CISA ICS advisories disclose multiple critical-manufacturing vulnerabilities in Hitachi Energy, Ilevia, and Open62541
CISA published multiple ICS advisories affecting critical manufacturing environments, including a critical RADIUS forgery weakness impacting Hitachi Energy XMC20 and FOX61x when configured for remote RADIUS authentication. The issue (tracked as CVE-2024-3596, CVSS v3.1 9.0) stems from the RADIUS protocol’s use of an MD5 Response Authenticator, enabling a local attacker to perform a chosen-prefix collision and alter server responses (e.g., Access-Accept, Access-Reject, Access-Challenge), with potential confidentiality, integrity, and availability impact.
Separately, CISA warned that Ilevia EVE X1 Server (<= 4.7.18.0) contains multiple vulnerabilities (including CVE-2025-34183/34184/34185/34186/34187 and CVE-2025-34512/34513/34517/34518) that can enable pre-auth file disclosure (via the db_log POST parameter) and unauthenticated OS command injection (in /ajax/php/login.php), potentially leading to arbitrary command execution and sensitive information exposure; at least one issue is scored CVSS 9.8. CISA also disclosed an out-of-bounds write in o6 Automation GmbH Open62541 (CVE-2026-1301, CVSS 5.7) where, with PubSub and JSON enabled, a crafted JSON message can trigger pre-auth memory corruption and a reliable denial of service.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA publishes Open62541 denial-of-service vulnerability advisory
CISA published an ICS advisory for CVE-2026-1301 in o6 Automation GmbH's Open62541, describing an out-of-bounds write in builds with PubSub and JSON enabled. A crafted JSON message can trigger memory corruption and a denial of service before authentication in affected versions from 1.5-rc1 up to but not including 1.5-rc2.
CISA publishes Ilevia EVE X1 Server vulnerability advisory
CISA issued an ICS advisory covering multiple vulnerabilities in Ilevia EVE X1 Server versions up to 4.7.18.0, including unauthenticated OS command injection, path traversal, plaintext credential exposure in logs, and reflected XSS. The advisory notes some issues could enable full system compromise, while Ilevia reportedly declined to service several firmware vulnerabilities and instead advised customers not to expose port 8080 to the internet.
CISA republishes Hitachi Energy advisories for XMC20 and FOX61x
CISA republished Hitachi Energy's CSAF advisories for the XMC20 and FOX61x vulnerabilities to increase visibility. The advisories identify affected versions and recommend standard ICS mitigations such as reducing network exposure, isolating control networks, and using VPNs for remote access.
Hitachi Energy discloses critical RADIUS flaw in XMC20 and FOX61x
Hitachi Energy disclosed a critical vulnerability in its XMC20 and FOX61x products when configured for remote RADIUS authentication. The flaw, tracked as CVE-2024-3596, stems from weaknesses in the RADIUS protocol's MD5 Response Authenticator that could allow forgery attacks affecting confidentiality, integrity, and availability.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hitachi Energy XMC20 | CISA
cisa.gov
Open sourceHitachi Energy FOX61x | CISA
cisa.gov
Open sourceIlevia EVE X1 Server | CISA
cisa.gov
Open sourceo6 Automation GmbH Open62541 | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Mar 21, 2026
ICS/OT Vulnerability Disclosures for Airleader Master, Hitachi Energy SuprOS, and WAGO Industrial Switches
CISA published an ICS advisory for **Airleader GmbH Airleader Master** identifying **CVE-2026-1358**, a **critical (CVSS 9.8)** *unrestricted file upload* issue (`CWE-434`) affecting versions **6.381 and earlier**. The advisory states that multiple web pages running with maximum privileges allow **unauthenticated** file uploads without restriction, which could enable **remote code execution** on the server; the issue was reported by **SySS GmbH**. CISA also issued an ICS advisory for **Hitachi Energy SuprOS** describing a **default credentials** weakness (`CWE-1392`) affecting **SuprOS 9.2.1 and below and 9.2.2.0** (listed as **CVE-2025-7740**, **CVSS 8.8**), where an admin account created during deployment could be abused by an attacker with local authenticated access, impacting confidentiality, integrity, and availability. Separately, CERT@VDE warned of multiple critical vulnerabilities in **WAGO 852 series Industrial Managed Switches** (models **8052-1322** and **0852-1328**, firmware **2.64 and prior**), including **CVE-2026-22906** (hardcoded key enabling decryption of AES-ECB–protected stored credentials if a configuration file is obtained) and cookie-parsing flaws such as **CVE-2026-22904** that can be triggered remotely via oversized cookie values, enabling denial of service and potentially code execution through the web management interface (modified *lighttpd* and custom CGI binaries).
Mar 21, 2026
CISA and Canadian Cyber Centre Advisories Highlight Multiple ICS and Enterprise Vulnerabilities
The Canadian Centre for Cyber Security issued multiple advisories summarizing vendor and CISA disclosures from Feb 9–15, urging organizations to patch widely used platforms. This included **Linux kernel** fixes across supported Ubuntu releases (16.04 through 25.10) and a broad set of **Dell** and **IBM** product updates affecting backup/DR, infrastructure, and automation/transaction systems (e.g., *Dell Avamar/NetWorker/PowerEdge/IDPA/iDRAC Service Module* and *IBM Business Automation Workflow, Operational Decision Manager, Sterling components, webMethods Integration*, and others). CISA also published ICS advisories covering several industrial products with potentially high-impact outcomes. **Siemens Simcenter Femap and Nastran** were reported vulnerable to multiple `NDB`/`XDB` file-parsing issues (CVE-2026-23715 through CVE-2026-23720) that can be triggered via malicious files and may lead to crashes or **arbitrary code execution** (CVSS 7.8), with Siemens recommending upgrades. **GE Vernova Enervista UR Setup** versions `< 8.70` were reported vulnerable to **DLL hijacking** and **path traversal** (CVE-2026-1762, CVE-2026-1763; CVSS 7.8), potentially enabling elevated code execution. Separately, CISA advisory `ICSA-26-043-10` described a **critical** unauthenticated **remote code execution** risk in **Airleader Master** `<= 6.381` due to an unrestricted file upload flaw (CVE-2026-1358; CVSS 9.8); CISA noted no known public exploits at the time and recommended exposure reduction measures such as network segmentation and restricting internet access to control systems.
Mar 21, 2026