<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ot — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ot/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Apr 2026 21:17:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ot/feed.xml" rel="self" type="application/rss+xml"/><item><title>Hardcoded Storage Credentials in Mobile App and Device Firmware (CVE-2025-10681)</title><link>https://feed.craftedsignal.io/briefs/2026-04-hardcoded-credentials/</link><pubDate>Fri, 03 Apr 2026 21:17:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-hardcoded-credentials/</guid><description>CVE-2025-10681 describes a vulnerability where hardcoded storage credentials in a mobile app and device firmware, with inadequate permission limits and lack of expiration, could lead to unauthorized access to production storage containers.</description><content:encoded><![CDATA[<p>CVE-2025-10681 is a high-severity vulnerability arising from storage credentials hardcoded into a mobile application and its corresponding device firmware. The credentials are not scoped to what an end user legitimately needs and are not configured to expire. The advisory does not name the affected systems, but it was published by ICS-CERT, which implies the products sit in an industrial control system or similar operational technology environment.
Anyone who extracts the credentials from the app package or a firmware image can skip the application's own authentication and talk to the production storage containers directly, with whatever read or write permissions the credentials carry. Because every installed copy of the app and every device running the firmware shares the same credentials, defenders should treat them as already exposed: inventory the affected devices, have the storage account's permissions scoped down and the credentials rotated, and watch for storage access from clients other than the devices and the app, especially in OT environments where a compromise can have physical consequences.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker obtains the mobile application package or a firmware image, whether from a public app store, a vendor download, or a dumped device.</li>
<li>Attacker extracts the hardcoded storage credentials from the app or firmware by reverse engineering.</li>
<li>Attacker authenticates directly to the production storage container with the extracted credentials, bypassing the application's own authentication entirely.</li>
<li>Because the credentials are not restricted to what a single end user needs, the attacker gets read/write access across the container rather than to one device's data.</li>
<li>Attacker reads sensitive data such as configurations, process data, or customer data.</li>
<li>Attacker modifies or deletes configurations, causing a denial of service or operational disruption.</li>
<li>Because the credentials never expire, the access persists until the vendor rotates them in both the app and the firmware; until then the attacker effectively owns the container and anything that trusts its contents.</li>
<li>Attacker exfiltrates the data or uses it to further compromise the ICS/OT environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-10681 could lead to unauthorized access to critical production data, system configurations, and potentially other sensitive information. Depending on the scope of the storage container&rsquo;s access, attackers could disrupt industrial processes, steal intellectual property, or hold data for ransom. Since this vulnerability relates to ICS/OT environments, compromise of production data could lead to equipment damage, environmental hazards, or safety issues.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>The detection rule <code>Detect Hardcoded Credentials in Mobile App/Firmware Unpacking</code> (logsource: file_event, process_creation) flags unpacking or analysis of application binaries and firmware images on monitored hosts. It cannot see an attacker working on their own machine, so treat it as a signal for insider or lab activity and complement it by scanning your own app and firmware builds for embedded secrets before release.</li>
<li>Examine network traffic for authentication attempts to storage resources from unusual IP addresses or with unusual user agents, using the detection rule <code>Detect Unusual Authentication to Storage Resources</code> (logsource: network_connection). Where the storage provider keeps its own access logs, those are the authoritative record of which client used the credentials, and from where.</li>
<li>Review and update mobile application and device firmware development practices to eliminate hardcoded credentials (CWE-798, Use of Hard-coded Credentials): issue per-device, scoped, expiring credentials at provisioning time instead of baking one shared credential into every build.</li>
<li>Monitor file access and modifications to production storage containers for activity that does not match the devices' and app's normal access pattern, which would indicate use of the leaked credentials (logsource: file_event).</li>
<li>Use vulnerability scanning or inventory tools to identify devices and app versions affected by CVE-2025-10681. A scan only shows that the credentials are present; they stay valid until rotated at the storage provider, and revoking them breaks devices still on the old firmware, so plan the rotation together with the app and firmware update.</li>
</ul>
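<p>The only reliable check for this class of flaw is to look at the artefacts themselves: the app package and the firmware image that ship to users. The scanner below, added here as an example and not code from the advisory, ICS-CERT or the affected vendor, runs over a strings dump of an unpacked binary and reports credential-shaped values: cloud storage connection strings, access key identifiers, shared-access signatures (for which it also pulls out the expiry and the granted permissions, the two properties the advisory says were missing or too broad), and any keyword-labelled value whose entropy says it is a secret rather than a word. The provider formats are an assumption, since the advisory does not name the storage service, and <code>SAMPLE_DUMP</code> is constructed from a hashed placeholder and the AWS documentation example keys, not real credentials.</p>

```python
"""Scan a strings dump of an unpacked app or firmware image for embedded storage credentials.

Added example for this brief, not code from the advisory, ICS-CERT or the affected vendor.
Credential shapes are common cloud storage formats (assumption: the advisory does not
name the provider); SAMPLE_DUMP is a constructed stand-in for `strings` output.
"""
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed sample: the account key is a base64 SHA-512 digest (not a real key);
# the AWS values are the public documentation example keys.
FAKE_ACCOUNT_KEY = base64.b64encode(hashlib.sha512(b"constructed sample").digest())
SAMPLE_DUMP = (
    b"log_level=debug\n"
    b"app_version=3.1.4\n"
    b"DefaultEndpointsProtocol=https;AccountName=exampleprodstorage;AccountKey="
    + FAKE_ACCOUNT_KEY
    + b";EndpointSuffix=core.windows.net\n"
    b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    b"telemetry_url=https://exampleprodstorage.blob.core.windows.net/telemetry"
    b"?sv=2022-11-02&ss=b&srt=co&sp=rwdlac&se=2099-12-31T23:59:59Z"
    b"&sig=aGVsbG8gd29ybGQgdGhpcyBpcyBjb25zdHJ1Y3RlZA%3D%3D\n"
)

SPECIFIC = {
    "azure_connection_string": re.compile(
        rb"DefaultEndpointsProtocol=https?;AccountName=[^;\s]+;AccountKey=[A-Za-z0-9+/]{86}=="
    ),
    "aws_access_key_id": re.compile(rb"(?:AKIA|ASIA)[0-9A-Z]{16}"),
    "azure_sas_token": re.compile(rb"sv=\d{4}-\d{2}-\d{2}[^\s\"']*?&sig=[A-Za-z0-9%+/=]{20,}"),
}
# Fallback: a secret-looking keyword followed by a long value; entropy filters out words.
GENERIC = re.compile(
    rb"(?i)(?:secret|password|passwd|token|api_?key|access_?key)\w*\s*[=:]\s*[\"']?"
    rb"([A-Za-z0-9+/=_-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per byte: base64/hex secrets sit above, natural words below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def redact(value: bytes) -> str:
    """Keep enough to locate the secret in the binary without reproducing it."""
    text = value.decode("ascii", "replace")
    return text[:6] + "..." + text[-4:] if len(text) > 14 else "..."


def _sas_details(token: bytes) -> dict:
    """Expiry (se=) and permissions (sp=) of a SAS token: the two properties the
    advisory says were absent or too broad for the leaked credentials."""
    expiry = re.search(rb"[?&]se=(\d{4}-\d{2}-\d{2})", token)
    perms = re.search(rb"[?&]sp=([a-z]+)", token)
    return {"expires": expiry.group(1).decode() if expiry else None,
            "permissions": perms.group(1).decode() if perms else None}


def scan(blob: bytes) -> list:
    """Return findings as dicts with kind, offset, redacted preview and entropy."""
    findings, taken = [], []  # taken: spans already reported by a specific pattern
    for kind, pattern in SPECIFIC.items():
        for m in pattern.finditer(blob):
            f = {"kind": kind, "offset": m.start(), "preview": redact(m.group(0)),
                 "entropy": round(shannon_entropy(m.group(0)), 2)}
            if kind == "azure_sas_token":
                f.update(_sas_details(m.group(0)))
            findings.append(f)
            taken.append(m.span())
    for m in GENERIC.finditer(blob):
        start, end = m.span(1)
        entropy = shannon_entropy(m.group(1))
        if entropy >= ENTROPY_THRESHOLD and not any(s < end and start < e for s, e in taken):
            findings.append({"kind": "high_entropy_secret", "offset": start,
                             "preview": redact(m.group(1)), "entropy": round(entropy, 2)})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    import sys
    data = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.buffer.read()
    for finding in scan(data):
        print(finding)
```

<p>Run it against real output with <code>strings -n 12 firmware.bin | python3 scan_storage_secrets.py</code>; with nothing on stdin it scans the constructed sample. A hit is a finding, not proof of exposure: confirm the value is live by checking it against the storage account's key list, and treat a SAS whose <code>se=</code> lies years out or whose <code>sp=</code> grants write or delete as exactly the "lack of expiration" and "inadequate permission limits" conditions the advisory describes.</p>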
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2025-10681</category><category>hardcoded-credentials</category><category>ics-cert</category><category>ot</category></item><item><title>CODESYS Control Runtime System Audit Log DoS Vulnerability (CVE-2026-3509)</title><link>https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/</link><pubDate>Wed, 25 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/</guid><description>An unauthenticated remote attacker can exploit CVE-2026-3509 in the CODESYS Control runtime system to control the format string of messages processed by the Audit Log, leading to a denial-of-service (DoS) condition.</description><content:encoded>&lt;p>CVE-2026-3509 describes a format string vulnerability within the Audit Log of the CODESYS Control runtime system. This vulnerability allows an unauthenticated remote attacker to influence the format string of messages processed by the affected system. Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition, impacting the availability of the CODESYS Control runtime system. The vulnerability was reported on March 24, 2026. CODESYS is a popular development…&lt;/p>
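&lt;p>The bug class here is CWE-134: the runtime hands a message it received from an unauthenticated peer to the Audit Log as the format template rather than as a value. The following Python analogue, added here as an example and not CODESYS code (the CODESYS Control runtime is a native binary and the advisory shows no API), reproduces the mechanism: the vulnerable path lets the peer's text drive the formatter and dies on a malformed directive, which is the denial of service described above, while the hardened path keeps the template constant. The AuditLog class, its method names and the sample messages are constructed for this example.&lt;/p>

```python
"""Python analogue of the CODESYS Audit Log flaw (CWE-134, externally controlled format string).

Added example for this brief, not CODESYS code: the CODESYS Control runtime is a native
binary and the advisory shows no API. The AuditLog class, its method names and the
attacker messages are constructed here to show the mechanism and the fix.
"""


class AuditLog:
    def __init__(self):
        self.entries = []

    def record_vulnerable(self, message, peer="unknown"):
        """BUG: 'message' came from an unauthenticated peer and is used as the format
        template, so the peer controls every directive the formatter executes."""
        line = message.format(peer=peer, log=self)
        self.entries.append(line)
        return line

    def record_hardened(self, message, peer="unknown"):
        """Fix: the template is a constant; the peer's text is only ever a value."""
        line = "peer={peer} msg={message}".format(peer=peer, message=message)
        self.entries.append(line)
        return line


def simulate(messages, hardened):
    """Feed attacker-chosen messages to the log. Returns (entries written, survived);
    an exception escaping the logger is the denial of service the advisory describes."""
    log = AuditLog()
    for m in messages:
        try:
            if hardened:
                log.record_hardened(m, peer="10.0.0.7")
            else:
                log.record_vulnerable(m, peer="10.0.0.7")
        except (ValueError, KeyError, IndexError, AttributeError):
            return len(log.entries), False
    return len(log.entries), True


# Constructed attacker input: a benign line, a read of the logger's own state through
# the formatter, and a malformed directive that raises inside the logger.
ATTACKER_MESSAGES = [
    "login ok",
    "{log.entries}",
    "{",
]


if __name__ == "__main__":
    print("vulnerable:", simulate(ATTACKER_MESSAGES, hardened=False))
    print("hardened:  ", simulate(ATTACKER_MESSAGES, hardened=True))
```

&lt;p>The second attacker message shows why the fix is not just "catch the exception": as long as the peer's text is the template, it can also read state the formatter can reach. Passing it as a value closes both problems at once.&lt;/p>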
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>codesys</category><category>dos</category><category>cve-2026-3509</category><category>ics</category><category>ot</category></item><item><title>Multiple Vulnerabilities in Chargemap Charging Stations</title><link>https://feed.craftedsignal.io/briefs/2026-02-chargemap-vulns/</link><pubDate>Thu, 26 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-chargemap-vulns/</guid><description>Unauthenticated attackers can exploit multiple vulnerabilities in Chargemap's charging stations, including missing authentication, improper authentication attempt restrictions, insufficient session expiration, and unprotected credentials, potentially leading to unauthorized control and denial-of-service.</description><content:encoded><![CDATA[<p>The Chargemap platform (chargemap.com) is affected by multiple critical vulnerabilities that allow an unauthenticated attacker to take administrative control of charging stations or disrupt charging services: missing authentication for a critical function (CVE-2026-25851), improper restriction of excessive authentication attempts (CVE-2026-20792), insufficient session expiration (CVE-2026-25711), and insufficiently protected credentials (CVE-2026-20791). All versions are affected. The flaws lie in the OCPP WebSocket API and in the handling of charging-station identifiers, which the backend treats as the station's credential. Successful exploitation can lead to privilege escalation, data corruption, session hijacking, and denial of service. Deployments span the energy and transportation sectors worldwide.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker harvests a charging-station identifier that is publicly visible on web-based mapping platforms; because the identifier doubles as the station's credential, this is the credential leak (CVE-2026-20791).</li>
<li>Attacker opens a connection to the station's OCPP WebSocket endpoint presenting only that identifier, and the backend accepts it without any further authentication (CVE-2026-25851).</li>
<li>Attacker now impersonates the legitimate charger towards the backend.</li>
<li>Alternatively, attacker floods the WebSocket API with connection and authentication attempts; with no rate limiting, the backend is driven into denial of service (CVE-2026-20792).</li>
<li>Because sessions do not expire, a session the attacker has captured remains valid, so a legitimate station's session can be hijacked (CVE-2026-25711).</li>
<li>Attacker sends malicious commands to the backend, disrupting charging sessions and potentially affecting connected vehicles.</li>
<li>Attacker manipulates the data reported to the backend, corrupting charging-network records and potentially causing billing errors or safety issues.</li>
<li>Attacker ends with full administrative control over the charging station, able to change settings, disable it, or use it as a pivot into other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could result in widespread disruption of electric vehicle charging services, financial losses due to manipulated charging data, and potential damage to connected vehicles. Given the global deployment of Chargemap, a successful attack could affect numerous users and organizations in the energy and transportation sectors. Attackers could remotely disable charging stations, manipulate pricing, or even cause physical damage to charging infrastructure.  The lack of vendor response further exacerbates the potential impact, leaving users vulnerable without readily available patches or workarounds.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Minimize network exposure for Chargemap charging stations by ensuring they are not directly accessible from the internet as recommended by CISA.</li>
<li>Locate control system networks and remote devices behind firewalls, isolating them from business networks as per CISA guidance.</li>
<li>Monitor network traffic for excessive authentication attempts targeting Chargemap charging stations to detect potential denial-of-service attacks leveraging CVE-2026-20792. Implement rate limiting where possible.</li>
<li>Deploy the Sigma rule &ldquo;Detect Unauthenticated OCPP WebSocket Connections&rdquo; to identify unauthorized connections to charging stations exploiting CVE-2026-25851.</li>
<li>Contact Chargemap using their contact page (<a href="https://chargemap.com/en-us/support">https://chargemap.com/en-us/support</a>) to inquire about available patches or mitigations for these vulnerabilities.</li>
</ul>
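<p>The attack chain above leaves three observable events at the OCPP backend: a WebSocket upgrade accepted with no credential, a burst of upgrade attempts from one source, and one station identifier in use from two places at once. The detection logic below, added here as an example and not Chargemap's code or a CISA-published rule, runs those three checks over constructed reverse-proxy log lines. It assumes the proxy in front of the OCPP backend logs each upgrade request as a JSON object with <code>ts</code>, <code>src</code>, <code>path</code>, <code>auth</code> and <code>status</code> fields and that stations connect to <code>/ocpp/{chargePointId}</code>; the field names, the path convention, the thresholds and the log lines are all assumptions for this example.</p>

```python
"""Detection logic for the Chargemap attack chain, run over sample access-log lines.

Added example for this brief, not Chargemap code or a CISA-published rule. It assumes a
reverse proxy in front of the OCPP backend logs every WebSocket upgrade request as one
JSON object; the field names, the /ocpp/{chargePointId} path convention, the thresholds
and the log lines are all constructed here.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

OCPP_PREFIX = "/ocpp/"                # assumed path convention: /ocpp/{chargePointId}
FLOOD_THRESHOLD = 10                  # upgrade attempts per source per window
FLOOD_WINDOW = timedelta(seconds=60)
REUSE_WINDOW = timedelta(minutes=10)  # one identifier accepted from two sources within this

# Constructed log: a legitimate station with HTTP Basic credentials, an attacker
# connecting with a harvested identifier and no credentials, a burst of rejected
# attempts from one source, and an unrelated request that must be ignored.
FLOOD_LINES = [
    json.dumps({"ts": f"2026-02-26T10:00:{10 + i:02d}Z", "src": "203.0.113.9",
                "path": "/ocpp/CP-0001", "auth": "basic", "status": 401})
    for i in range(12)
]
SAMPLE_LOG = "\n".join([
    '{"ts":"2026-02-26T10:00:00Z","src":"198.51.100.10","path":"/ocpp/CP-4711","auth":"basic","status":101}',
    '{"ts":"2026-02-26T10:00:05Z","src":"203.0.113.5","path":"/ocpp/CP-4711","auth":"none","status":101}',
    *FLOOD_LINES,
    '{"ts":"2026-02-26T10:01:00Z","src":"198.51.100.10","path":"/api/health","auth":"none","status":200}',
])


def parse(log_text):
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def charge_point_id(path):
    """The identifier a station presents is the last path segment; None for non-OCPP paths."""
    return path[len(OCPP_PREFIX):] if path.startswith(OCPP_PREFIX) else None


def detect(log_text):
    findings = []
    attempts = defaultdict(deque)   # src -> timestamps of OCPP upgrade attempts in window
    flooded = set()                 # sources already reported, to avoid one alert per line
    accepted = defaultdict(dict)    # charge point id -> {src: time of last accepted upgrade}
    for e in parse(log_text):
        cp = charge_point_id(e["path"])
        if cp is None:
            continue
        stamp = e["ts"].isoformat()
        # Rule 1 (CVE-2026-25851): upgrade accepted with no credential at all.
        if e["status"] == 101 and e["auth"] == "none":
            findings.append({"rule": "unauthenticated_ocpp_connect", "src": e["src"],
                             "charge_point": cp, "ts": stamp})
        # Rule 2 (CVE-2026-20792): burst of upgrade attempts from one source, any outcome.
        window = attempts[e["src"]]
        window.append(e["ts"])
        while e["ts"] - window[0] > FLOOD_WINDOW:
            window.popleft()
        if len(window) >= FLOOD_THRESHOLD and e["src"] not in flooded:
            flooded.add(e["src"])
            findings.append({"rule": "auth_flood", "src": e["src"],
                             "count": len(window), "ts": stamp})
        # Rule 3 (CVE-2026-25711): the same identifier accepted from two sources close
        # together, the footprint of impersonation or a hijacked session.
        if e["status"] == 101:
            others = sorted(s for s, t in accepted[cp].items()
                            if s != e["src"] and e["ts"] - t <= REUSE_WINDOW)
            if others:
                findings.append({"rule": "charge_point_identity_reuse", "charge_point": cp,
                                 "sources": sorted(others + [e["src"]]), "ts": stamp})
            accepted[cp][e["src"]] = e["ts"]
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

<p>Rule 1 is the direct test for CVE-2026-25851 and should fire zero times on a correctly configured backend. Rule 3 needs tuning on a real estate: stations that legitimately roam between networks will trip it at a long window, so start with a short one and widen it only as the false positives allow. None of these rules require patching the station; they only need the proxy logs, which makes them the practical control while the vendor remains unresponsive.</p>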
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ics</category><category>ot</category><category>vulnerability</category><category>denial-of-service</category></item><item><title>Johnson Controls Frick Controls Quantum HD Multiple Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-02-quantum-hd-vulns/</link><pubDate>Thu, 26 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-quantum-hd-vulns/</guid><description>Multiple vulnerabilities in Johnson Controls, Inc. Frick Controls Quantum HD versions &lt;=10.22 can lead to pre-authentication remote code execution, information leak, or denial of service.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in Johnson Controls, Inc. Frick Controls Quantum HD versions 10.22 and earlier. These vulnerabilities, including CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, and CVE-2026-21660, can be exploited to achieve pre-authentication remote code execution, information leaks, or denial of service. Given that Frick Controls Quantum HD is deployed worldwide, particularly in the Food and Agriculture sector, these vulnerabilities pose a significant risk. Johnson Controls recommends upgrading to Quantum HD Unity, version 12 or higher, to mitigate these risks. Versions 10.22 through 11 are no longer supported.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Frick Controls Quantum HD device exposed to the network.</li>
<li>The attacker sends a specially crafted request to the device exploiting the input validation vulnerabilities (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658).</li>
<li>Because the input is insufficiently validated, the crafted request injects OS commands or code into the device (CWE-78, CWE-94).</li>
<li>The injected code is executed by the device with no prior authentication, giving the attacker a foothold on it.</li>
<li>Depending on which flaw is hit, the attacker instead obtains an information leak or crashes the device (denial of service).</li>
<li>With code execution achieved, the attacker can move laterally within the OT network.</li>
<li>The attacker then targets other critical systems within the food and agriculture environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to severe consequences, especially in critical infrastructure sectors like Food and Agriculture. Attackers could remotely execute arbitrary code on the affected systems without authentication, potentially disrupting industrial processes, stealing sensitive data, or causing a complete shutdown of operations. With Quantum HD systems deployed globally, a widespread attack could affect numerous organizations, leading to significant financial losses and supply chain disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all Frick Controls Quantum HD devices to the latest platform, Quantum HD Unity, version 12 or higher, as recommended by Johnson Controls (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660).</li>
<li>After upgrading to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.</li>
<li>Monitor network traffic for suspicious requests targeting Frick Controls Quantum HD devices (logsource: network_connection).</li>
<li>Refer to Johnson Controls Product Security Advisory JCI-PSA-2026-05 for more detailed mitigation instructions at <a href="https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories">https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories</a>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ics</category><category>ot</category><category>vulnerability</category></item></channel></rss>