ICS/OT Vulnerability Disclosures for Airleader Master, Hitachi Energy SuprOS, and WAGO Industrial Switches
CISA published an ICS advisory for Airleader GmbH Airleader Master identifying CVE-2026-1358, a critical (CVSS 9.8) unrestricted file upload issue (CWE-434) affecting versions 6.381 and earlier. The advisory states that multiple web pages running with maximum privileges allow unauthenticated file uploads without restriction, which could enable remote code execution on the server; the issue was reported by SySS GmbH.
CISA also issued an ICS advisory for Hitachi Energy SuprOS describing a default credentials weakness (CWE-1392) affecting SuprOS 9.2.1 and below and 9.2.2.0 (listed as CVE-2025-7740, CVSS 8.8), where an admin account created during deployment could be abused by an attacker with local authenticated access, impacting confidentiality, integrity, and availability. Separately, CERT@VDE warned of multiple critical vulnerabilities in WAGO 852 series Industrial Managed Switches (models 8052-1322 and 0852-1328, firmware 2.64 and prior), including CVE-2026-22906 (hardcoded key enabling decryption of AES-ECB–protected stored credentials if a configuration file is obtained) and cookie-parsing flaws such as CVE-2026-22904 that can be triggered remotely via oversized cookie values, enabling denial of service and potentially code execution through the web management interface (modified lighttpd and custom CGI binaries).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA republishes Hitachi Energy SuprOS vulnerability advisory
CISA republished Hitachi Energy's advisory on the SuprOS default-credentials issue to increase visibility and issued standard ICS defensive guidance, including minimizing internet exposure and segmenting networks. The advisory noted the product is deployed worldwide in sectors such as energy, transportation, and government facilities.
CISA publishes advisory for Airleader Master RCE vulnerability
CISA published an advisory for CVE-2026-1358, a critical unrestricted file upload flaw in Airleader Master 6.381 and earlier that could enable unauthenticated remote code execution with maximum privileges. The vulnerability was reported to CISA by Angel Lomeli of SySS GmbH, and CISA said it had no evidence of public exploitation at publication time.
Hitachi Energy discloses SuprOS default-credentials vulnerability
Hitachi Energy disclosed CVE-2025-7740, a high-severity default-credentials flaw affecting SuprOS versions 9.2.1 and below and version 9.2.2.0. The issue could let an authenticated local attacker access an administrator account created during deployment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Mar 21, 2026
CISA ICS advisories disclose multiple critical-manufacturing vulnerabilities in Hitachi Energy, Ilevia, and Open62541
CISA published multiple ICS advisories affecting **critical manufacturing** environments, including a **critical RADIUS forgery weakness** impacting **Hitachi Energy XMC20** and **FOX61x** when configured for **remote RADIUS authentication**. The issue (tracked as **CVE-2024-3596**, CVSS v3.1 **9.0**) stems from the RADIUS protocol’s use of an **MD5 Response Authenticator**, enabling a local attacker to perform a **chosen-prefix collision** and alter server responses (e.g., `Access-Accept`, `Access-Reject`, `Access-Challenge`), with potential confidentiality, integrity, and availability impact. Separately, CISA warned that **Ilevia EVE X1 Server** (<= **4.7.18.0**) contains multiple vulnerabilities (including **CVE-2025-34183/34184/34185/34186/34187** and **CVE-2025-34512/34513/34517/34518**) that can enable **pre-auth file disclosure** (via the `db_log` POST parameter) and **unauthenticated OS command injection** (in `/ajax/php/login.php`), potentially leading to arbitrary command execution and sensitive information exposure; at least one issue is scored **CVSS 9.8**. CISA also disclosed an **out-of-bounds write** in **o6 Automation GmbH Open62541** (**CVE-2026-1301**, CVSS **5.7**) where, with PubSub and JSON enabled, a crafted JSON message can trigger **pre-auth memory corruption** and a reliable **denial of service**.
Mar 21, 2026
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
Mar 21, 2026