OpenPLC_V3 Flaws Expose ICS Systems to Authentication Bypass and Credential Theft
Two high-severity vulnerabilities affecting OpenPLC_V3 were disclosed in CISA ICS advisory ICSA-25-345-10, exposing industrial control environments to unauthorized access and credential compromise. CVE-2026-28205 is an insecure default initialization flaw (CWE-1188) that could allow a remote attacker to bypass authentication through an API and gain access to the system, with the CVSS v4 vector indicating network reachability, low attack complexity, and no required privileges or user interaction.
A second issue, CVE-2026-35556, involves plaintext password storage (CWE-256) in OpenPLC_V3, creating a path for attackers to recover credentials and access sensitive information. The vulnerability record also carries a network-exploitable CVSS v4 profile with low attack complexity and high potential impact to confidentiality, integrity, and availability, underscoring the risk to operators using the platform in ICS environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA advisory reference added for OpenPLC_V3 vulnerabilities
The vulnerability records included references to a CISA ICS advisory for the OpenPLC_V3 issues, including advisory ICSA-25-345-10 for CVE-2026-35556. The initial records also added severity and weakness classification details for both CVEs.
ICS-CERT receives CVE-2026-35556 report for OpenPLC_V3
A new vulnerability entry for CVE-2026-35556 was received by ICS-CERT affecting OpenPLC_V3. The vulnerability involves plaintext password storage, which could enable credential retrieval and access to sensitive information.
ICS-CERT receives CVE-2026-28205 report for OpenPLC_V3
A new vulnerability entry for CVE-2026-28205 was received by ICS-CERT at DHS affecting OpenPLC_V3. The flaw is an insecure default initialization issue that could allow authentication bypass through an API and unauthorized system access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenPLC_V3 Vulnerable to Cross-Site Request Forgery (CSRF) Attack
OpenPLC_V3 has been identified as vulnerable to a cross-site request forgery (CSRF) attack due to the lack of proper CSRF validation mechanisms. This vulnerability, tracked as CVE-2025-13970, allows an unauthenticated attacker to trick a logged-in administrator into clicking a maliciously crafted link. If successful, the attacker could alter PLC settings or upload malicious programs, potentially causing significant disruption or damage to connected industrial control systems. The vulnerability is remotely exploitable and has been assigned a CVSS v3 base score of 8.0 and a CVSS v4 base score of 7.0, indicating high severity. The affected product is OpenPLC_V3, specifically versions prior to pull request #310. The issue was reported by researchers from the University of Central Florida and is relevant to critical infrastructure sectors such as manufacturing, energy, transportation, and water systems. Organizations using OpenPLC_V3 are advised to review their deployments and apply necessary mitigations or updates to address this security risk. No specific affected product versions were listed in the CVE database at the time of publication, but the CISA advisory provides actionable details for remediation.
Mar 21, 2026
Rising ICS Vulnerability Volume and New High-Severity Advisories for Valmet and Honeywell Products
Industrial control system (ICS) vulnerability reporting hit record levels in 2025, with **508 ICS advisories** covering **2,155 CVEs** and an increasing average severity (CVSS averages exceeding **8.0** in 2024–2025), according to a Forescout report. The report highlights that **Purdue Level 1 devices** (e.g., PLCs/RTUs/IEDs) were most affected, followed by Level 3 operational systems and Level 2 control systems, with **critical manufacturing and energy** most impacted. It also flags a growing visibility gap as an increasing number of ICS vulnerabilities lack associated **CISA ICSA** publications, including changes in how some vendor advisories (e.g., Siemens) are routed. CISA published an ICS advisory for **Valmet DNA Engineering Web Tools** (<= `C2022`) describing **CVE-2025-15577**, a **high-severity path traversal** issue (CVSS 3.1 **8.6**) that could allow an **unauthenticated attacker** to manipulate a web maintenance services URL to achieve **arbitrary file read**. Separately, CISA also warned (as reported by BleepingComputer) of a **critical** authentication flaw in multiple **Honeywell CCTV** products, **CVE-2026-1670** (CVSS **9.8**), where an exposed unauthenticated API endpoint could let an attacker change the “forgot password” recovery email and potentially enable **account takeover** and **unauthorized camera feed access**; CISA reported no known public exploitation at the time and reiterated standard ICS/OT hardening guidance (reduce exposure, segment networks, and secure remote access).
Mar 21, 2026
CISA ICS advisories warn of critical authentication and RCE flaws in industrial and IoT devices
CISA published multiple ICS advisories warning of high-severity vulnerabilities affecting industrial/IoT products deployed in critical infrastructure environments. For **Jinan USR IOT Technology (PUSR) USR-W610** (<= `3.1.1.0`), CISA reported multiple issues (including **CVE-2026-25715**, **CVE-2026-24455**, **CVE-2026-26049**, **CVE-2026-26048**) that could allow authentication to be effectively disabled (e.g., permitting blank admin credentials over the web interface and Telnet), enable credential exposure (including administrator credentials), and cause denial-of-service; one of the cited conditions results in full administrative control for a network-adjacent attacker without valid credentials (CVSS v3.1 **9.8**). Separately, **EnOcean SmartServer IoT** (<= `4.60.009`) was reported vulnerable to **OS command execution** via crafted LON IP-852 management messages (**CVE-2026-20761**) and an additional weakness that could leak memory and help bypass mitigations such as ASLR (**CVE-2026-22885**) (CVSS v3.1 **8.1**). CISA also warned that **Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller** is affected by **CVE-2026-24790** (**missing authentication for a critical function**), where the underlying PLC can be remotely influenced without proper safeguards, creating risk of **over- or under-odorization events** (CVSS v3.1 **8.2**). In parallel reporting, a separate CISA warning covered **Honeywell CCTV** products impacted by **CVE-2026-1670** (CVSS **9.8**), where an unauthenticated API endpoint could allow an attacker to change the “forgot password” recovery email and take over accounts to access camera feeds; at the time of reporting, there were no public exploitation reports, and CISA recommended reducing exposure (e.g., isolating devices behind firewalls and using secure remote access).
Mar 21, 2026