CISA ICS advisories flag critical missing-authentication flaws in industrial and broadcast devices
CISA published ICS advisories warning of critical “missing authentication for critical function” weaknesses (CWE-306) that expose device management/control interfaces to unauthenticated access. Synectix LAN 232 TRIO (3-port serial-to-Ethernet adapter) is affected in all versions under CVE-2026-1633 with CVSS 3.1 10.0, enabling unauthenticated attackers to modify critical device settings or factory reset the device. Avation Light Engine Pro is also affected in all versions under CVE-2026-1341 with CVSS 3.1 9.8, allowing an attacker to take full control of the device due to an exposed configuration/control interface without authentication.
Separate reporting highlighted a similar CISA alert for KiloView Encoder Series devices, tracked as CVE-2026-1453 with CVSS 9.8, where missing authentication allows unauthenticated users to perform administrative actions such as creating or deleting administrator accounts, potentially granting full administrative control and enabling disruption or hijacking of broadcast/streaming workflows. The KiloView issue was described as affecting multiple Encoder Series models and specific firmware/hardware combinations (e.g., E1/E1-s/E2 with listed firmware versions), reinforcing the broader risk of internet- or enterprise-exposed device management planes lacking access control.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Reporting highlights Synectix flaw as unpatchable due to end-of-life status
Follow-on reporting noted that Synectix is no longer in business and that no vendor fix is available for CVE-2026-1633. The coverage emphasized that affected devices may need to be removed or replaced rather than patched.
CVE record for Synectix vulnerability is published
A CVE entry for CVE-2026-1633 was published, documenting the Synectix LAN 232 TRIO authentication bypass and linking to the CISA advisory and CSAF record. The record described network-reachable exploitation with no privileges or user interaction required.
CISA publishes advisory for Synectix LAN 232 TRIO flaw
CISA disclosed CVE-2026-1633, a critical missing-authentication vulnerability in the Synectix LAN 232 TRIO 3-port serial-to-Ethernet adapter. The advisory said unauthenticated attackers could modify critical settings or factory reset the device, with no known public exploitation reported at the time.
CISA publishes advisory for Avation Light Engine Pro flaw
On its initial release date, CISA disclosed CVE-2026-1341, a critical missing-authentication vulnerability affecting all versions of Avation Light Engine Pro. CISA said a remote attacker could take full control of the device and noted no known public exploitation at publication.
Researcher reports critical unauthenticated access flaws to CISA
Souvik Kandar of MicroSec reported missing-authentication vulnerabilities affecting Avation Light Engine Pro and the Synectix LAN 232 TRIO to CISA. The flaws could allow remote attackers to access exposed management or control functions without credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Unpatchable & Critical: CISA Issues CVSS 10.0 Alert for Synectix Adapters
securityonline.info
Open sourceCVE-2026-1633 - Synectix LAN 232 TRIO Missing Authentication for Critical Function
cvefeed.io
Open sourceSynectix LAN 232 TRIO | CISA
cisa.gov
Open sourceAvation Light Engine Pro | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA ICS advisories warn of critical authentication and RCE flaws in industrial and IoT devices
CISA published multiple ICS advisories warning of high-severity vulnerabilities affecting industrial/IoT products deployed in critical infrastructure environments. For **Jinan USR IOT Technology (PUSR) USR-W610** (<= `3.1.1.0`), CISA reported multiple issues (including **CVE-2026-25715**, **CVE-2026-24455**, **CVE-2026-26049**, **CVE-2026-26048**) that could allow authentication to be effectively disabled (e.g., permitting blank admin credentials over the web interface and Telnet), enable credential exposure (including administrator credentials), and cause denial-of-service; one of the cited conditions results in full administrative control for a network-adjacent attacker without valid credentials (CVSS v3.1 **9.8**). Separately, **EnOcean SmartServer IoT** (<= `4.60.009`) was reported vulnerable to **OS command execution** via crafted LON IP-852 management messages (**CVE-2026-20761**) and an additional weakness that could leak memory and help bypass mitigations such as ASLR (**CVE-2026-22885**) (CVSS v3.1 **8.1**). CISA also warned that **Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller** is affected by **CVE-2026-24790** (**missing authentication for a critical function**), where the underlying PLC can be remotely influenced without proper safeguards, creating risk of **over- or under-odorization events** (CVSS v3.1 **8.2**). In parallel reporting, a separate CISA warning covered **Honeywell CCTV** products impacted by **CVE-2026-1670** (CVSS **9.8**), where an unauthenticated API endpoint could allow an attacker to change the “forgot password” recovery email and take over accounts to access camera feeds; at the time of reporting, there were no public exploitation reports, and CISA recommended reducing exposure (e.g., isolating devices behind firewalls and using secure remote access).
Mar 21, 2026
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Mar 21, 2026
CISA ICS advisories disclose multiple critical-manufacturing vulnerabilities in Hitachi Energy, Ilevia, and Open62541
CISA published multiple ICS advisories affecting **critical manufacturing** environments, including a **critical RADIUS forgery weakness** impacting **Hitachi Energy XMC20** and **FOX61x** when configured for **remote RADIUS authentication**. The issue (tracked as **CVE-2024-3596**, CVSS v3.1 **9.0**) stems from the RADIUS protocol’s use of an **MD5 Response Authenticator**, enabling a local attacker to perform a **chosen-prefix collision** and alter server responses (e.g., `Access-Accept`, `Access-Reject`, `Access-Challenge`), with potential confidentiality, integrity, and availability impact. Separately, CISA warned that **Ilevia EVE X1 Server** (<= **4.7.18.0**) contains multiple vulnerabilities (including **CVE-2025-34183/34184/34185/34186/34187** and **CVE-2025-34512/34513/34517/34518**) that can enable **pre-auth file disclosure** (via the `db_log` POST parameter) and **unauthenticated OS command injection** (in `/ajax/php/login.php`), potentially leading to arbitrary command execution and sensitive information exposure; at least one issue is scored **CVSS 9.8**. CISA also disclosed an **out-of-bounds write** in **o6 Automation GmbH Open62541** (**CVE-2026-1301**, CVSS **5.7**) where, with PubSub and JSON enabled, a crafted JSON message can trigger **pre-auth memory corruption** and a reliable **denial of service**.
Mar 21, 2026