Rising ICS Vulnerability Volume and New High-Severity Advisories for Valmet and Honeywell Products
Industrial control system (ICS) vulnerability reporting hit record levels in 2025, with 508 ICS advisories covering 2,155 CVEs and an increasing average severity (CVSS averages exceeding 8.0 in 2024–2025), according to a Forescout report. The report highlights that Purdue Level 1 devices (e.g., PLCs/RTUs/IEDs) were most affected, followed by Level 3 operational systems and Level 2 control systems, with critical manufacturing and energy most impacted. It also flags a growing visibility gap as an increasing number of ICS vulnerabilities lack associated CISA ICSA publications, including changes in how some vendor advisories (e.g., Siemens) are routed.
CISA published an ICS advisory for Valmet DNA Engineering Web Tools (<= C2022) describing CVE-2025-15577, a high-severity path traversal issue (CVSS 3.1 8.6) that could allow an unauthenticated attacker to manipulate a web maintenance services URL to achieve arbitrary file read. Separately, CISA also warned (as reported by BleepingComputer) of a critical authentication flaw in multiple Honeywell CCTV products, CVE-2026-1670 (CVSS 9.8), where an exposed unauthenticated API endpoint could let an attacker change the “forgot password” recovery email and potentially enable account takeover and unauthorized camera feed access; CISA reported no known public exploitation at the time and reiterated standard ICS/OT hardening guidance (reduce exposure, segment networks, and secure remote access).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Forescout reports record 2025 ICS vulnerability totals
Forescout reported that ICS security advisories surpassed 500 in 2025 for the first time, with 2,155 CVEs across 508 advisories and average severity continuing to rise. The report also highlighted reduced visibility from fewer CISA-linked advisories and called for stronger vendor accountability and patch transparency.
CISA publishes Valmet DNA Engineering Web Tools advisory
CISA released advisory ICSA-26-050-02 for Valmet DNA Engineering Web Tools, disclosing CVE-2025-15577, a high-severity path traversal flaw that can allow unauthenticated arbitrary file read. The advisory credited Denis Samotuga for reporting the issue to Valmet and stated there was no known public exploitation at publication.
CISA warns of critical Honeywell CCTV vulnerability
CISA issued an advisory for CVE-2026-1670 affecting multiple Honeywell CCTV models, warning that unauthenticated attackers could access camera feeds and hijack accounts. CISA said that as of February 17, 2026, there were no known public exploitation reports and recommended patching, network isolation, and secure remote access.
Researcher reports Honeywell CCTV auth bypass flaw
Researcher Souvik Kanda discovered and reported a critical Honeywell CCTV vulnerability, later assigned CVE-2026-1670. The flaw is a missing authentication issue in an exposed API endpoint that can let remote attackers change password recovery email settings and take over accounts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CISA urges Honeywell CCTV camera owners to patch critical vulnerability | SC Media
scworld.com
Open sourceIndustrial Control System Vulnerabilities Hit Record Highs - Infosecurity Magazine
infosecurity-magazine.com
Open sourceValmet DNA Engineering Web Tools | CISA
cisa.gov
Open sourceCritical infra Honeywell CCTVs vulnerable to auth bypass flaw
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA ICS advisories warn of critical authentication and RCE flaws in industrial and IoT devices
CISA published multiple ICS advisories warning of high-severity vulnerabilities affecting industrial/IoT products deployed in critical infrastructure environments. For **Jinan USR IOT Technology (PUSR) USR-W610** (<= `3.1.1.0`), CISA reported multiple issues (including **CVE-2026-25715**, **CVE-2026-24455**, **CVE-2026-26049**, **CVE-2026-26048**) that could allow authentication to be effectively disabled (e.g., permitting blank admin credentials over the web interface and Telnet), enable credential exposure (including administrator credentials), and cause denial-of-service; one of the cited conditions results in full administrative control for a network-adjacent attacker without valid credentials (CVSS v3.1 **9.8**). Separately, **EnOcean SmartServer IoT** (<= `4.60.009`) was reported vulnerable to **OS command execution** via crafted LON IP-852 management messages (**CVE-2026-20761**) and an additional weakness that could leak memory and help bypass mitigations such as ASLR (**CVE-2026-22885**) (CVSS v3.1 **8.1**). CISA also warned that **Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller** is affected by **CVE-2026-24790** (**missing authentication for a critical function**), where the underlying PLC can be remotely influenced without proper safeguards, creating risk of **over- or under-odorization events** (CVSS v3.1 **8.2**). In parallel reporting, a separate CISA warning covered **Honeywell CCTV** products impacted by **CVE-2026-1670** (CVSS **9.8**), where an unauthenticated API endpoint could allow an attacker to change the “forgot password” recovery email and take over accounts to access camera feeds; at the time of reporting, there were no public exploitation reports, and CISA recommended reducing exposure (e.g., isolating devices behind firewalls and using secure remote access).
Mar 21, 2026
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Mar 21, 2026
CISA Releases Multiple ICS Vulnerability Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) released a coordinated set of 18 Industrial Control Systems (ICS) advisories, detailing newly discovered vulnerabilities across a range of products from vendors such as Siemens, Mitsubishi Electric, AVEVA, Brightpick AI, and General Industrial Controls. These advisories highlight critical and high-severity issues including improper authentication, buffer overflows, weak cryptography, DLL hijacking, and improper certificate validation, many of which are remotely exploitable and could lead to code execution, privilege escalation, denial-of-service, or unauthorized access to sensitive systems. Affected products span widely used ICS components such as Siemens LOGO! 8 BM Devices, AVEVA Edge, Brightpick Mission Control, and General Industrial Controls Lynx+ Gateway, with several vulnerabilities assigned CVSS v4 scores above 8, indicating significant risk to industrial environments. CISA urges organizations to review the technical details and apply mitigations as recommended in the advisories to reduce exposure to these threats. The advisories provide actionable intelligence for asset owners and operators, including lists of affected product versions, vulnerability descriptions, and remediation steps. This coordinated disclosure underscores the ongoing targeting of ICS environments and the need for timely patching and robust security practices to protect critical infrastructure from exploitation.
Mar 21, 2026