Today, 26 June 2026: Security/Privacy

Third Defendant Sentenced To Prison For Hacking DraftKings

By: Dissent
25 June 2026 at 17:04
NATHAN AUSTAD, one of three people indicted for hacking DraftKings in 2022, has now been sentenced to 18 months in prison. In April, a second man, KAMERIN STOKES, a/k/a “TheMFNPlug,” was sentenced to 30 months in prison for his role, while JOSEPH GARRISON was sentenced in 2024 to 18 months: United States Attorney for the...


Colorado Health Network Notifies Patients of Last Year’s Breachβ€”But Key Details Remain Undisclosed

By: Dissent
25 June 2026 at 12:23
In August 2025, DataBreaches added the Colorado Health Network (CHN) to our non-public worksheets after threat actors called Cephalus added the provider to its dark web leak site with a claim that they had acquired 900 GB of data. Cephalus disappeared from public view days later, and never leaked the data on any server that...


No need to hack when it’s leaking: Dialog edition

By: Dissent
25 June 2026 at 08:48
Yes, another entry in our “no need to hack when it’s leaking” archives, and another example of entities trying to excuse their security failures by claiming they were “hacked.” Danny Bradbury cuts to the chase: Some organizations exist to be exclusive. They’re invite-only, and discreet, the kind of place where the membership directory is the...


Ukraine’s National Postal Service Ukrposhta Hacked Overnight

By: Dissent
25 June 2026 at 08:06
Kyiv Post reports: Ukrposhta, Ukraine’s national postal service, announced system malfunctions following a cyberattack overnight going into Thursday. In a brief update, the state-run postal service said it is working to restore operations and would provide updates as they become available. “Due to a nighttime hostile attack on IT systems, the Ukrposhta application is temporarily malfunctioning,”...


CISA Adds Two Known Exploited Vulnerabilities to Catalog

By: CISA
25 June 2026 at 08:00

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2026-12569 PTC Windchill and FlexPLM Improper Input Validation Vulnerability
  • CVE-2026-20230 Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.

While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV Catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance.

Daktronics Controller Firmware

By: CISA
25 June 2026 at 08:00


Summary

Successful exploitation of these vulnerabilities could provide an unauthenticated user with complete root-level access and control of the system.

The following versions of Daktronics Controller Firmware are affected:

  • VFC-DMP-5000 <v8.117.x.x
  • VFC-DMP-5000 <v9.43.x.x
  • VFC-DMP-5000 <v10.34.x.x
  • DMP-5000 <v10.34.x.x
  • DMP-5000 <v8.117.x.x
  • DMP-5000 <v9.43.x.x
  • DMP-8000 <v10.34.x.x
  • DMP-8000 <v8.117.x.x
  • DMP-8000 <v9.43.x.x

  • CVSS v3: 8.1
  • Vendor: Daktronics
  • Equipment: Daktronics Controller Firmware
  • Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Credentials

Background

  • Critical Infrastructure Sectors: Commercial Facilities, Information Technology, Emergency Services, Healthcare and Public Health
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities


CVE-2026-28701

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.



Affected Products

Daktronics Controller Firmware
Vendor:
Daktronics
Product Version:
Daktronics VFC-DMP-5000: <v8.117.x.x, Daktronics VFC-DMP-5000: <v9.43.x.x, Daktronics VFC-DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v8.117.x.x, Daktronics DMP-5000: <v9.43.x.x, Daktronics DMP-8000: <v10.34.x.x, Daktronics DMP-8000: <v8.117.x.x, Daktronics DMP-8000: <v9.43.x.x
Product Status:
known_affected
Remediations

Mitigation
Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x

Mitigation
Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.

Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


Metrics

CVSS 3.1 base score 7.7 (HIGH): CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 base score 9.3 (CRITICAL): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2026-33560

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. Exposed endpoints allow authenticated users to upload files of any type without validation: no file extension filtering or content inspection is enforced, so executable binaries and scripts are accepted and written directly to the server.



Affected Products

Daktronics Controller Firmware
Vendor:
Daktronics
Product Version:
Daktronics VFC-DMP-5000: <v8.117.x.x, Daktronics VFC-DMP-5000: <v9.43.x.x, Daktronics VFC-DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v8.117.x.x, Daktronics DMP-5000: <v9.43.x.x, Daktronics DMP-8000: <v10.34.x.x, Daktronics DMP-8000: <v8.117.x.x, Daktronics DMP-8000: <v9.43.x.x
Product Status:
known_affected
Remediations

Mitigation
Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x

Mitigation
Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.

Relevant CWE: CWE-434 Unrestricted Upload of File with Dangerous Type


Metrics

CVSS 3.1 base score 7.1 (HIGH): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CVSS 4.0 base score 8.4 (HIGH): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

CVE-2026-31928

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.



Affected Products

Daktronics Controller Firmware
Vendor:
Daktronics
Product Version:
Daktronics VFC-DMP-5000: <v8.117.x.x, Daktronics VFC-DMP-5000: <v9.43.x.x, Daktronics VFC-DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v10.34.x.x, Daktronics DMP-5000: <v8.117.x.x, Daktronics DMP-5000: <v9.43.x.x, Daktronics DMP-8000: <v10.34.x.x, Daktronics DMP-8000: <v8.117.x.x, Daktronics DMP-8000: <v9.43.x.x
Product Status:
known_affected
Remediations

Mitigation
Daktronics recommends users update their device software to one of the following versions (based on product configuration in use): 8.117.0.x, 9.43.0.x, or 10.34.0.x

Mitigation
Daktronics recommends updating the default passwords and encourages using strong, unique credentials per device.

Relevant CWE: CWE-798 Use of Hard-coded Credentials


Metrics

CVSS 3.1 base score 8.1 (HIGH): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 base score 9.3 (CRITICAL): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Acknowledgments

  • Thomas Jou of Princeton University reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-06-25
  • Revision 1 (2026-06-25): Initial Publication


Delta Electronics DTM Soft

By: CISA
25 June 2026 at 08:00


Summary

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

The following versions of Delta Electronics DTM Soft are affected:

  • DTMSoft vers:all/*

  • CVSS v3: 7.8
  • Vendor: Delta Electronics
  • Equipment: Delta Electronics DTM Soft
  • Vulnerabilities: Deserialization of Untrusted Data

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Taiwan

Vulnerabilities


CVE-2026-12578

The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.



Affected Products

Delta Electronics DTM Soft
Vendor:
Delta Electronics
Product Version:
Delta Electronics DTMSoft: vers:all/*
Product Status:
known_affected
Remediations

Mitigation
Delta Electronics is aware of the vulnerability and is currently working on a fix.

Mitigation
Delta Electronics recommends users apply the following workarounds:

Mitigation
Do not open unsolicited project files: Do not open or import unsolicited project files, untrusted Internet links, or unexpected attachments from emails, network shares, or USB drives. Always verify the source of the file before opening it.

Mitigation
Avoid running as administrator: Do not use the "Run as Administrator" option when launching the software. Running the software with standard user privileges effectively limits the damage of potential malicious code.

Mitigation
For more information refer to Delta Electronics' advisory page https://www.deltaww.com/en-US/service-support/product-cybersecurity/advisory

Relevant CWE: CWE-502 Deserialization of Untrusted Data


Metrics

CVSS 3.1 base score 7.8 (HIGH): CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 base score 8.4 (HIGH): CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Acknowledgments

  • kimiya of TrendAI Zero Day Initiative reported this vulnerability to CISA



Recommended Practices


CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.


Revision History

  • Initial Release Date: 2026-06-25
  • Revision 1 (2026-06-25): Initial Republication of Delta-PCSA-2026-00010_DT


OHIF Viewers DICOM

By: CISA
25 June 2026 at 08:00


Summary

Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link.

The following versions of OHIF Viewers DICOM are affected:

  • OHIF DICOM Web Viewer Framework <=v3.12.0

  • CVSS v3: 8.2
  • Vendor: Open Health Imaging Foundation (OHIF)
  • Equipment: OHIF Viewers DICOM
  • Vulnerabilities: Server-Side Request Forgery (SSRF)

Background

  • Critical Infrastructure Sectors: Healthcare and Public Health
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities


CVE-2026-12473

Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted.



Affected Products

OHIF Viewers DICOM
Vendor:
Open Health Imaging Foundation (OHIF)
Product Version:
Open Health Imaging Foundation (OHIF) OHIF DICOM Web Viewer Framework: <=v3.12.0
Product Status:
known_affected
Remediations

Mitigation
The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12).

Mitigation
Users are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js.

Mitigation
Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with.
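The mitigation above is an origin allowlist: a data source may fetch, with the clinician's token attached, only from origins the operator has explicitly approved. The Python below is an added example of such a check and is not OHIF's code (OHIF is JavaScript, and the exact matching rules of its dangerouslyAllowedOriginsForAuthenticatedEnvironments setting are not reproduced here). The allowlist entries and URLs are constructed for the demonstration, and refusing the fetch outright rather than merely dropping the token is a design choice made here. The check normalises scheme, host case and default ports, and rejects the userinfo and look-alike-subdomain URLs that a naive string-prefix comparison would accept.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration; entries are origins,
# i.e. scheme://host[:port] with no path.
ALLOWED_ORIGINS = frozenset({
    "https://pacs.hospital.example",
    "https://pacs.hospital.example:8443",
})

_DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the normalised origin of url, or None if it has no usable one.
    Only the parsed hostname counts: userinfo ('user@host'), paths and query
    strings cannot influence the result, and default ports are dropped so
    'https://h:443/' and 'https://h/' compare equal."""
    parts = urlsplit(url)
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == _DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_allowed_origin(url, allowed_origins=ALLOWED_ORIGINS):
    """Exact origin membership, never a prefix or substring match."""
    origin = origin_of(url)
    return origin is not None and origin in allowed_origins


def build_authenticated_request(url, bearer_token, allowed_origins=ALLOWED_ORIGINS):
    """Return (url, headers) for a data-source fetch that carries the user's
    token. Refuse any URL whose origin is not allowlisted, so the token can
    never be sent to a host the operator did not approve."""
    if not is_allowed_origin(url, allowed_origins):
        raise PermissionError(
            f"refusing to fetch from non-allowlisted origin: {origin_of(url)!r}")
    headers = {
        "Accept": "application/dicom+json",
        "Authorization": f"Bearer {bearer_token}",
    }
    return url, headers


if __name__ == "__main__":
    # Constructed URLs: two that should pass and three that must not.
    for candidate in (
        "https://pacs.hospital.example/studies",
        "https://PACS.Hospital.example:443/studies?x=1",
        "https://pacs.hospital.example@evil.example/",
        "https://pacs.hospital.example.evil.example/",
        "http://pacs.hospital.example/",
    ):
        print(f"{is_allowed_origin(candidate)!s:5} {candidate}")
```

The point of comparing whole origins rather than checking `url.startswith("https://pacs.hospital.example")` is visible in the last three cases: the userinfo and subdomain look-alikes both start with the approved string, and the plain-http variant shares the host but not the scheme.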

Relevant CWE: CWE-918 Server-Side Request Forgery (SSRF)


Metrics

CVSS 3.1 base score 8.2 (HIGH): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CVSS 4.0 base score 8.3 (HIGH): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Acknowledgments

  • Simon Weber and Volker Schönefeld of Machine Spirits UG reported this vulnerability to CISA



Recommended Practices


No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-06-25
  • Revision 1 (2026-06-25): Initial Publication


H.VIEW HV-500S6 IP Camera

By: CISA
25 June 2026 at 08:00


Summary

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code and upload malicious files to the affected device.

The following versions of H.VIEW HV-500S6 IP Camera are affected:

  • H.VIEW HV-500S6 IP Camera IPCAM_V4.06.88.251229

  • CVSS v3: 7.2
  • Vendor: H.VIEW
  • Equipment: H.VIEW HV-500S6 IP Camera
  • Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Unrestricted Upload of File with Dangerous Type

Background

  • Critical Infrastructure Sectors: Commercial Facilities
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: China

Vulnerabilities


CVE-2026-55975

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a backend certificate creation command without proper input validation. This may allow for command execution with elevated privileges during certificate generation.



Affected Products

H.VIEW HV-500S6 IP Camera
Vendor:
H.VIEW
Product Version:
H.VIEW H.VIEW HV-500S6 IP Camera: IPCAM_V4.06.88.251229
Product Status:
known_affected
Remediations

Mitigation
H.View did not respond to CISA's request to coordinate. Users are encouraged to reach out to H.View for support. https://hviewsmart.com/pages/contact-us

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')


Metrics

CVSS 3.1 base score 7.2 (HIGH): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 base score 8.6 (HIGH): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2026-56414

A vulnerability exists in H.View IP cameras: the certificate-related upload interfaces allow authenticated users to store arbitrary file content at fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of unexpected or malformed data in locations intended for trusted certificate material, which could affect system integrity or behavior even after a reboot.



Affected Products

H.VIEW HV-500S6 IP Camera
Vendor:
H.VIEW
Product Version:
H.VIEW H.VIEW HV-500S6 IP Camera: IPCAM_V4.06.88.251229
Product Status:
known_affected
Remediations

Mitigation
H.View did not respond to CISA's request to coordinate. Users are encouraged to reach out to H.View for support. https://hviewsmart.com/pages/contact-us

Relevant CWE: CWE-434 Unrestricted Upload of File with Dangerous Type


Metrics

CVSS 3.1 base score 7.2 (HIGH): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 base score 8.6 (HIGH): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Acknowledgments

  • Fukuhara Rikuto of Smooth Inc. (CTO) and Hosei University reported these vulnerabilities to CISA



Recommended Practices


No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-06-25
  • Revision 1 (2026-06-25): Initial Publication


pydicom pynetdicom Library

By: CISA
25 June 2026 at 08:00


Summary

Successful exploitation of this vulnerability could allow an unauthenticated attacker to write to arbitrary file paths.

The following versions of pydicom pynetdicom Library are affected:

  • pynetdicom >=v1.0.0|<v3.0.4

  • CVSS v3: 9.1
  • Vendor: pydicom
  • Equipment: pydicom pynetdicom Library
  • Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Background

  • Critical Infrastructure Sectors: Healthcare and Public Health
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities


CVE-2026-56445

The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.
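The pattern described above, an identifier taken from an attacker-supplied dataset and passed straight to os.path.join(), is the general CWE-22 case: a '..' component walks out of the storage directory, and an absolute "identifier" makes join() discard the base directory entirely. The Python below is an added example and not pynetdicom's code; it places that unsafe join beside a hardened replacement that validates the identifier as a DICOM UID and then confirms the resolved path is still inside the storage directory. The storage directory and identifiers are constructed for the demonstration, and treating the identifier as a SOP Instance UID is an assumption, since the advisory says only "a specific instance".

```python
import posixpath
import re

# Constructed storage directory for the demonstration; qrscp writes wherever
# the operator configured. posixpath is used instead of os.path so the
# example behaves identically on every host; real code would use os.path.
STORE_DIR = "/var/lib/qrscp/instances"

# A DICOM UID consists of digits and dots only, at most 64 characters
# (PS3.5, section 9.1). Anything else is not a UID and should never become
# a filename component. (Assumption: the identifier is a SOP Instance UID.)
_UID_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


def unsafe_storage_path(base_dir, instance_uid):
    """The pattern the advisory describes: the dataset-supplied identifier
    goes straight into the path join with no validation."""
    return posixpath.join(base_dir, instance_uid)


def escapes_store(base_dir, instance_uid):
    """True if the unsafe join would resolve to a file outside base_dir."""
    base = posixpath.abspath(base_dir)
    target = posixpath.abspath(unsafe_storage_path(base, instance_uid))
    return posixpath.commonpath([base, target]) != base


def safe_storage_path(base_dir, instance_uid):
    """Hardened replacement: validate the identifier as a UID, then confirm
    the resolved path is still inside base_dir before returning it."""
    if len(instance_uid) > 64 or not _UID_RE.match(instance_uid):
        raise ValueError(f"refusing non-UID instance identifier: {instance_uid!r}")
    base = posixpath.abspath(base_dir)
    target = posixpath.abspath(posixpath.join(base, instance_uid))
    # The regex already forbids '/', '..' and absolute paths; the containment
    # check is defence in depth in case the validation is later relaxed.
    if posixpath.commonpath([base, target]) != base:
        raise ValueError(f"resolved path escapes {base}: {target}")
    return target


if __name__ == "__main__":
    # Constructed identifiers: one genuine-looking UID, two traversal attempts.
    for uid in ("1.2.840.10008.5.1.4.1.1.2.1",
                "../../../tmp/not-a-uid",
                "/tmp/absolute-path"):
        print(f"{uid!r}: unsafe join escapes store = {escapes_store(STORE_DIR, uid)}")
        try:
            print("  safe path:", safe_storage_path(STORE_DIR, uid))
        except ValueError as err:
            print("  rejected:", err)
```

Validating the syntax first matters more than the containment check: a UID regex rejects every traversal string outright, while a containment check alone would still accept odd but in-directory names, and the two together survive a future change to either.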



Affected Products

pydicom pynetdicom Library
Vendor:
pydicom
Product Version:
pydicom pynetdicom: >=v1.0.0|<v3.0.4
Product Status:
known_affected
Remediations

Vendor fix
The maintainer of pynetdicom has not responded to requests to work with CISA to mitigate this vulnerability. For update information, refer to the github page https://github.com/pydicom/pynetdicom.

Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


Metrics

CVSS 3.1 base score 9.1 (CRITICAL): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0 base score 8.8 (HIGH): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Acknowledgments

  • Simon Weber and Volker Schönefeld of Machine Spirits UG reported this vulnerability to CISA



Recommended Practices


No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-06-25
  • Revision 1 (2026-06-25): Initial Publication


Schneider Electric PowerLogic P7

By: CISA
25 June 2026 at 08:00


Summary

Schneider Electric is aware of a vulnerability in its PowerLogic™ P7 product. The PowerLogic™ P7 is a protection and control platform designed for complex and advanced electrical network applications. Failure to apply the remediation provided below may risk unauthorized execution of privileged commands or loss of HMI operability and configuration functionality, which could result in loss of control over system operations and disruption of critical services.

The following versions of Schneider Electric PowerLogic P7 are affected:

  • PowerLogic™ P7 vers:intdot/<=0.2.003.001.000
  • PowerLogic™ P7 0.2.003.001.000

  • CVSS v3: 7.5
  • Vendor: Schneider Electric
  • Equipment: Schneider Electric PowerLogic P7
  • Vulnerabilities: NULL Pointer Dereference, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Reachable Assertion

Background

  • Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: France

Vulnerabilities


CVE-2026-9716

CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the device’s HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces.



Affected Products

Schneider Electric PowerLogic P7
Vendor:
Schneider Electric
Product Version:
PowerLogic™ P7 version 0.2.003.001.000 and prior
Product Status:
fixed, known_affected
Remediations

Vendor fix
Version V02.004.001 of PowerLogic™ P7 includes a fix for this vulnerability and is available for download. Contact Schneider Electric’s Customer Care Center to download this firmware. Reboot needed: Yes

Mitigation
If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  • Restrict network access to P7 service endpoints (ports 8080 and 3702)
  • Monitor and alert on anomalous SOAP requests targeting wsApp
  • Limit administrative access and apply least privilege principles for all users interacting with P7.

Relevant CWE: CWE-476 NULL Pointer Dereference


Metrics

CVSS 3.1 base score 7.5 (HIGH): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-9717

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.

Affected Products

Schneider Electric PowerLogic P7
Vendor:
Schneider Electric
Product Version:
PowerLogicβ„’ P7 version 0.2.003.001.000 and prior
Product Status:
fixed, known_affected
Remediations

Vendor fix
Version V02.004.001 of PowerLogic™ P7 includes a fix for this vulnerability and is available for download. Contact Schneider Electric’s Customer Care Center to download this firmware. Reboot needed: Yes

Mitigation
If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  • Restrict network access to P7 service endpoints (ports 8080 and 3702)
  • Monitor and alert on anomalous SOAP requests targeting wsApp
  • Limit administrative access and apply least privilege principles for all users interacting with P7.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')


Metrics

CVSS v3.1: 7.2 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2026-9718

CWE-617 Reachable Assertion vulnerability exists that could allow an authenticated attacker to trigger a denial-of-service condition, impacting system availability when a specially crafted request is sent to a vulnerable network-exposed service.

Affected Products

Schneider Electric PowerLogic P7
Vendor:
Schneider Electric
Product Version:
PowerLogicβ„’ P7 version 0.2.003.001.000 and prior
Product Status:
fixed, known_affected
Remediations

Vendor fix
Version V02.004.001 of PowerLogic™ P7 includes a fix for this vulnerability and is available for download. Contact Schneider Electric’s Customer Care Center to download this firmware. Reboot needed: Yes

Mitigation
If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  • Restrict network access to P7 service endpoints (ports 8080 and 3702)
  • Monitor and alert on anomalous SOAP requests targeting wsApp
  • Limit administrative access and apply least privilege principles for all users interacting with P7.

Relevant CWE: CWE-617 Reachable Assertion


Metrics

CVSS v3.1: 4.9 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Acknowledgments

  • Schneider Electric CPCERT reported these vulnerabilities to CISA.
  • Cytrics reported these vulnerabilities to Schneider Electric.

General Security Recommendations

We strongly recommend the following industry cybersecurity best practices (see https://www.se.com/us/en/download/document/7EN52-0390/):
  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.


For More Information

This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process. For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp


LEGAL DISCLAIMER

THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS β€œNOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN β€œAS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION


About Schneider Electric

At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment. We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries. We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values. www.se.com


Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.


Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Schneider Electric CPCERT SEVD-2026-160-03 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Schneider Electric CPCERT directly for any questions regarding this advisory.

Revision History

  • Initial Release Date: 2026-06-09
  • 2026-06-09, Revision 1: Original Release
  • 2026-06-25, Revision 2: Initial CISA Republication of Schneider Electric CPCERT SEVD-2026-160-03 advisory

Legal Notice and Terms of Use

Yokogawa FAST/TOOLS and CI Server

By: CISA
25 June 2026 at 08:00

View CSAF

Summary

Successful exploitation of this vulnerability may return a response containing the CI Server setting information.

The following versions of Yokogawa FAST/TOOLS and CI Server are affected:

  • FAST/TOOLS >=R9.01|<=R10.04Β 
  • Collaborative Information Server (CI Server) >=R1.01|<=R1.04
CVSS: v3 7.5
Vendor: Yokogawa
Equipment: Yokogawa FAST/TOOLS and CI Server
Vulnerabilities: Cleartext Transmission of Sensitive Information

Background

  • Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Japan

Vulnerabilities

CVE-2026-11833

The web server may return a response containing the CI Server setting information. This information could be exploited by an attacker for other attacks.

Affected Products

Yokogawa FAST/TOOLS and CI Server
Vendor:
Yokogawa
Product Version:
Yokogawa FAST/TOOLS: >=R9.01|<=R10.04, Yokogawa Collaborative Information Server (CI Server): >=R1.01|<=R1.04
Product Status:
known_affected
Remediations

Vendor fix
Yokogawa recommends users update FAST/TOOLS up to R10.04 and apply patch software (R10.04 SP4).

Mitigation
Yokogawa recommends users update Collaborative Information Server (CI Server) up to R1.05.

Mitigation
For more information and details on implementing these mitigations, users should see the Yokogawa security advisory report YSAR-26-0004 at: https://web-material3.yokogawa.com/1/39777/files/YSAR-26-0004-E.pdf

Mitigation
For questions related to this report, please contact the below.Β 
https://contact.yokogawa.com/cs/gw?c-id=000498

Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information


Metrics

CVSS v3.1: 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: 8.2 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Acknowledgments

  • Yokogawa reported this vulnerability to JPCERT/CC

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-06-25
  • 2026-06-25, Revision 1: Initial CISA Republication of Yokogawa Security Advisory Report YSAR-26-0004

Legal Notice and Terms of Use

EVoke Systems Charging Station Management System

By: CISA
25 June 2026 at 08:00

View CSAF

Summary

Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

The following versions of EVoke Systems Charging Station Management System are affected:

  • EVoke CSMS vers:all/*Β 
CVSS: v3 9.4
Vendor: EVoke Systems
Equipment: EVoke Systems Charging Station Management System
Vulnerabilities: Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

  • Critical Infrastructure Sectors: Energy, Transportation Systems
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities

CVE-2026-40702

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.

Affected Products

EVoke Systems Charging Station Management System
Vendor:
EVoke Systems
Product Version:
EVoke Systems EVoke CSMS: vers:all/*
Product Status:
known_affected
Remediations

Vendor fix
EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.

Vendor fix
EVoke states that certain legacy charger models deployed on the network are no longer supported by the manufacturer (for example, chargers originally produced by EVBox). These devices cannot be upgraded to support stronger security profiles. For chargers limited to Security Profiles 0 or 1, EVoke is implementing additional server-side protections to mitigate spoofing risks. Connections will only be accepted from allow-listed chargers, that is, chargers whose IDs are registered in the EVoke CSMS inventory database. Unknown charger identifiers will be rejected.

Mitigation
EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.

Mitigation
EVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review.

Mitigation
EVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns.

Mitigation
EVoke states they are developing a lifecycle policy for legacy chargers that cannot support modern OCPP security profiles. This policy will include:
  • identification of unsupported EVSE models and risk classification
  • migration planning with site operators where possible

Mitigation
Contact EVoke using their contact page: https://evokesystems.com/contact-us/ for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function


Metrics

CVE-2026-50176

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.

Affected Products

EVoke Systems Charging Station Management System
Vendor:
EVoke Systems
Product Version:
EVoke Systems EVoke CSMS: vers:all/*
Product Status:
known_affected
Remediations

Vendor fix
EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.

Vendor fix
EVoke states that certain legacy charger models deployed on the network are no longer supported by the manufacturer (for example, chargers originally produced by EVBox). These devices cannot be upgraded to support stronger security profiles. For chargers limited to Security Profiles 0 or 1, EVoke is implementing additional server-side protections to mitigate spoofing risks. Connections will only be accepted from allow-listed chargers, that is, chargers whose IDs are registered in the EVoke CSMS inventory database. Unknown charger identifiers will be rejected.

Mitigation
EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.

Mitigation
EVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review.

Mitigation
EVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns.

Mitigation
EVoke states they are developing a lifecycle policy for legacy chargers that cannot support modern OCPP security profiles. This policy will include:
  • identification of unsupported EVSE models and risk classification
  • migration planning with site operators where possible

Mitigation
Contact EVoke using their contact page: https://evokesystems.com/contact-us/ for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts


Metrics

CVE-2026-54479

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Affected Products

EVoke Systems Charging Station Management System
Vendor:
EVoke Systems
Product Version:
EVoke Systems EVoke CSMS: vers:all/*
Product Status:
known_affected
Remediations

Vendor fix
EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.

Vendor fix
EVoke states that certain legacy charger models deployed on the network are no longer supported by the manufacturer (for example, chargers originally produced by EVBox). These devices cannot be upgraded to support stronger security profiles. For chargers limited to Security Profiles 0 or 1, EVoke is implementing additional server-side protections to mitigate spoofing risks. Connections will only be accepted from allow-listed chargers, that is, chargers whose IDs are registered in the EVoke CSMS inventory database. Unknown charger identifiers will be rejected.

Mitigation
EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.

Mitigation
EVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review.

Mitigation
EVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns.

Mitigation
EVoke states they are developing a lifecycle policy for legacy chargers that cannot support modern OCPP security profiles. This policy will include:
  • identification of unsupported EVSE models and risk classification
  • migration planning with site operators where possible

Mitigation
Contact EVoke using their contact page: https://evokesystems.com/contact-us/ for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration


Metrics

CVE-2026-44622

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

EVoke Systems Charging Station Management System
Vendor:
EVoke Systems
Product Version:
EVoke Systems EVoke CSMS: vers:all/*
Product Status:
known_affected
Remediations

Vendor fix
EVoke states that as a hardware-agnostic platform supporting multiple charger Original Equipment Manufacturers (OEMs), EVoke must interoperate with EVSE devices that support different OCPP security profiles depending on the firmware capabilities of the charger. EVoke CSMS currently supports all OCPP security profiles (0–3). However, the effective security configuration for a charger connection is determined by the security profile implemented in the EVSE firmware. Some legacy chargers deployed in the network support only Security Profile 0 or 1. These chargers were installed prior to the broader industry adoption of stronger authentication mechanisms defined in OCPP Security Profiles 2 and 3. EVoke is actively working with charger OEM partners to migrate supported devices to Security Profile 2 (TLS encryption with basic authentication) or Security Profile 3 (Mutual TLS authentication using client certificates). For OEMs that continue to support firmware updates, EVoke will prioritize upgrades to enable Security Profiles 2 or 3.

Vendor fix
EVoke states that certain legacy charger models deployed on the network are no longer supported by the manufacturer (for example, chargers originally produced by EVBox). These devices cannot be upgraded to support stronger security profiles. For chargers limited to Security Profiles 0 or 1, EVoke is implementing additional server-side protections to mitigate spoofing risks. Connections will only be accepted from allow-listed chargers, that is, chargers whose IDs are registered in the EVoke CSMS inventory database. Unknown charger identifiers will be rejected.

Mitigation
EVoke states that to reduce the risk of duplicate sessions, only a single active connection per charger ID will be permitted. If a second connection using the same charger ID is detected, the new connection will be rejected or the previous session will be terminated. This prevents unauthorized actors from establishing parallel sessions using spoofed charger identifiers.

Mitigation
EVoke states that the platform will monitor session anomalies including repeated connection attempts, unexpected IP address changes, and abnormal message patterns. Security events will be logged and flagged for operational review.

Mitigation
EVoke states that to address the risk of denial-of-service via repeated authentication attempts, EVoke will implement connection rate limiting at the WebSocket gateway layer. These controls will restrict excessive connection attempts from the same source and temporarily block abusive traffic patterns.

Mitigation
EVoke states they are developing a lifecycle policy for legacy chargers that cannot support modern OCPP security profiles. This policy will include:
  • identification of unsupported EVSE models and risk classification
  • migration planning with site operators where possible

Mitigation
Contact EVoke using their contact page: https://evokesystems.com/contact-us/ for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials
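The allow-list, single-session-per-charger-ID and per-source rate-limiting controls that EVoke describes in the remediations above, modelled as a gateway admission decision. This is an added example, not EVoke's code; the charger IDs, IP addresses, thresholds and the AdmissionPolicy class are constructed for illustration.

```python
"""Connection-admission policy for an OCPP CSMS WebSocket gateway.

Added example, not EVoke's code. It models the server-side controls the advisory
describes for chargers limited to OCPP Security Profile 0/1:
  1. accept only charger IDs registered in the CSMS inventory (allow-list),
  2. permit one active connection per charger ID (reject the newcomer, or
     optionally terminate the previous session),
  3. rate-limit connection attempts per source and temporarily block abusers,
  4. log every rejected or anomalous attempt for operational review.
All charger IDs, IP addresses and thresholds are constructed sample values.
"""
import logging
from collections import deque
from dataclasses import dataclass, field

log = logging.getLogger("csms.gateway")


@dataclass
class AdmissionPolicy:
    registered_ids: set                  # charger IDs from the CSMS inventory
    max_attempts: int = 5                # attempts allowed per source per window
    window_s: float = 60.0
    block_s: float = 300.0               # temporary block once the limit is exceeded
    terminate_previous: bool = False     # False: reject the new connection instead
    active: dict = field(default_factory=dict)         # charger_id -> {"tag", "src_ip"}
    attempts: dict = field(default_factory=dict)       # src_ip -> deque of timestamps
    blocked_until: dict = field(default_factory=dict)  # src_ip -> unblock time
    terminated: list = field(default_factory=list)     # session tags the gateway must close

    def _rate_limited(self, src_ip, now):
        if now < self.blocked_until.get(src_ip, 0.0):
            return True
        q = self.attempts.setdefault(src_ip, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:      # drop attempts outside the window
            q.popleft()
        if len(q) > self.max_attempts:
            self.blocked_until[src_ip] = now + self.block_s
            log.warning("rate limit exceeded by %s; blocked for %.0fs", src_ip, self.block_s)
            return True
        return False

    def admit(self, charger_id, src_ip, session_tag, now):
        """Decide on a new WebSocket connection claiming to be `charger_id`.

        Returns (decision, reason) with decision in {"accept", "reject"}.
        On accept the session is recorded under the charger ID.
        """
        if self._rate_limited(src_ip, now):
            return "reject", "rate_limited"
        if charger_id not in self.registered_ids:
            log.warning("unknown charger id %r from %s", charger_id, src_ip)
            return "reject", "unknown_charger_id"
        prev = self.active.get(charger_id)
        if prev is not None:
            if prev["src_ip"] != src_ip:   # same ID from a new source: flag for review
                log.warning("charger %s already connected from %s; new attempt from %s",
                            charger_id, prev["src_ip"], src_ip)
            if not self.terminate_previous:
                return "reject", "duplicate_session"
            self.terminated.append(prev["tag"])   # caller closes that socket
            reason = "replaced_previous"
        else:
            reason = "ok"
        self.active[charger_id] = {"tag": session_tag, "src_ip": src_ip}
        return "accept", reason

    def disconnect(self, charger_id, session_tag):
        """Forget the session when its socket closes (stale tags are ignored)."""
        if self.active.get(charger_id, {}).get("tag") == session_tag:
            del self.active[charger_id]


def run_demo():
    """Replay a constructed sequence of connection attempts; returns the decisions."""
    policy = AdmissionPolicy(registered_ids={"CP-1001", "CP-1002"}, max_attempts=3)
    seq = [
        ("CP-1001", "10.0.0.5", "s1", 0.0),        # legitimate charger connects
        ("CP-9999", "10.0.0.9", "s2", 1.0),        # unregistered ID: rejected
        ("CP-1001", "198.51.100.7", "s3", 2.0),    # spoofed ID from another source
        ("CP-1001", "198.51.100.7", "s4", 3.0),
        ("CP-1001", "198.51.100.7", "s5", 4.0),
        ("CP-1001", "198.51.100.7", "s6", 5.0),    # 4th attempt in 60 s: blocked
        ("CP-1002", "198.51.100.7", "s7", 100.0),  # still inside the block period
        ("CP-1001", "198.51.100.7", "s8", 400.0),  # block expired, ID still in use
    ]
    decisions = [policy.admit(*e) for e in seq]
    policy.disconnect("CP-1001", "s1")             # real charger goes away
    decisions.append(policy.admit("CP-1001", "10.0.0.5", "s9", 401.0))
    return decisions


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for d in run_demo():
        print(d)
```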


Metrics


Acknowledgments

  • Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.


Revision History

  • Initial Release Date: 2026-06-25
  • 2026-06-25, Revision 1: Initial Publication

Legal Notice and Terms of Use

Horner Automation Cscape

By: CISA
25 June 2026 at 08:00

View CSAF

Summary

Successful exploitation of this vulnerability could allow a local attacker to disclose information and execute arbitrary code.

The following versions of Horner Automation Cscape are affected:

  • Cscape <10.2_SP3Β 
CVSS: v3 7.8
Vendor: Horner Automation
Equipment: Horner Automation Cscape
Vulnerabilities: Out-of-bounds Read

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities

CVE-2026-12897

Horner Automation Cscape versions prior to 10.2 SP3 are vulnerable to an Out-of-Bounds Read vulnerability through parsing CSP files. Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.



Affected Products

  • Product: Horner Automation Cscape
  • Vendor: Horner Automation
  • Product Version: Horner Automation Cscape: <10.2_SP3
  • Product Status: known_affected
Remediations

  • Vendor fix: Horner Automation has released Cscape 10.2 SP3 for users to download.
  • Vendor fix: For more information, see the Cscape 10.2 SP3 release notes (https://hornerautomation.com/cscape-software-free/cscape-software/).

Relevant CWE: CWE-125 Out-of-bounds Read


Metrics

  • CVSS 3.1: base score 7.8 (HIGH), vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVSS 4.0: base score 8.4 (HIGH), vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Acknowledgments

  • Michael Heinzl reported this vulnerability to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).


Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.


Revision History

  • Initial Release Date: 2026-06-25
  • Revision 1 (2026-06-25): Initial Publication
