CISA ICS Advisories for Delta Electronics ASDA-Soft and Honeywell CCTV Vulnerabilities
CISA published ICS advisories detailing vulnerabilities in Delta Electronics ASDA-Soft and Honeywell CCTV products. Delta Electronics ASDA-Soft (versions <= 7.2.0.0) contains a stack-based buffer overflow (CWE-121) triggered when parsing .par files due to improper validation of a user-controlled size parameter, which can enable out-of-bounds writes and corruption of the structured exception handler (CVE-2026-1361, CVSS v3.1 7.8 High, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Honeywell CCTV devices are affected by missing authentication for a critical function (CWE-306) where an unauthenticated API endpoint can allow an attacker to change the “forgot password” recovery email address, enabling account takeover and unauthorized access to camera feeds (CVE-2026-1670, CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A separate report described a different CISA ICS advisory for Airleader Master involving an unrestricted file upload that could allow unauthenticated remote code execution (CVE-2026-1358, CVSS 9.8), affecting versions up to 6.381; it noted no known public exploits at the time and recommended exposure reduction measures such as restricting internet access and segmenting ICS networks. This Airleader issue is not part of the same disclosure as the Delta Electronics and Honeywell advisories, which cover distinct products and CVEs released under different advisory identifiers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA publishes advisory for Honeywell CCTV CVE-2026-1670
CISA published ICS advisory ICSA-26-048-04 warning that a critical authentication-missing vulnerability in multiple Honeywell CCTV products could enable account takeover, unauthorized camera access, and possible lateral movement. CISA said it was unaware of public exploitation and recommended network isolation, segmentation, and secure remote access.
CISA publishes advisory for Delta ASDA-Soft CVE-2026-1361
CISA published ICS advisory ICSA-26-048-02 for a stack-based buffer overflow in Delta Electronics ASDA-Soft. The agency said the flaw is not remotely exploitable and that it had no reports of public exploitation at the time of publication.
Trend Research reports Delta ASDA-Soft buffer overflow to CISA
A researcher identified as “nisu” of Trend Research reported a high-severity stack-based buffer overflow in Delta Electronics ASDA-Soft to CISA. The flaw, assigned CVE-2026-1361, affects version 7.2.0.0 and earlier when parsing crafted .par files.
Researcher reports Honeywell CCTV auth bypass to CISA
Researcher Souvik Kandar reported a critical missing-authentication flaw in multiple Honeywell CCTV products to CISA. The vulnerability, later assigned CVE-2026-1670, allows an unauthenticated attacker to change the password-recovery email and take over accounts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CISA Warns of Honeywell CCTV Products Vulnerability Leads to Account Takeovers
cybersecuritynews.com
Open sourceCISA alerts to critical auth bypass CVE-2026-1670 in Honeywell CCTVs
securityaffairs.com
Open sourceDelta Electronics ASDA-Soft | CISA
cisa.gov
Open sourceHoneywell CCTV Products | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ICS/OT Vulnerability Disclosures for Airleader Master, Hitachi Energy SuprOS, and WAGO Industrial Switches
CISA published an ICS advisory for **Airleader GmbH Airleader Master** identifying **CVE-2026-1358**, a **critical (CVSS 9.8)** *unrestricted file upload* issue (`CWE-434`) affecting versions **6.381 and earlier**. The advisory states that multiple web pages running with maximum privileges allow **unauthenticated** file uploads without restriction, which could enable **remote code execution** on the server; the issue was reported by **SySS GmbH**. CISA also issued an ICS advisory for **Hitachi Energy SuprOS** describing a **default credentials** weakness (`CWE-1392`) affecting **SuprOS 9.2.1 and below and 9.2.2.0** (listed as **CVE-2025-7740**, **CVSS 8.8**), where an admin account created during deployment could be abused by an attacker with local authenticated access, impacting confidentiality, integrity, and availability. Separately, CERT@VDE warned of multiple critical vulnerabilities in **WAGO 852 series Industrial Managed Switches** (models **8052-1322** and **0852-1328**, firmware **2.64 and prior**), including **CVE-2026-22906** (hardcoded key enabling decryption of AES-ECB–protected stored credentials if a configuration file is obtained) and cookie-parsing flaws such as **CVE-2026-22904** that can be triggered remotely via oversized cookie values, enabling denial of service and potentially code execution through the web management interface (modified *lighttpd* and custom CGI binaries).
Mar 21, 2026
CISA ICS advisories warn of critical authentication and RCE flaws in industrial and IoT devices
CISA published multiple ICS advisories warning of high-severity vulnerabilities affecting industrial/IoT products deployed in critical infrastructure environments. For **Jinan USR IOT Technology (PUSR) USR-W610** (<= `3.1.1.0`), CISA reported multiple issues (including **CVE-2026-25715**, **CVE-2026-24455**, **CVE-2026-26049**, **CVE-2026-26048**) that could allow authentication to be effectively disabled (e.g., permitting blank admin credentials over the web interface and Telnet), enable credential exposure (including administrator credentials), and cause denial-of-service; one of the cited conditions results in full administrative control for a network-adjacent attacker without valid credentials (CVSS v3.1 **9.8**). Separately, **EnOcean SmartServer IoT** (<= `4.60.009`) was reported vulnerable to **OS command execution** via crafted LON IP-852 management messages (**CVE-2026-20761**) and an additional weakness that could leak memory and help bypass mitigations such as ASLR (**CVE-2026-22885**) (CVSS v3.1 **8.1**). CISA also warned that **Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller** is affected by **CVE-2026-24790** (**missing authentication for a critical function**), where the underlying PLC can be remotely influenced without proper safeguards, creating risk of **over- or under-odorization events** (CVSS v3.1 **8.2**). In parallel reporting, a separate CISA warning covered **Honeywell CCTV** products impacted by **CVE-2026-1670** (CVSS **9.8**), where an unauthenticated API endpoint could allow an attacker to change the “forgot password” recovery email and take over accounts to access camera feeds; at the time of reporting, there were no public exploitation reports, and CISA recommended reducing exposure (e.g., isolating devices behind firewalls and using secure remote access).
Mar 21, 2026
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Mar 21, 2026