The fallout and potential exposure from Iran’s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a threat intelligence brief Wednesday. 

 Of the programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley that Censys identified as  potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States. 

The cybersecurity firm identified the devices based on details multiple federal agencies shared in a joint alert Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.

Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and disrupted multiple sectors during the past month. Some victims also experienced financial losses as a result of the attacks, officials said. 

The operational technology devices are deployed across the energy sector, water and wastewater systems, and U.S. government services and facilities. 

Censys scans spotted 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLC hosts shortly after the joint alert was issued by the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and U.S. Cyber Command. 

Researchers at Censys determined most of the exposed devices are connected via cellular systems, posing a significant risk to remote field deployments. Nearly half of the devices globally are connected to Verizon’s wireless network and 13% are connected to AT&T’s infrastructure.

“These devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path,” Censys researchers wrote in the report. 

The potential attack surface is also amplified by additional services exposed in other ports on these devices, a discovery that Censys warned could allow attackers to gain direct paths to operations beyond PLC exploitation. 

Researchers fingerprinted MicroLogix and CompactLogix models exposed to the latest threat campaign and published a list of the 15 most-exposed products. Many of the most prominent devices are running end-of-life software, a compounding risk that could allow attackers to prioritize unpatched devices upon scanning, according to Censys.

The attacks date back to at least March, following the U.S. and Israel’s war against Iran, and were underway as other Iranian government-backed attackers claimed other victims, including Stryker and local governments.

The post Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs appeared first on CyberScoop.

Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.

The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday.

“As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.

“However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”

Censys sensors observed nearly 88,000 UniFi Network Application hosts publicly exposed to the internet as of Friday morning. The software doesn’t expose what version it’s running, so scans cannot distinguish between vulnerable and patched instances.

Roughly one-third of the exposed instances of UniFi Network Application are located in the United States. 

As a defender, when you see a CVSS 10 for a product you immediately recognize and know is everywhere, you probably get a bit anxious,” Guidry said. “You also know it’s remotely exploitable, requires no authentication, and needs no user interaction, because it wouldn’t be a 10 if it wasn’t. Ubiquiti is a name you hear frequently, and many of those devices are sitting directly on the internet.”

Ubiquiti advises UniFi Network Application users to update to the latest software versions, which also addressed a second vulnerability — CVE-2026-22558 — that attackers could exploit to escalate privileges.

The post Ubiquiti defect poses account takeover risk for UniFi Networking Application users appeared first on CyberScoop.