Author: Admin @CloudCentric

Honeywell IQ4x BMS Controller

Summary

Successful exploitation of this vulnerability could allow an unauthorized attacker to access controller management settings, control components, disclose information, or cause a denial-of-service condition.

The following versions of Honeywell IQ4x BMS Controller are affected:

  • IQ4E >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
  • IQ412 >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
  • IQ422 >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
  • IQ4NC >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
  • IQ41x >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
  • IQ3 >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
  • IQECO >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9 (CVE-2026-3611)
CVSS: v3 10
Vendor: Honeywell
Equipment: Honeywell IQ4x BMS Controller
Vulnerabilities: Missing Authentication for Critical Function

Background

  • Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Government Services and Facilities, Healthcare and Public Health
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities

CVE-2026-3611

The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.


Affected Products

Honeywell IQ4x BMS Controller
Vendor: Honeywell
Product Version:
  • Honeywell IQ4E: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
  • Honeywell IQ412: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
  • Honeywell IQ422: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
  • Honeywell IQ4NC: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
  • Honeywell IQ41x: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
  • Honeywell IQ3: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
  • Honeywell IQECO: >=Firmware_v3.50_3.44|<4.36_build_4.3.7.9
Product Status: known_affected

Remediations

Mitigation
Honeywell is aware of the issue, but has not released a fix. For more information, contact Honeywell directly. https://www.honeywell.com/us/en/contact.

Relevant CWE: CWE-306 Missing Authentication for Critical Function


Metrics

CVSS Version: 3.1
Base Score: 10
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Acknowledgments

  • Gjoko Krstic of Zero Science reported this vulnerability to Honeywell

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-03-10
  • Revision 1 (2026-03-10): Initial Publication

Ceragon Siklu MultiHaul and EtherHaul Series

Summary

Successful exploitation of this vulnerability could result in arbitrary file upload to the target equipment.

The following versions of Ceragon Siklu MultiHaul and EtherHaul Series are affected:

  • MultiHaul MH-B100-CCS
  • MultiHaul MH-T200-CCC
  • MultiHaul MH-T200-CNN
  • MultiHaul MH-T201-CNN
  • EtherHaul EH-8010FX
  • EtherHaul EH-500TX
  • EtherHaul EH-600TX
  • EtherHaul EH-614TX
  • EtherHaul EH-700TX
  • EtherHaul EH-710TX
  • EtherHaul EH-1200TX
  • EtherHaul EH-1200FX
  • EtherHaul EH-2200FX
  • EtherHaul EH-2500FX
  • EtherHaul EH-5500FD
CVSS: v3 5.3
Vendor: Ceragon
Equipment: Ceragon Siklu MultiHaul and EtherHaul Series
Vulnerabilities: Unrestricted Upload of File with Dangerous Type

Background

  • Critical Infrastructure Sectors: Communications
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Israel

Vulnerabilities

CVE-2025-57176

The rfpiped service on TCP port 555 in Ceragon Networks / Siklu Communication EtherHaul and MultiHaul Series microwave antennas allows unauthenticated file uploads to any writable location on the device. File upload packets use weak encryption (metadata only), with file contents transmitted in cleartext. No authentication or path validation is performed.


Affected Products

Ceragon Siklu MultiHaul and EtherHaul Series
Vendor: Ceragon
Product Version:
  • Ceragon MultiHaul MH-B100-CCS: <R2.4.0
  • Ceragon MultiHaul MH-T200-CCC: <R2.4.0
  • Ceragon MultiHaul MH-T200-CNN: <R2.4.0
  • Ceragon MultiHaul MH-T201-CNN: <R2.4.0
  • Ceragon EtherHaul EH-8010FX: <R10.8.1
  • Ceragon EtherHaul EH-500TX: <R7.7.12
  • Ceragon EtherHaul EH-600TX: <R7.7.12
  • Ceragon EtherHaul EH-614TX: <R7.7.12
  • Ceragon EtherHaul EH-700TX: <R7.7.12
  • Ceragon EtherHaul EH-710TX: <R7.7.12
  • Ceragon EtherHaul EH-1200TX: <R7.7.12
  • Ceragon EtherHaul EH-1200FX: <R7.7.12
  • Ceragon EtherHaul EH-2200FX: <R7.7.12
  • Ceragon EtherHaul EH-2500FX: <R7.7.12
  • Ceragon EtherHaul EH-5500FD: <R7.7.12
Product Status: known_affected

Remediations

Vendor fix
Ceragon has released a software update for the affected models:

  • Affected users should install firmware version R2.4.0 for affected MultiHaul models.
  • Affected users should install firmware version R10.8.1 for the affected EH-8010FX model.
  • Affected users should install firmware version R7.7.12 for other affected EtherHaul models.

Mitigation
Additionally, Ceragon has provided the following security recommendations for mitigating the listed vulnerability. To prevent exposure, management access must follow standard operator security guidelines:

  • Management IP addresses must use private subnets (RFC 1918)
  • Management networks must be protected by:
      • Firewalls
      • Access Control Lists
      • Network Access Translation / Secure management domains
  • Public exposure of management IP addresses is not supported nor recommended

Ceragon requests that affected users please verify that all affected radio units:

  • Use private management IP addresses only
  • Are placed behind internal security controls
  • Follow your organization’s authentication and access-control policies

Please visit the Ceragon portal here: https://portal.ceragon.com/ (login required) for further information.

Relevant CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
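
An inventory check for the two things this advisory asks operators to verify: firmware at or above the fixed release for the model, and management addresses inside RFC 1918 space. This is an added example, not Ceragon or CISA code; the inventory rows, field names and function names are constructed for illustration, while the model list and fixed releases come from the advisory text above.

```python
import ipaddress
import re

# Fixed releases per model family, from the "Vendor fix" entries above.
MULTIHAUL = ("MH-B100-CCS", "MH-T200-CCC", "MH-T200-CNN", "MH-T201-CNN")
ETHERHAUL = ("EH-500TX", "EH-600TX", "EH-614TX", "EH-700TX", "EH-710TX",
             "EH-1200TX", "EH-1200FX", "EH-2200FX", "EH-2500FX", "EH-5500FD")
FIXED_RELEASE = {model: "R2.4.0" for model in MULTIHAUL}
FIXED_RELEASE.update({model: "R7.7.12" for model in ETHERHAUL})
FIXED_RELEASE["EH-8010FX"] = "R10.8.1"

# ipaddress's is_private also accepts loopback, link-local and documentation
# ranges, so the three RFC 1918 blocks are tested explicitly.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(net)
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def parse_release(text):
    """Turn 'R7.7.12' into (7, 7, 12) so releases compare numerically."""
    match = re.fullmatch(r"[Rr]?(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_older(installed, fixed):
    """True when the installed release is strictly below the fixed one."""
    a, b = parse_release(installed), parse_release(fixed)
    width = max(len(a), len(b))
    # Pad so that 'R2.4' and 'R2.4.0' compare as equal.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def is_rfc1918(address):
    """True only for IPv4 addresses inside the three RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def audit(inventory):
    """Return {unit name: [findings]} for each inventory row."""
    report = {}
    for row in inventory:
        findings = []
        fixed = FIXED_RELEASE.get(row["model"])
        if fixed is None:
            findings.append("model-not-in-advisory")
        else:
            try:
                if is_older(row["firmware"], fixed):
                    findings.append("firmware-below-fix")
            except ValueError:
                findings.append("firmware-unparseable")
        if not is_rfc1918(row["mgmt_ip"]):
            findings.append("mgmt-ip-not-rfc1918")
        report[row["name"]] = findings
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"name": "radio-a", "model": "EH-1200FX", "firmware": "R7.7.9",
     "mgmt_ip": "10.20.30.5"},
    {"name": "radio-b", "model": "EH-8010FX", "firmware": "R10.8.1",
     "mgmt_ip": "203.0.113.10"},   # documentation range, not RFC 1918
    {"name": "radio-c", "model": "MH-T200-CNN", "firmware": "R2.3.7",
     "mgmt_ip": "172.32.0.4"},     # just outside 172.16.0.0/12
    {"name": "radio-d", "model": "EH-710TX", "firmware": "R7.10.0",
     "mgmt_ip": "192.168.50.2"},   # 7.10 is newer than 7.7.12
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, ", ".join(findings) or "ok")
```

Releases are compared as integer tuples because a plain string comparison would rank R7.10.0 below R7.7.12.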


Metrics

CVSS Version: 3.1
Base Score: 5.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Acknowledgments

  • CISA discovered a public Proof of Concept (PoC) as authored by semaja22 and reported it to Ceragon

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-03-10
  • Revision 1 (2026-03-10): Initial Publication

Delta Electronics CNCSoft-G2

Summary

Successful exploitation of this vulnerability could result in an attacker achieving remote code execution on the device.

The following versions of Delta Electronics CNCSoft-G2 are affected:

  • CNCSoft-G2
CVSS: v3 7.8
Vendor: Delta Electronics
Equipment: Delta Electronics CNCSoft-G2
Vulnerabilities: Out-of-bounds Write

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Taiwan

Vulnerabilities

CVE-2026-3094

Delta Electronics CNCSoft-G2 devices prior to version V2.1.0.39 are vulnerable to an Out-of-Bounds Write while parsing DPAX files in the DOPSoft component.


Affected Products

Delta Electronics CNCSoft-G2
Vendor: Delta Electronics
Product Version: Delta Electronics CNCSoft-G2: <V2.1.0.39
Product Status: known_affected

Remediations

Mitigation
Delta Electronics recommends users update to Version 2.1.0.39, which has resolved this vulnerability. The update can be obtained from the Delta Electronics download center at https://downloadcenter.deltaww.com/en-US/DownloadCenter?v=1&q=cncsoft&sort_expr=cdate&sort_dir=DESC.

Mitigation
For more information, see the associated Delta Electronics security advisory Delta-PCSA-2026-00004 which can be downloaded in PDF format here: https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00004_CNCSoft-G2_File%20Parsing%20Out-Of-Bounds%20Write.pdf

Relevant CWE: CWE-787 Out-of-bounds Write


Metrics

CVSS Version: 3.1
Base Score: 7.8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgments

  • Natnael Samson (@NattiSamson) of TrendAI Zero Day Initiative reported this vulnerability to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.


Revision History

  • Initial Release Date: 2026-03-05
  • Revision 1 (2026-03-05): Initial Republication of Delta Electronics Delta-PCSA-2026-00004 advisory

Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module

Summary

Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial-of-service condition by continuously sending UDP packets to the affected products.

The following versions of Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module are affected:

  • MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP <=1.106, vers:all/* (CVE-2026-1874, CVE-2026-1876)
  • MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP vers:all/* (CVE-2026-1874, CVE-2026-1875)
CVSS: v3 7.5
Vendor: Mitsubishi Electric
Equipment: Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module
Vulnerabilities: Always-Incorrect Control Flow Implementation, Improper Resource Shutdown or Release

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Japan

Vulnerabilities

CVE-2026-1874

An always-incorrect control flow implementation vulnerability may allow a remote attacker to cause a denial-of-service condition by continuously sending UDP packets to the affected products.


Affected Products

Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module
Vendor: Mitsubishi Electric
Product Version:
  • Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP: <=1.106
  • Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP: vers:all/*
Product Status: known_affected

Remediations

Vendor fix
Users of FX5-ENET/IP versions 1.106 and prior should download the update file for version 1.107 or later and apply it. The update file is available at: https://www.mitsubishielectric.com/fa/download/index.html.

Mitigation
The fixed version for the FX5-EIP is scheduled to be released in the near future. In the meantime, users should apply mitigations or workarounds.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using a firewall, virtual private network (VPN), etc. and preventing unauthorized access when internet access is required, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the affected product within a LAN and blocking access from untrusted networks and hosts through firewalls, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the IP filter function of the affected product and blocking access from untrusted hosts, to minimize the risk of exploiting this vulnerability. For details on the IP filter function, refer to “13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication).

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the affected product, as well as to PCs and network devices to which it is connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends installing anti-virus software on PCs that can access the affected product, to minimize the risk of exploiting this vulnerability.

Mitigation
For more information, see Mitsubishi Electric 2025-021. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf

Relevant CWE: CWE-670 Always-Incorrect Control Flow Implementation


Metrics

CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-1875

An improper resource shutdown or release vulnerability in the affected products may allow a remote attacker to cause a denial-of-service condition by continuously sending UDP packets.


Affected Products

Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module
Vendor: Mitsubishi Electric
Product Version: Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP: vers:all/*
Product Status: known_affected

Remediations

Mitigation
The fixed version for the FX5-EIP is scheduled to be released in the near future. In the meantime, users should apply mitigations or workarounds.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using a firewall, virtual private network (VPN), etc. and preventing unauthorized access when internet access is required, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the affected product within a LAN and blocking access from untrusted networks and hosts through firewalls, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the IP filter function of the affected product and blocking access from untrusted hosts, to minimize the risk of exploiting this vulnerability. For details on the IP filter function, refer to “13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication).

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the affected product, as well as to PCs and network devices to which it is connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends installing anti-virus software on PCs that can access the affected product, to minimize the risk of exploiting this vulnerability.

Mitigation
For more information, see Mitsubishi Electric 2025-021. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf

Relevant CWE: CWE-404 Improper Resource Shutdown or Release


Metrics

CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-1876

An improper resource shutdown or release vulnerability may allow a remote attacker to cause a denial-of-service condition in the affected products by continuously sending UDP packets.


Affected Products

Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module
Vendor: Mitsubishi Electric
Product Version: Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP: vers:all/*
Product Status: known_affected

Remediations

No fix planned
Users should apply mitigations or workarounds since there are no plans to release a fixed version.

Mitigation
For users of products that do not have a fixed version, Mitsubishi Electric recommends using a firewall, virtual private network (VPN), etc. and preventing unauthorized access when internet access is required, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version, Mitsubishi Electric recommends using the affected product within a LAN and blocking access from untrusted networks and hosts through firewalls, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version, Mitsubishi Electric recommends using the IP filter function of the affected product and blocking access from untrusted hosts, to minimize the risk of exploiting this vulnerability. For details on the IP filter function, refer to “13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication).

Mitigation
For users of products that do not have a fixed version, Mitsubishi Electric recommends restricting physical access to the affected product, as well as to PCs and network devices to which it is connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version, Mitsubishi Electric recommends installing anti-virus software on PCs that can access the affected product, to minimize the risk of exploiting this vulnerability.

Mitigation
For more information, see Mitsubishi Electric 2025-021. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf

Relevant CWE: CWE-404 Improper Resource Shutdown or Release


Metrics

CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments

  • Mitsubishi Electric reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this notification (https://www.cisa.gov/notification) and this privacy & use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.


Advisory Conversion Disclaimer

This ICSA is a republication of Mitsubishi Electric security advisory “2025-021 Multiple denial-of-service vulnerabilities in Ethernet function of MELSEC iQ-F Series EtherNet/IP module and Ethernet module” from a direct conversion of the vendor’s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA’s website as a means of increasing visibility and is provided “as-is” for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact CISA directly for any questions regarding this advisory.

Revision History

  • Initial Release Date: 2026-03-03
  • Revision 1 (2026-03-03): Initial Publication
  • Revision 2 (2026-03-03): Initial CISA Republication of Mitsubishi Electric security advisory 2025-021

Hitachi Energy Relion REB500 Product

Summary

Hitachi Energy is aware of vulnerabilities that affect the Relion REB500 product versions listed in this document. Authenticated users with certain roles can exploit the vulnerabilities to access and modify directory contents that they are not authorized to access or modify. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

The following versions of Hitachi Energy Relion REB500 Product are affected:

  • Relion REB500 vers:Relion_REB500/<=8.3.3.0 (CVE-2026-2459, CVE-2026-2460)
CVSS: v3 6.8
Vendor: Hitachi Energy
Equipment: Hitachi Energy Relion REB500 Product
Vulnerabilities: Privilege Defined With Unsafe Actions

Background

  • Critical Infrastructure Sectors: Energy
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2026-2459

A vulnerability exists in REB500 that allows an authenticated user with the Installer role to access and alter the contents of directories that the role is not authorized to access or alter.


Affected Products

Hitachi Energy Relion REB500 Product
Vendor: Hitachi Energy
Product Version: REB500 versions 8.3.3.0 and prior
Product Status: known_affected

Remediations

Vendor fix
Hitachi Energy recommends that users update to version 8.3.3.1.

Mitigation
For CVE-2026-2459, as a mitigation strategy, users may also disable the Installer role and enable it only during the firmware update process.

Relevant CWE: CWE-267 Privilege Defined With Unsafe Actions


Metrics

CVSS Version: 3.1
Base Score: 6.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE-2026-2460

A vulnerability exists in REB500 that allows an authenticated user with low-level privileges to use the DAC protocol to access and alter the content of directories that the user is not authorized to access or alter.


Affected Products

Hitachi Energy Relion REB500 Product
Vendor: Hitachi Energy
Product Version: REB500 versions 8.3.3.0 and prior
Product Status: known_affected

Remediations

Vendor fix
Update to version 8.3.3.1

Mitigation
Apply general mitigation factors

Relevant CWE: CWE-267 Privilege Defined With Unsafe Actions


Metrics

CVSS Version: 3.1
Base Score: 6.8
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Acknowledgments

  • Hitachi Energy reported this vulnerability to CISA.

Notice

The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.


Support

For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.


General Mitigation Factors

Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.


Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.


Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000217 from a direct conversion of the vendor’s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA’s website as a means of increasing visibility and is provided “as-is” for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.

Revision History

  • Initial Release Date: 2026-02-24
  • 2026-02-24, Revision 1: Initial public release
  • 2026-03-03, Revision 2: Initial CISA Republication of Hitachi Energy PSIRT 8DBD000217 advisory

Hitachi Energy RTU500 Product

Summary

Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. Successful exploitation of these vulnerabilities can result in the exposure of low-value user management information and device outage. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

The following versions of Hitachi Energy RTU500 Product are affected:

  • RTU500 series CMU Firmware vers:RTU500_series_CMU_Firmware/>=12.7.1|<=12.7.7, vers:RTU500_series_CMU_Firmware/>=13.5.1|<=13.5.4, vers:RTU500_series_CMU_Firmware/>=13.6.1|<=13.6.2, vers:RTU500_series_CMU_Firmware/>=13.7.1|<=13.7.7, 13.8.1 

  • CVSS: v3 7.5
  • Vendor: Hitachi Energy
  • Equipment: Hitachi Energy RTU500 Product
  • Vulnerabilities: Improper Handling of Insufficient Permissions or Privileges, Incomplete List of Disallowed Inputs, Uncontrolled Recursion, Allocation of Resources Without Limits or Throttling

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2026-1772

RTU500 web interface: An unprivileged user can read user management information. The information is not exposed through the RTU500 web user interface itself; reading it without the required privileges takes further tools such as browser development utilities.

Affected Products

Hitachi Energy RTU500 Product

  • Vendor: Hitachi Energy
  • Product Version: RTU500 series CMU Firmware version 12.7.1 through 12.7.7, RTU500 series CMU Firmware version 13.5.1 through 13.5.4, RTU500 series CMU Firmware version 13.6.1 through 13.6.2, RTU500 series CMU Firmware version 13.7.1 through 13.7.7, RTU500 series CMU Firmware version 13.8.1
  • Product Status: known_affected

Remediations

  • Vendor fix: Update to CMU Firmware version 12.7.8
  • Mitigation: Follow general mitigation factors/workarounds
  • Vendor fix: Update to CMU Firmware version 13.7.8 or latest
  • Vendor fix: Update to CMU Firmware version 13.8.2

Relevant CWE: CWE-280 Improper Handling of Insufficient Permissions or Privileges

Metrics

  • CVSS Version: 3.1
  • Base Score: 4.3
  • Base Severity: MEDIUM
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2026-1773

IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.

Affected Products

Hitachi Energy RTU500 Product

  • Vendor: Hitachi Energy
  • Product Version: RTU500 series CMU Firmware version 12.7.1 through 12.7.7, RTU500 series CMU Firmware version 13.5.1 through 13.5.4, RTU500 series CMU Firmware version 13.6.1 through 13.6.2, RTU500 series CMU Firmware version 13.7.1 through 13.7.7, RTU500 series CMU Firmware version 13.8.1
  • Product Status: known_affected

Remediations

  • Vendor fix: Update to CMU Firmware version 12.7.8
  • Mitigation: Follow general mitigation factors/workarounds
  • Vendor fix: Update to CMU Firmware version 13.7.8 or latest
  • Vendor fix: Update to CMU Firmware version 13.8.2

Relevant CWE: CWE-184 Incomplete List of Disallowed Inputs

Metrics

  • CVSS Version: 3.1
  • Base Score: 7.5
  • Base Severity: HIGH
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2024-8176

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. Product is only affected if IEC61850 functionality is configured.

Affected Products

Hitachi Energy RTU500 Product

  • Vendor: Hitachi Energy
  • Product Version: RTU500 series CMU Firmware version 12.7.1 through 12.7.7, RTU500 series CMU Firmware version 13.5.1 through 13.5.4, RTU500 series CMU Firmware version 13.6.1 through 13.6.2, RTU500 series CMU Firmware version 13.7.1 through 13.7.7, RTU500 series CMU Firmware version 13.8.1
  • Product Status: known_affected

Remediations

  • Vendor fix: Update to CMU Firmware version 12.7.8
  • Mitigation: Follow general mitigation factors/workarounds
  • Vendor fix: Update to CMU Firmware version 13.7.8 or latest
  • Vendor fix: Update to CMU Firmware version 13.8.2

Relevant CWE: CWE-674 Uncontrolled Recursion

Metrics

  • CVSS Version: 3.1
  • Base Score: 7.5
  • Base Severity: HIGH
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-59375

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. Product is only affected if IEC61850 functionality is configured.

Affected Products

Hitachi Energy RTU500 Product

  • Vendor: Hitachi Energy
  • Product Version: RTU500 series CMU Firmware version 12.7.1 through 12.7.7, RTU500 series CMU Firmware version 13.5.1 through 13.5.4, RTU500 series CMU Firmware version 13.6.1 through 13.6.2, RTU500 series CMU Firmware version 13.7.1 through 13.7.7, RTU500 series CMU Firmware version 13.8.1
  • Product Status: known_affected

Remediations

  • Vendor fix: Update to CMU Firmware version 12.7.8
  • Mitigation: Follow general mitigation factors/workarounds
  • Vendor fix: Update to CMU Firmware version 13.7.8 or latest
  • Vendor fix: Update to CMU Firmware version 13.8.2

Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling

Metrics

  • CVSS Version: 3.1
  • Base Score: 7.5
  • Base Severity: HIGH
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments

  • Hitachi Energy PSIRT reported these vulnerabilities to CISA.


Support

For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.


General Mitigation Factors

Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.



Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.


Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000237 from a direct conversion of the vendor’s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA’s website as a means of increasing visibility and is provided “as-is” for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.

Revision History

  • Initial Release Date: 2026-02-24
  • 2026-02-24, Revision 1: Initial public release
  • 2026-03-03, Revision 2: Initial CISA Republication of Hitachi Energy PSIRT 8DBD000237 advisory

Portwell Engineering Toolkits

Summary

Successful exploitation of this vulnerability could allow a local attacker to escalate privileges or cause a denial-of-service condition.

The following versions of Portwell Engineering Toolkits are affected:

  • Portwell Engineering Toolkits 4.8.2

  • CVSS: v3 8.8
  • Vendor: Portwell
  • Equipment: Portwell Engineering Toolkits
  • Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer

Background

  • Critical Infrastructure Sectors: Critical Manufacturing, Energy
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Taiwan

Vulnerabilities

CVE-2026-3437

An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Portwell Engineering Toolkits version 4.8.2 could allow a local authenticated attacker to read and write to arbitrary memory via the Portwell Engineering Toolkits driver. Successful exploitation of this vulnerability could result in escalation of privileges or cause a denial-of-service condition.

Affected Products

Portwell Engineering Toolkits

  • Vendor: Portwell
  • Product Version: Portwell Portwell Engineering Toolkits: 4.8.2
  • Product Status: known_affected

Remediations

  • Vendor fix: Portwell has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of Portwell Engineering Toolkits are invited to contact Portwell customer support (https://portwell.com/support.php) for additional information.

Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Metrics

  • CVSS Version: 3.1
  • Base Score: 8.8
  • Base Severity: HIGH
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Acknowledgments

  • Jason Huang of Cyber Threat & Product Defense Center of TXOne Networks Inc. reported this vulnerability to CISA


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.


Revision History

  • Initial Release Date: 2026-03-03
  • 2026-03-03, Revision 1: Initial Publication

Labkotec LID-3300IP

Summary

Successful exploitation of this vulnerability could allow attackers to gain unauthorized control over system operations, leading to disruption of normal functionality and potential safety hazards.

The following versions of Labkotec LID-3300IP are affected:

  • LID-3300IP vers:all/*
  • LID-3300IP Type 2

  • CVSS: v3 9.4
  • Vendor: Labkotec
  • Equipment: Labkotec LID-3300IP
  • Vulnerabilities: Missing Authentication for Critical Function

Background

  • Critical Infrastructure Sectors: Communications, Energy
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Finland

Vulnerabilities

CVE-2026-1775

The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially crafted packets are sent to the device.

Affected Products

Labkotec LID-3300IP

  • Vendor: Labkotec
  • Product Version: Labkotec LID-3300IP: vers:all/*, Labkotec LID-3300IP Type 2: <V2.20
  • Product Status: known_affected

Remediations

  • Vendor fix: Labkotec reports that it is not possible to implement secure and encrypted network traffic on the LID-3300IP. For this reason, Labkotec recommends updating ice detectors to the LID-3300IP Type 2 model and installing the latest firmware version V2.40. It is also highly recommended to activate HTTPS for network traffic. The device type and software version can be verified in the web interface.
  • Mitigation: Devices not connected to an Ethernet network are not susceptible to this attack. Ice detectors operating on secure internal networks that adhere to modern security standards, where only authorized devices and users have access, are protected against external threats.
  • Mitigation: Labkotec recommends implementing the following additional security controls:
      • Do not connect the device to the public Internet
      • Follow good security practices
      • Change Default Credentials
      • Enable Secure Management Access
      • Network Segmentation
      • Implement Firewall and Access Controls
      • Restrict Protocols
      • Monitor and Alert
      • Avoid Direct Internet Exposure
      • Keep Firmware Updated
      • Control Physical Access
      • Maintain Inventory and Access Reviews
  • Mitigation: Users can find more information in Labkotec’s security advisory (https://labkotec.fi/wp-content/uploads/CA-000001-Cybersecurity-Advisory.pdf).

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

  • CVSS Version: 3.1
  • Base Score: 9.4
  • Base Severity: CRITICAL
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Acknowledgments

  • Souvik Kandar reported this vulnerability to CISA


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-03-03
  • 2026-03-03, Revision 1: Initial Publication

Mobiliti e-mobi.hu

Summary

Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

The following versions of Mobiliti e-mobi.hu are affected:

  • e-mobi.hu vers:all/*

  • CVSS: v3 9.4
  • Vendor: Mobiliti
  • Equipment: Mobiliti e-mobi.hu
  • Vulnerabilities: Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

  • Critical Infrastructure Sectors: Energy, Transportation Systems
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Hungary

Vulnerabilities

CVE-2026-26051

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Affected Products

Mobiliti e-mobi.hu

  • Vendor: Mobiliti
  • Product Version: Mobiliti e-mobi.hu: vers:all/*
  • Product Status: known_affected

Remediations

  • Mitigation: Mobiliti did not respond to CISA’s request for coordination. Contact Mobiliti using their contact page here: https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

  • CVSS Version: 3.1
  • Base Score: 9.4
  • Base Severity: CRITICAL
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-20882

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

Affected Products

Mobiliti e-mobi.hu

  • Vendor: Mobiliti
  • Product Version: Mobiliti e-mobi.hu: vers:all/*
  • Product Status: known_affected

Remediations

  • Mitigation: Mobiliti did not respond to CISA’s request for coordination. Contact Mobiliti using their contact page here: https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

  • CVSS Version: 3.1
  • Base Score: 7.5
  • Base Severity: HIGH
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-27764

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Affected Products

Mobiliti e-mobi.hu

  • Vendor: Mobiliti
  • Product Version: Mobiliti e-mobi.hu: vers:all/*
  • Product Status: known_affected

Remediations

  • Mitigation: Mobiliti did not respond to CISA’s request for coordination. Contact Mobiliti using their contact page here: https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration

Metrics

  • CVSS Version: 3.1
  • Base Score: 7.3
  • Base Severity: HIGH
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-27777

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

Mobiliti e-mobi.hu

  • Vendor: Mobiliti
  • Product Version: Mobiliti e-mobi.hu: vers:all/*
  • Product Status: known_affected

Remediations

  • Mitigation: Mobiliti did not respond to CISA’s request for coordination. Contact Mobiliti using their contact page here: https://www.mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials

Metrics

  • CVSS Version: 3.1
  • Base Score: 6.5
  • Base Severity: MEDIUM
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

  • Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-03-03
  • 2026-03-03, Revision 1: Initial Publication

ePower epower.ie

Summary

Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

The following versions of ePower epower.ie are affected:

  • epower.ie vers:all/* 

  • CVSS: v3 9.4
  • Vendor: ePower
  • Equipment: ePower epower.ie
  • Vulnerabilities: Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

  • Critical Infrastructure Sectors: Energy, Transportation Systems
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Ireland

Vulnerabilities

CVE-2026-22552

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Affected Products

ePower epower.ie

  • Vendor: ePower
  • Product Version: ePower epower.ie: vers:all/*
  • Product Status: known_affected

Remediations

  • Vendor fix: ePower did not respond to CISA’s request for coordination. Contact ePower using their contact page here: https://www.epower.ie/support/ for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

  • CVSS Version: 3.1
  • Base Score: 9.4
  • Base Severity: CRITICAL
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-27778

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

Affected Products

ePower epower.ie

  • Vendor: ePower
  • Product Version: ePower epower.ie: vers:all/*
  • Product Status: known_affected

Remediations

  • Vendor fix: ePower did not respond to CISA’s request for coordination. Contact ePower using their contact page here: https://www.epower.ie/support/ for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

  • CVSS Version: 3.1
  • Base Score: 7.5
  • Base Severity: HIGH
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-24912

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
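
The session handling behind these WebSocket findings (missing authentication, unlimited authentication attempts, and last-connection-wins sessions, here and in the matching Mobiliti e-mobi.hu entries), shown as an added example that is not code from ePower, Mobiliti or CISA. The class names, the per-station shared secret, the thresholds and the sample identifiers are all assumptions made for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field


class LastWriterWinsRegistry:
    """The weak pattern: the station identifier alone selects the session."""

    def __init__(self):
        self.sessions = {}

    def connect(self, station_id, conn):
        # No credential is checked and the newest socket silently replaces the
        # existing one, so backend commands follow whoever connected last.
        self.sessions[station_id] = conn
        return "accepted"


@dataclass
class BoundSessionRegistry:
    """Hardened form (hypothetical design, not a vendor fix)."""
    secrets: dict                       # station_id -> provisioned secret (bytes)
    max_failures: int = 5               # failed attempts allowed per peer per window
    window_seconds: float = 300.0
    idle_timeout: float = 120.0         # no heartbeat for this long: session is dead
    sessions: dict = field(default_factory=dict)   # station_id -> (conn, last_seen)
    failures: dict = field(default_factory=dict)   # peer -> (count, window_start)
    alerts: list = field(default_factory=list)

    def connect(self, station_id, presented, peer, conn, now=None):
        now = time.monotonic() if now is None else now

        # 1. Throttle by source address before touching any credential.
        count, start = self.failures.get(peer, (0, now))
        if now - start >= self.window_seconds:
            count, start = 0, now
            self.failures.pop(peer, None)
        if count >= self.max_failures:
            return "rejected:locked"

        # 2. Require a secret bound to the station; a public ID is not enough.
        #    Unknown IDs are compared against a dummy so timing stays uniform.
        expected = self.secrets.get(station_id)
        matches = hmac.compare_digest(presented, expected or b"\x00" * 32)
        if expected is None or not matches:
            self.failures[peer] = (count + 1, start)
            return "rejected:bad-credential"
        self.failures.pop(peer, None)

        # 3. Never displace a live session. Policy assumption: a reconnecting
        #    charger waits out idle_timeout, and every collision is alerted.
        live = self.sessions.get(station_id)
        if live and live[0] is not conn and now - live[1] < self.idle_timeout:
            self.alerts.append((station_id, peer, "duplicate-session"))
            return "rejected:duplicate"
        self.sessions[station_id] = (conn, now)
        return "accepted"

    def heartbeat(self, station_id, conn, now=None):
        """Refresh last_seen for the connection that owns the session."""
        now = time.monotonic() if now is None else now
        live = self.sessions.get(station_id)
        if live and live[0] is conn:
            self.sessions[station_id] = (conn, now)
            return True
        return False


def demo():
    """Replay one constructed sequence against both registries."""
    charger, second = object(), object()      # stand-ins for socket objects
    weak = LastWriterWinsRegistry()
    weak.connect("CS-EXAMPLE-01", charger)
    weak.connect("CS-EXAMPLE-01", second)

    strong = BoundSessionRegistry(secrets={"CS-EXAMPLE-01": b"constructed-secret"})
    results = [
        strong.connect("CS-EXAMPLE-01", b"constructed-secret", "192.0.2.10", charger, now=0.0),
        strong.connect("CS-EXAMPLE-01", b"", "192.0.2.77", second, now=1.0),
        strong.connect("CS-EXAMPLE-01", b"constructed-secret", "192.0.2.77", second, now=2.0),
    ]
    return weak.sessions["CS-EXAMPLE-01"] is second, results


if __name__ == "__main__":
    displaced, results = demo()
    print("weak registry displaced the first connection:", displaced)
    print("hardened registry:", results)
```

Throttling per source address rather than per station ID keeps failed guesses from locking the legitimate charger out of its own identifier.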

View CVE Details


Affected Products

ePower epower.ie
Vendor: ePower
Product Version: ePower epower.ie: vers:all/*
Product Status: known_affected

Remediations

Vendor fix
ePower did not respond to CISA’s request for coordination. Contact ePower using their contact page here: https://www.epower.ie/support/ for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration


Metrics

CVSS Version: 3.1
Base Score: 7.3
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
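
For CVE-2026-24912 above, the sketch below contrasts a registry in which the station identifier alone keys the session and the newest connection wins with a hardened one. This is an added example, not code from the advisory or from ePower; both classes, the per-station secret, the lifetime value and the sample identifiers are assumptions.

```python
import hmac
import secrets
import time


class InsecureRegistry:
    """Behaviour the advisory describes: the station ID alone keys the
    session, and the newest connection silently replaces the previous one."""

    def __init__(self):
        self.sessions = {}                    # station_id -> connection

    def connect(self, station_id, conn):
        self.sessions[station_id] = conn      # last writer wins
        return True


class HardenedRegistry:
    """Hypothetical fix: per-station secret, no displacement, bounded lifetime."""

    def __init__(self, station_secrets, max_age_s=3600.0, clock=time.monotonic):
        self._secrets = station_secrets       # station_id -> provisioned secret (bytes)
        self._max_age_s = max_age_s
        self._clock = clock
        self._sessions = {}                   # station_id -> (conn, token, created)

    def _live(self, station_id):
        s = self._sessions.get(station_id)
        if s and self._clock() - s[2] > self._max_age_s:
            del self._sessions[station_id]    # expired: station must re-authenticate
            return None
        return s

    def connect(self, station_id, presented_secret, conn):
        """Return a random session token, or None if the connect is refused."""
        expected = self._secrets.get(station_id, b"")
        if not expected or not hmac.compare_digest(expected, presented_secret):
            return None                       # knowing the ID is not enough
        if self._live(station_id):
            return None                       # never displace a live session
        token = secrets.token_urlsafe(32)     # unpredictable, unlike the ID
        self._sessions[station_id] = (conn, token, self._clock())
        return token

    def route(self, station_id):
        """Connection that backend commands for this station are sent to."""
        s = self._live(station_id)
        return s[0] if s else None
```

Refusing a second connection means a charger that reconnects after a dropped link waits until the old session expires, so a production design would pair this with a heartbeat that retires dead sessions sooner.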

CVE-2026-27770

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.


Affected Products

ePower epower.ie
Vendor: ePower
Product Version: ePower epower.ie: vers:all/*
Product Status: known_affected

Remediations

Vendor fix
ePower did not respond to CISA’s request for coordination. Contact ePower using their contact page here: https://www.epower.ie/support/ for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials


Metrics

CVSS Version: 3.1
Base Score: 6.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

  • Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-03-03
  • 2026-03-03, Revision 1: Initial Publication

Legal Notice and Terms of Use