","vulnerability","denial-of-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChargemap chargemap.com is affected by multiple critical vulnerabilities that could allow attackers to gain unauthorized administrative control over charging stations or disrupt charging services. These vulnerabilities include missing authentication for critical functions (CVE-2026-25851), improper restriction of excessive authentication attempts (CVE-2026-20792), insufficient session expiration (CVE-2026-25711), and insufficiently protected credentials (CVE-2026-20791). The vulnerabilities affect all versions of Chargemap chargemap.com.  These flaws exist within the WebSocket API and the handling of charging station identifiers. Successful exploitation can lead to privilege escalation, data corruption, session hijacking, and denial-of-service conditions. The affected infrastructure sectors include energy and transportation systems, with deployments worldwide.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a publicly accessible Chargemap charging station identifier via web-based mapping platforms (CVE-2026-20791).\u003c/li\u003e\n\u003cli\u003eAttacker connects to the OCPP WebSocket endpoint of the targeted charging station using the discovered identifier without authentication (CVE-2026-25851).\u003c/li\u003e\n\u003cli\u003eAttacker exploits the lack of authentication to impersonate a legitimate charger.\u003c/li\u003e\n\u003cli\u003eAttacker floods the WebSocket API with authentication requests, leveraging the absence of rate limiting to conduct a denial-of-service attack (CVE-2026-20792).\u003c/li\u003e\n\u003cli\u003eAttacker hijacks a legitimate charging station session due to insufficient session expiration and predictable session identifiers (CVE-2026-25711).\u003c/li\u003e\n\u003cli\u003eAttacker sends malicious commands to the backend, disrupting the charging process and potentially damaging connected vehicles.\u003c/li\u003e\n\u003cli\u003eAttacker manipulates data sent to the backend, corrupting charging network data and potentially causing billing errors or safety issues.\u003c/li\u003e\n\u003cli\u003eAttacker gains full administrative control over the charging station, enabling them to modify settings, disable functionality, or use it as a pivot point to attack other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in widespread disruption of electric vehicle charging services, financial losses due to manipulated charging data, and potential damage to connected vehicles. Given the global deployment of Chargemap, a successful attack could affect numerous users and organizations in the energy and transportation sectors. Attackers could remotely disable charging stations, manipulate pricing, or even cause physical damage to charging infrastructure.  The lack of vendor response further exacerbates the potential impact, leaving users vulnerable without readily available patches or workarounds.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMinimize network exposure for Chargemap charging stations by ensuring they are not directly accessible from the internet as recommended by CISA.\u003c/li\u003e\n\u003cli\u003eLocate control system networks and remote devices behind firewalls, isolating them from business networks as per CISA guidance.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for excessive authentication attempts targeting Chargemap charging stations to detect potential denial-of-service attacks leveraging CVE-2026-20792. Implement rate limiting where possible.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated OCPP WebSocket Connections\u0026rdquo; to identify unauthorized connections to charging stations exploiting CVE-2026-25851.\u003c/li\u003e\n\u003cli\u003eContact Chargemap using their contact page (\u003ca href=\"https://chargemap.com/en-us/support\"\u003ehttps://chargemap.com/en-us/support\u003c/a\u003e) to inquire about available patches or mitigations for these vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-26T12:00:00Z","date_published":"2026-02-26T12:00:00Z","id":"/briefs/2026-02-chargemap-vulns/","summary":"Unauthenticated attackers can exploit multiple vulnerabilities in Chargemap's charging stations, including missing authentication, improper authentication attempt restrictions, insufficient session expiration, and unprotected credentials, potentially leading to unauthorized control and denial-of-service.","title":"Multiple Vulnerabilities in Chargemap Charging Stations","url":"https://feed.craftedsignal.io/briefs/2026-02-chargemap-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ics","ot","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in Johnson Controls, Inc. Frick Controls Quantum HD versions 10.22 and earlier. These vulnerabilities, including CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, and CVE-2026-21660, can be exploited to achieve pre-authentication remote code execution, information leaks, or denial of service. Given that Frick Controls Quantum HD is deployed worldwide, particularly in the Food and Agriculture sector, these vulnerabilities pose a significant risk. Johnson Controls recommends upgrading to Quantum HD Unity, version 12 or higher, to mitigate these risks. Versions 10.22 through 11 are no longer supported.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Frick Controls Quantum HD device exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted request to the device exploiting the input validation vulnerabilities (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658).\u003c/li\u003e\n\u003cli\u003eDue to the insufficient validation of input, the crafted request allows the attacker to inject malicious code into the system (CWE-78, CWE-94).\u003c/li\u003e\n\u003cli\u003eThe injected code is executed by the device, granting the attacker unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to perform further actions such as gaining access to sensitive information (information leak), or causing the device to crash (denial of service).\u003c/li\u003e\n\u003cli\u003eIf successful RCE is achieved, the attacker may use this to move laterally within the OT network.\u003c/li\u003e\n\u003cli\u003eThe attacker could then target other critical systems within the food and agriculture environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to severe consequences, especially in critical infrastructure sectors like Food and Agriculture. Attackers could remotely execute arbitrary code on the affected systems without authentication, potentially disrupting industrial processes, stealing sensitive data, or causing a complete shutdown of operations. With Quantum HD systems deployed globally, a widespread attack could affect numerous organizations, leading to significant financial losses and supply chain disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all Frick Controls Quantum HD devices to the latest platform, Quantum HD Unity, version 12 or higher, as recommended by Johnson Controls (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660).\u003c/li\u003e\n\u003cli\u003eAfter upgrading to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious requests targeting Frick Controls Quantum HD devices (Network Connection logs).\u003c/li\u003e\n\u003cli\u003eRefer to Johnson Controls Product Security Advisory JCI-PSA-2026-05 for more detailed mitigation instructions at \u003ca href=\"https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories\"\u003ehttps://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-26T12:00:00Z","date_published":"2026-02-26T12:00:00Z","id":"/briefs/2026-02-quantum-hd-vulns/","summary":"Multiple vulnerabilities in Johnson Controls, Inc. Frick Controls Quantum HD versions \u003c=10.22 can lead to pre-authentication remote code execution, information leak, or denial of service.","title":"Johnson Controls Frick Controls Quantum HD Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-02-quantum-hd-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Ot","version":"https://jsonfeed.org/version/1.1"}