Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling unauthenticated remote compromise. Johnson Controls disclosed CVE-2025-26385 (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including ADS/ADX, LCS8500, NAE8500, SCT, CCT) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include CVE-2026-25069 in SunFounder Pironman Dashboard (path traversal in log API endpoints enabling arbitrary file read/deletion) and CVE-2025-51958 in the DokuWiki runcommand plugin (unauthenticated command execution via lib/plugins/runcommand/postaction.php).
Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. Orval fixed CVE-2026-25141, a code-injection issue where incomplete escaping can be bypassed using JSFuck-style payloads, and Cybersecurity AI (CAI) addressed CVE-2026-25130, where subprocess.Popen(..., shell=True) enables argument/command injection leading to RCE (notably via the find_file() tool). Data-layer issues include CVE-2025-69662 in geopandas (to_postgis() SQL injection) and CVE-2026-24854 in ChurchCRM (authenticated SQL injection via PerID in /PaddleNumEditor.php, patched in 6.7.2), while CVE-2025-36384 affects IBM Db2 for Windows (local privilege escalation via unquoted search path). SOHO router flaws CVE-2026-1686 (Totolink A3600R) and CVE-2026-1637 (Tenda AC21) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
CISA issues advisory for critical Johnson Controls ICS SQL injection flaw
On 2026-02-01, reporting said CISA had issued a critical advisory for CVE-2025-26385, a CVSS 10.0 SQL injection vulnerability affecting multiple Johnson Controls industrial control system products. CISA recommended network isolation, firewalling, and use of patched VPNs for any remote access.
SunFounder Pironman Dashboard path traversal CVE received
On 2026-02-01, disclosure@vulncheck.com received CVE-2026-25069 for a path traversal flaw in SunFounder Pironman Dashboard 1.3.13 and earlier. The issue allows unauthenticated remote attackers to read or delete arbitrary files through log file API endpoints.
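The CVE record above describes only the symptom (log-file API endpoints that accept traversal sequences); the dashboard's own code is not on this page. The following Python, added here as an illustration and not taken from SunFounder's project, shows the containment check such an endpoint needs before reading or deleting a file: resolve the requested name against the log directory, then confirm the resolved path still sits inside it. The directory layout and request strings are constructed for the demo.

```python
from pathlib import Path
import tempfile


def resolve_within(base_dir: str, requested: str) -> Path:
    """Resolve `requested` against `base_dir`; refuse anything that escapes it.

    Both sides are fully resolved (symlinks followed, '..' collapsed) before the
    containment check, so 'sub/../app.log' is fine while '../secret.txt',
    '/etc/passwd' and a symlink pointing outside the directory are all refused.
    """
    base = Path(base_dir).resolve()
    # pathlib discards `base` when `requested` is absolute, so an absolute
    # request simply fails the containment test below.
    candidate = (base / requested).resolve()
    if candidate == base or base not in candidate.parents:
        raise PermissionError(f"request escapes {base}: {requested!r}")
    return candidate


def classify(base_dir: str, requested: str) -> str:
    """Outcome a read/delete log endpoint should report for one request."""
    try:
        target = resolve_within(base_dir, requested)
    except PermissionError:
        return "denied"
    return "ok" if target.is_file() else "missing"


def demo() -> dict:
    """Constructed scenario (not the real dashboard): one log directory with a
    subdirectory, plus a file outside it that must never be reachable."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp) / "logs"
        (logs / "sub").mkdir(parents=True)
        (logs / "app.log").write_text("constructed log line\n")
        (Path(tmp) / "secret.txt").write_text("must never be readable via the API\n")
        requests = ["app.log", "sub/../app.log", "../secret.txt", "/etc/passwd", "missing.log"]
        return {r: classify(str(logs), r) for r in requests}


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{outcome:8} {request}")
```

The same resolver serves both the read and the delete endpoint; checking `is_file()` only after containment keeps the error message from leaking whether a path outside the directory exists.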
Totolink A3600R buffer overflow disclosed with public proof of concept
By 2026-01-30, CVE-2026-1686 documented a remotely exploitable buffer overflow in the Totolink A3600R router's setAppEasyWizardConfig function in app.so. The disclosure referenced a public exploit and proof of concept, increasing the likelihood of real-world abuse.
Cybersecurity AI fixes argument injection leading to host command execution
A fix for CVE-2026-25130 was identified in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde, addressing argument-injection flaws in Cybersecurity AI up to version 0.5.10. The vulnerabilities allowed arbitrary command execution, including through the pre-approved find_file() agent tool.
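The summary above names the weakness class (`subprocess.Popen(..., shell=True)` with caller-controlled arguments) but not CAI's actual code, so the Python below is an added illustration, not the project's tool. It contrasts a string command line handed to a shell with an argv list handed directly to `find`, and adds the check that still matters once the shell is out of the picture: a value beginning with `-` would otherwise be parsed by `find` as an option. The function names and the root path are assumptions for the demo.

```python
import shlex
import subprocess


def unsafe_command_line(name: str) -> str:
    """Vulnerable pattern (illustrative): the name is pasted into a shell
    command line, so ';', '$(...)' and backticks are interpreted by /bin/sh."""
    return f"find . -name {name} -type f"


def shell_tokens(cmd: str) -> list:
    """How a POSIX shell tokenises a command string (punctuation kept as tokens)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_name(name: str) -> str:
    """Accept a bare file-name pattern for use as ONE argv element.

    With shell=False the shell never sees the value, so metacharacters are
    harmless; what remains is argument injection, e.g. a value starting with
    '-' that find would treat as an option such as -delete or -exec.
    """
    if not name or "\0" in name or "\n" in name:
        raise ValueError("empty name or control characters")
    if name.startswith("-"):
        raise ValueError("leading '-' would be parsed as a find option")
    if "/" in name:
        raise ValueError("path separators are not allowed in a name pattern")
    return name


def is_acceptable(name: str) -> bool:
    try:
        validate_name(name)
        return True
    except ValueError:
        return False


def safe_argv(root: str, name: str) -> list:
    """Hardened form: fixed argv list, no shell, validated user-controlled element."""
    return ["find", root, "-name", validate_name(name), "-type", "f"]


def find_file(root: str, name: str) -> list:
    """Run the hardened command; returns matching paths (needs `find` on PATH)."""
    out = subprocess.run(safe_argv(root, name), capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    tampered = "report.txt; id"
    print("shell sees:", shell_tokens(unsafe_command_line(tampered)))
    print("argv sees: ", safe_argv("/srv/data", tampered))
```

Run against the constructed value `report.txt; id`, the shell tokeniser yields a separate `;` and `id` token, while the argv form carries the whole string as a single `-name` operand that matches nothing.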
Orval releases fixes for code injection bypass in 7.21.0 and 8.2.0
Orval addressed CVE-2026-25141, a code injection vulnerability caused by incomplete prior escaping logic, in versions 7.21.0 and 8.2.0. The issue allowed arbitrary JavaScript execution via crafted x-enum-descriptions using a JSFuck-style technique.
IBM Db2 Windows privilege escalation CVE updated by IBM PSIRT
On 2026-01-30, CVE-2025-36384 was updated with CVSS v3.1 scoring, CWE-428 mapping, and an IBM PSIRT reference for a local privilege escalation issue in IBM Db2 for Windows 12.1.0 through 12.1.3. The flaw stems from an unquoted search path element and requires filesystem access.
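CWE-428 is an audit target as much as a patch target. The Python below is an added detection example, not from IBM or the advisory; it assumes the weakness takes its usual Windows form, a service `ImagePath` containing spaces and no surrounding quotes, and runs over constructed sample values rather than real Db2 registry data. It flags the unquoted entries and lists the ambiguous locations an auditor should confirm are not writable by low-privileged users.

```python
import re

# Constructed service ImagePath values for the demo (not taken from Db2 or the advisory).
SAMPLE_IMAGE_PATHS = {
    "GoodQuoted": '"C:\\Program Files\\Vendor\\Agent Service\\agent.exe" -run',
    "GoodNoSpace": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Vendor\Agent Service\agent.exe -run",
    "DriverNoExe": r"\SystemRoot\System32\drivers\acpi.sys",
}

_EXE = re.compile(r"\.exe", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Portion up to and including the first '.exe' (whole string if there is none),
    so spaces in trailing arguments such as '-k netsvcs' are not counted."""
    m = _EXE.search(image_path)
    return image_path[:m.end()] if m else image_path


def is_unquoted_with_spaces(image_path: str) -> bool:
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    return " " in executable_part(p)


def ambiguous_candidates(image_path: str) -> list:
    """Each prefix ending at a space, with '.exe' appended: the locations the
    loader may probe before the intended binary. Check these are not writable."""
    exe = executable_part(image_path.strip())
    out, idx = [], exe.find(" ")
    while idx != -1:
        out.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    return out


def find_unquoted(image_paths: dict) -> list:
    return sorted(n for n, p in image_paths.items() if is_unquoted_with_spaces(p))


if __name__ == "__main__":
    for name in find_unquoted(SAMPLE_IMAGE_PATHS):
        print(name, "->", ambiguous_candidates(SAMPLE_IMAGE_PATHS[name]))
```

The fix on the service side is simply to quote the path; the audit side re-runs this check after every installer, since the page notes the flaw needs only filesystem access to matter.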
DokuWiki runcommand plugin RCE CVE published with references and scoring
On 2026-01-30, CVE-2025-51958 was documented and updated for an unauthenticated remote command execution flaw in the aelsantex runcommand plugin for DokuWiki. The update added references, a CVSS v3.1 vector, and CWE-78 classification.
MediaWiki DiscussionTools EL injection/ReDoS issue documented
On 2026-01-30, the CVE-2025-11175 entry was updated with a description, CVSS v4.0 vector, CWE-917 classification, and references for an expression language injection issue in MediaWiki DiscussionTools. The flaw can lead to Regular Expression Exponential Blowup in affected 1.43 and 1.44 versions.
CVE record for Geopandas SQL injection updated with technical details
On 2026-01-30, the CVE-2025-69662 record was updated to add a description, CVSS v3.1 vector, CWE classification, and references for an SQL injection issue in geopandas versions prior to 1.1.2. The flaw affects the to_postgis() function when writing GeoDataFrames to PostgreSQL.
ChurchCRM 6.7.2 fixes SQL injection in PaddleNumEditor.php
ChurchCRM released version 6.7.2 to address CVE-2026-24854, a SQL injection flaw in /PaddleNumEditor.php that could be exploited by any authenticated user, even with no assigned permissions. The advisory references the fixing commit and GitHub Security Advisory.
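Three entries on this page are SQL injection (Johnson Controls, geopandas `to_postgis()`, ChurchCRM `PerID`), and none of the vulnerable code is reproduced here. The Python below is an added example, written against an in-memory SQLite table constructed for the demo and not taken from any of those projects. It places a concatenated lookup beside its parameterised form, and separately handles the case `to_postgis()`-style writers face: a table name cannot be bound as a parameter, so it must be whitelisted and quoted instead. The table layout, column names and sample payload are all assumptions.

```python
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed person -> paddle-number table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE paddle (per_id INTEGER PRIMARY KEY, num INTEGER)")
    conn.executemany("INSERT INTO paddle VALUES (?, ?)", [(1, 101), (2, 202), (3, 303)])
    return conn


def lookup_unsafe(conn, per_id: str) -> list:
    """Vulnerable pattern: request value concatenated straight into the statement."""
    return conn.execute(f"SELECT num FROM paddle WHERE per_id = {per_id}").fetchall()


def lookup_safe(conn, per_id: str) -> list:
    """Hardened: coerce to the expected type, then bind as a parameter."""
    return conn.execute("SELECT num FROM paddle WHERE per_id = ?", (int(per_id),)).fetchall()


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_identifier(name: str) -> bool:
    return bool(_IDENT.match(name))


def quote_identifier(name: str) -> str:
    """Table/column names cannot be parameters: whitelist the shape, then quote."""
    if not is_safe_identifier(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def write_rows(conn, table: str, rows) -> int:
    """Writer with a caller-supplied table name (the to_postgis()-style case)."""
    t = quote_identifier(table)
    conn.execute(f"CREATE TABLE IF NOT EXISTS {t} (id INTEGER, geom TEXT)")
    conn.executemany(f"INSERT INTO {t} VALUES (?, ?)", rows)
    return conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]


def demo() -> dict:
    conn = setup_db()
    tampered = "1 OR 1=1"          # constructed tampered request value
    try:
        lookup_safe(conn, tampered)
        safe = "accepted"
    except ValueError:
        safe = "rejected"          # int() refuses it before SQL is ever built
    return {
        "unsafe_rows": len(lookup_unsafe(conn, tampered)),   # whole table comes back
        "safe": safe,
        "honest": lookup_safe(conn, "2"),
    }


if __name__ == "__main__":
    print(demo())
```

A rejected value is also the right place to emit a log line for detection: a lookup parameter that fails type coercion is a far cleaner signal than trying to pattern-match SQL keywords in the request.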
CVE-2026-1637 assigned for Tenda AC21 stack overflow with public exploit
On 2026-01-29, the CVE record for CVE-2026-1637 was received, documenting a remotely exploitable stack-based buffer overflow in the Tenda AC21 router's fromAdvSetMacMtuWan function. The record noted that a public exploit was available.
CISA reports no known exploitation of Johnson Controls SQL injection flaw
As of 2026-01-27, CISA said it was not aware of public exploitation of CVE-2025-26385, a critical SQL injection vulnerability affecting multiple Johnson Controls ICS products. The agency nevertheless highlighted the risk because the products are widely used in critical infrastructure environments.
Sources
Critical Johnson Controls Products Vulnerabilities Enables Remote SQL Injection Attacks (cybersecuritynews.com)
CVE-2026-25069 - SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion (cvefeed.io)
CVE-2025-36384 - IBM Db2 Privilege Escalation (cvefeed.io)
CVE-2026-25141 - Orval has a code injection via unsanitized x-enum-descriptions using JS comments (cvefeed.io)
CVE-2025-51958 - DokuWiki runcommand Remote Command Execution Vulnerability (cvefeed.io)
CVE-2026-24854 - Church CRM has SQL injection in PaddleNumEditor.php (cvefeed.io)
CVE-2026-1686 - Totolink A3600R app.so setAppEasyWizardConfig buffer overflow (cvefeed.io)
CVE-2026-1637 - Tenda AC21 AdvSetMacMtuWan fromAdvSetMacMtuWan stack-based overflow (cvefeed.io)