Black Hat USA

Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error.
"No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement shared with CNBC News. "This was a release packaging issue caused by human error, not a security

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

The NPM package for Axios, a popular JavaScript HTTP client library, was briefly compromised this week, possibly by North Korean threat actors.

Axios NPM Package Compromised in Precision Attack

Palo Alto researchers show how attackers could exploit AI agents on Google's Vertex AI to steal data and break into restricted cloud infrastructure.

Google's Vertex AI Has an Over-Privileged Problem

The threat group's shift to speedy attacks on AWS, Azure, and SaaS instances shows organizations need to respond quickly to compromised credentials.

TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials

Google on Monday said it's officially rolling out Android developer verification to all developers to combat the problem of bad actors distributing harmful apps while "hiding behind anonymity."
The development comes ahead of a planned verification mandate that goes into effect in Brazil, Indonesia, Singapore, and Thailand this September, before it expands globally next year.
As part of this

Android Developer Verification Rollout Begins Ahead of September Enforcement

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos.
The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

Intruder's Chris Wallis argues mid-market teams should prioritize CVE remediation speed over vulnerability counts, while expanding defenses beyond CVEs to include attack surface management.

Rethinking Vulnerability Management Strategies for Mid-Market Security

In a conversation with Dark Reading’s Terry Sweeney, DigiCert CEO Amit Sinha explains how AI-driven identities and quantum threats are reshaping the foundations of digital trust.

AI and Quantum Are Forcing a Rethink of Digital Trust

Iranian APTs are blurring the lines between state-sponsored and cybercriminal activities to target high-impact US organizations.

Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations

Cybersecurity researchers have disclosed a security "blind spot" in Google Cloud's Vertex AI platform that could allow artificial intelligence (AI) agents to be weaponized by an attacker to gain unauthorized access to sensitive data and compromise an organization's cloud environment.
According to Palo Alto Networks Unit 42, the issue relates to how the Vertex AI permission model can be misused

Vertex AI Vulnerability Exposes Google Cloud Data and Private Artifacts

The NCSC has issued actions for individuals at risk of targeted attacks against messaging apps.

NCSC warns of messaging app targeting

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-01.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Successful exploitation of this vulnerability could allow attackers with network access to alter operational settings, obtain sensitive signal data, or disrupt device availability.</strong></p>
<p>The following versions of Anritsu Remote Spectrum Monitor are affected:</p>
<ul>
<li>Remote Spectrum Monitor MS27100A vers:all/* (CVE-2026-3356)</li>
<li>Remote Spectrum Monitor MS27101A vers:all/* (CVE-2026-3356)</li>
<li>Remote Spectrum Monitor MS27102A vers:all/* (CVE-2026-3356)</li>
<li>Remote Spectrum Monitor MS27103A vers:all/* (CVE-2026-3356)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 9.8</td>
<td>Anritsu</td>
<td>Anritsu Remote Spectrum Monitor</td>
<td>Missing Authentication for Critical Function</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Communications, Defense Industrial Base, Emergency Services, Transportation Systems</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>Japan</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2026-3356</a></h3>
<div class="csaf-accordion-content">
<p>The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2026-3356">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>Anritsu Remote Spectrum Monitor</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>Anritsu</div>
<div class="ics-version"><strong>Product Version:</strong><br>Anritsu Remote Spectrum Monitor MS27100A: vers:all/*, Anritsu Remote Spectrum Monitor MS27101A: vers:all/*, Anritsu Remote Spectrum Monitor MS27102A: vers:all/*, Anritsu Remote Spectrum Monitor MS27103A: vers:all/*</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks.</p>
<p><strong>Mitigation</strong><br>Users can contact Anritsu Technical Support (1-800-267-4878) for more information.</p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/306.html">CWE-306 Missing Authentication for Critical Function</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>9.8</td>
<td>CRITICAL</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>Souvik Kandar reported this vulnerability to CISA</li>
</ul>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolating them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.</p>
<p>Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<p>No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.</p>
<hr>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-03-31</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-03-31</td>
<td>1</td>
<td>Initial Publication</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Successful exploitation of this vulnerability could allow attackers with network access to alter operational settings, obtain sensitive signal data, or disrupt device availability.
The following versions of Anritsu Remote Spectrum Monitor are affected:
Remote Spectrum Monitor MS27100A vers:all/* (CVE-2026-3356)
Remote Spectrum Monitor MS27101A vers:all/* (CVE-2026-3356)
Remote Spectrum Monitor MS27102A vers:all/* (CVE-2026-3356)
Remote Spectrum Monitor MS27103A vers:all/* (CVE-2026-3356)
CVSS
Vendor
Equipment
Vulnerabilities




v3 9.8
Anritsu
Anritsu Remote Spectrum Monitor
Missing Authentication for Critical Function




Background
Critical Infrastructure Sectors: Communications, Defense Industrial Base, Emergency Services, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan
Vulnerabilities
Expand All +
CVE-2026-3356
The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.
View CVE Details
Affected Products
Anritsu Remote Spectrum Monitor
Vendor:
Anritsu
Product Version:
Anritsu Remote Spectrum Monitor MS27100A: vers:all/*, Anritsu Remote Spectrum Monitor MS27101A: vers:all/*, Anritsu Remote Spectrum Monitor MS27102A: vers:all/*, Anritsu Remote Spectrum Monitor MS27103A: vers:all/*
Product Status:
known_affected
Remediations
Mitigation
Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks.
Mitigation
Users can contact Anritsu Technical Support (1-800-267-4878) for more information.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H








Acknowledgments
Souvik Kandar reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-03-31
Date
Revision
Summary




2026-03-31
1
Initial Publication




Legal Notice and Terms of Use

Anritsu Remote Spectrum Monitor

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-090-02.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication.</strong></p>
<p>The following versions of PX4 Autopilot are affected:</p>
<ul>
<li>Autopilot v1.16.0_SITL_latest_stable (CVE-2026-1579)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 9.8</td>
<td>PX4</td>
<td>PX4 Autopilot</td>
<td>Missing Authentication for Critical Function</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Transportation Systems, Emergency Services, Defense Industrial Base</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>Switzerland</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2026-1579</a></h3>
<div class="csaf-accordion-content">
<p>The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2026-1579">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>PX4 Autopilot</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>PX4</div>
<div class="ics-version"><strong>Product Version:</strong><br>PX4 Autopilot: v1.16.0_SITL_latest_stable</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non‑USB communication links. PX4 has published a security hardening guide for integrators and manufacturers at https://docs.px4.io/main/en/mavlink/security_hardening.<br><a href="https://docs.px4.io/main/en/mavlink/security_hardening">https://docs.px4.io/main/en/mavlink/security_hardening</a></p>
<p><strong>Mitigation</strong><br>Message signing configuration documentation can be found at https://docs.px4.io/main/en/mavlink/message_signing.<br><a href="https://docs.px4.io/main/en/mavlink/message_signing">https://docs.px4.io/main/en/mavlink/message_signing</a></p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/306.html">CWE-306 Missing Authentication for Critical Function</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>9.8</td>
<td>CRITICAL</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>Dolev Aviv of Cyviation reported this vulnerability to CISA</li>
</ul>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolating them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.</p>
<p>Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<p>CISA also recommends users take the following measures to protect themselves from social engineering attacks:</p>
<p>Do not click web links or open attachments in unsolicited email messages.</p>
<p>Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.</p>
<p>Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.</p>
<p>No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.</p>
<hr>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-03-31</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-03-31</td>
<td>1</td>
<td>Initial Publication</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication.
The following versions of PX4 Autopilot are affected:
Autopilot v1.16.0_SITL_latest_stable (CVE-2026-1579)
CVSS
Vendor
Equipment
Vulnerabilities




v3 9.8
PX4
PX4 Autopilot
Missing Authentication for Critical Function




Background
Critical Infrastructure Sectors: Transportation Systems, Emergency Services, Defense Industrial Base
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland
Vulnerabilities
Expand All +
CVE-2026-1579
The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication. When signing is enabled, unsigned messages are rejected at the protocol level.
View CVE Details
Affected Products
PX4 Autopilot
Vendor:
PX4
Product Version:
PX4 Autopilot: v1.16.0_SITL_latest_stable
Product Status:
known_affected
Remediations
Mitigation
PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non‑USB communication links. PX4 has published a security hardening guide for integrators and manufacturers at https://docs.px4.io/main/en/mavlink/security_hardening.
https://docs.px4.io/main/en/mavlink/security_hardening
Mitigation
Message signing configuration documentation can be found at https://docs.px4.io/main/en/mavlink/message_signing.
https://docs.px4.io/main/en/mavlink/message_signing
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H








Acknowledgments
Dolev Aviv of Cyviation reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-03-31
Date
Revision
Summary




2026-03-31
1
Initial Publication




Legal Notice and Terms of Use

PX4 Autopilot

The cybersecurity landscape is accelerating at an unprecedented rate. What is emerging is not simply a rise in the number of vulnerabilities or tools, but a dramatic increase in speed. Speed of attack, speed of exploitation, and speed of change across modern environments.
This is the defining challenge of the new era of digital warfare: the weaponization of Artificial Intelligence. Threat actors

The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority

Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT.
"The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating

Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains

The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency that delivers a trojan capable of targeting Windows, macOS, and Linux systems.
Versions 1.14.1 and 0.30.4 of Axios have been found to inject "plain-crypto-js" version 4.2.1 as a fake dependency.
According to StepSecurity, the two

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

The massive amount of junk code that hides the malware's logic from security scans was almost certainly generated by AI, researchers say.

AI-Powered 'DeepLoad' Malware Steals Credentials, Evades Detection

In a conversation with Dark Reading’s Terry Sweeney, Black Duck CEO Jason Schmitt explains how AI is reshaping application security and why it must evolve to keep pace.

AI-Driven Code Surge Is Forcing a Rethink of AppSec

CVE-2025-53521 was initially disclosed in October as a high-severity denial-of-service (DoS) flaw, but new information has revealed the bug is actually much more dangerous.

F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation

A previously unknown vulnerability in OpenAI ChatGPT allowed sensitive conversation data to be exfiltrated without user knowledge or consent, according to new findings from Check Point.
"A single malicious prompt could turn an otherwise ordinary conversation into a covert exfiltration channel, leaking user messages, uploaded files, and other sensitive content," the cybersecurity company said in

OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability

The two key economic sectors struggle with security for a reason: Many insiders view access management as a roadblock, while attackers see it as a way in.

Manufacturing and Healthcare Share Struggles with Passwords

A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad.
"It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked," ReliaQuest researchers Thassanai

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

The vulnerability, which is allegedly triggered by a corrupted sticker in the messaging app, received a 9.8 CVSS score, but Telegram denies it exists.

Storm Brews Over Critical, No-Click Telegram Flaw

Some weeks are loud. This one was quieter but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research that stopped being theoretical right around the time defenders stopped paying attention.
There's a bit of everything this week. Persistence plays, legal wins, influence ops, and at least one thing that looks boring

⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More

What is really slowing Tier 1 down: the threat itself or the process around it? In many SOCs, the biggest delays do not come from the threat alone. They come from fragmented workflows, manual triage steps, and limited visibility early in the investigation. Fixing those process gaps can help Tier 1 move faster, reduce unnecessary escalations, and improve how the entire SOC responds under pressure

3 SOC Process Fixes That Unlock Tier 1 Productivity

Cybersecurity researchers have discovered a remote access toolkit of Russian-origin that's distributed via malicious Windows shortcut (LNK) files that are disguised as private key folders.
The CTRL toolkit, according to Censys, is custom-built using .NET and includes various executables" to facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling

Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels

The NCSC is encouraging UK organisations to mitigate an unauthenticated remote code execution vulnerability affecting F5 BIG-IP Access Policy Manager.

Vulnerability affecting F5 BIG-IP APM

Understanding the threats and staying ahead of the adversary

Why cyber defenders need to be ready for frontier AI

<p>CISA has added one new vulnerability to its <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-3055" target="_blank">CVE-2026-3055</a> Citrix NetScaler Out-of-Bounds Read Vulnerability</li>
</ul>
<p>This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.</p>
<p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a> established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the <a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a> for more information.</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">KEV Catalog vulnerabilities</a> as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the <a href="/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities">specified criteria</a>.&nbsp;</p>


CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-3055 Citrix NetScaler Out-of-Bounds Read Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Adds One Known Exploited Vulnerability to Catalog

Secrets sprawl isn't slowing down: in 2025, it accelerated faster than most security teams anticipated. GitGuardian's State of Secrets Sprawl 2026 report analyzed billions of commits across public GitHub and uncovered 29 million new hardcoded secrets in 2025 alone, a 34% increase year over year and the largest single-year jump ever recorded.
This year's findings reveal three core trends: AI has

The State of Secrets Sprawl 2026: 9 Takeaways for CISOs

Three threat activity clusters aligned with China have targeted a government organization in Southeast Asia as part of what has been described as a "complex and well-resourced operation."
The campaigns have led to the deployment of various malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL

Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign

Threat actors with ties to Iran successfully broke into the personal email account of Kash Patel, the director of the U.S. Federal Bureau of Investigation (FBI), and leaked a cache of photos and other documents to the internet.
Handala Hack Team, which carried out the breach, said on its website that Patel "will now find his name among the list of successfully hacked victims." In a statement

Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information.
Per

Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug

Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices.
The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto,

TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.
"When a

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

Apple is now sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urge them to install the update.
The development was first reported by MacRumors.
"Apple is aware of attacks targeting out-of-date iOS software, including the version on your iPhone. Install this critical update to protect your iPhone," the

Apple Sends Lock Screen Alerts to Outdated iPhones Over Active Web-Based Exploits

TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions to steal sensitive data.
The two versions, 4.87.1 and 4.87.2, published to the Python Package Index (PyPI) repository on March 27, 2026, concealed their credential harvesting capabilities within a .WAV file. Users are

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

Chinese APT Red Menshen's super-advanced BPFdoor malware defeats traditional cybersecurity protections. All telcos can do, really, is try hunting it down.

China Upgrades the Backdoor It Uses to Spy on Telcos Globally

The list of countries exploiting Internet-connected cameras to give them eyes inside their adversaries' borders continues to expand. What should companies look out for?

Wartime Usage of Compromised IP Cameras Highlight Their Danger

Cybersecurity researchers have disclosed details of a now-patched bug impacting Open VSX's pre-publish scanning pipeline to cause the tool to allow a malicious Microsoft Visual Studio Code (VS Code) extension to pass the vetting process and go live in the registry.
"The pipeline had a single boolean return value that meant both 'no scanners are configured' and 'all scanners failed to run,'" Koi

Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

Operational technology (OT) at industrial and critical infrastructure sites seem to have been benefitting from a lull in ransomware, and hackers' relative ignorance of OT systems.

Infrastructure Attacks With Physical Consequences Down 25%

The post-quantum future may be coming sooner than you think, as Google plans to have PQC migration in place by 2029.

Google Sets 2029 Deadline for Quantum-Safe Cryptography

Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts in a new campaign, according to a report from Push Security.
Business accounts associated with social media platforms are a lucrative target, as they can be weaponized by bad actors for malvertising and distributing malware.
"TikTok has been historically abused to distribute

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

<p>CISA has added one new vulnerability to its <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2025-53521" target="_blank">CVE-2025-53521</a> F5 BIG-IP Remote Code Execution Vulnerability</li>
</ul>
<p>This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.</p>
<p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a> established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the <a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a> for more information.</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">KEV Catalog vulnerabilities</a> as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the <a href="/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities">specified criteria</a>.&nbsp;</p>


CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it.&nbsp;
Introduction: One tech power to rule them all is a thing of the past&nbsp;
The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It emerged from the ashes

Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it. 
Introduction: One tech power to rule them all is a thing of the past 
The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It emerged from the ashes

We Are At War

A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.
"Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses;

Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware

Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.
Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of

LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks

Nation-state malware is being sold on the Dark Web and leaked to GitHub; and ordinary organizations might not stand much of a chance of defending themselves.

Coruna, DarkSword &amp; Democratizing Nation-State Exploit Kits

The agency put foreign-made consumer routers on its list of prohibited communications devices, but the ban could create more problems down the road.

Is the FCC's Router Ban the Wrong Fix?

More than a decade since the 2015 Jeep hack, the cybersecurity of vehicles remains of the utmost importance.

Automotive Cybersecurity Threats Grow in Era of Connected, Autonomous Vehicles

Threats actors pounced on the code injection vulnerability within hours of its disclosure, demonstrating that organizations have little time to address critical bugs.

Critical Flaw in Langflow AI Platform Under Attack

A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.
The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that's also tracked as Earth Bluecrow,

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

Organizations repeatedly expose ports, reuse passwords, and skip patches, creating security gaps that attackers exploit for breaches. An industry veteran outlines ways to fix these common mistakes.

How Organizations Can Use Mistakes to Level Up Their Security Programs

AI models often hallucinate or make costly mistakes when tasked with recommending software versions, upgrade paths, and security fixes — leading to significant technical debt.

AI-Powered Dependency Decisions Introduce, Ignore Security Bugs

Most teams have security tools in place. Alerts are firing, dashboards look clean, threat intel is flowing in. On the surface, everything feels under control.
But one question usually stays unanswered: Would your defenses actually stop a real attack?
That’s where things get shaky. A control exists, so it’s assumed to work. A detection rule is active, so it’s expected to catch something. But very

[Webinar] Stop Guessing. Learn to Validate Your Defenses Against Real Attacks

Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page.
The flaw "allowed any website to silently inject prompts into that assistant as if the user wrote them," Koi Security researcher Oren Yomtov said in a report shared with The Hacker News. "No clicks, no

Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Third-party resellers and brokers foil transparency efforts and allow spyware to spread despite government restrictions, a study finds.

Intermediaries Driving Global Spyware Market Expansion

<p>CISA has added one new vulnerability to its <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-33634" target="_blank">CVE-2026-33634</a> Aqua Security Trivy Embedded Malicious Code Vulnerability</li>
</ul>
<p>This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.</p>
<p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a> established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the <a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a> for more information.</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">KEV Catalog vulnerabilities</a> as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the <a href="/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities">specified criteria</a>.&nbsp;</p>


CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-33634 Aqua Security Trivy Embedded Malicious Code Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-085-02.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Successful exploitation of this vulnerability could allow an authenticated low-privileged user to gain access to SMS messages outside of their authorized tenant scope via a crafted company or tenant identifier parameter.</strong></p>
<p>The following versions of OpenCode Systems OC Messaging and USSD Gateway are affected:</p>
<ul>
<li>OC Messaging 6.32.2 (CVE-2025-70614)</li>
<li>USSD Gateway 6.32.2 (CVE-2025-70614)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 8.1</td>
<td>OpenCode Systems</td>
<td>OpenCode Systems OC Messaging and USSD Gateway</td>
<td>Improper Access Control</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Communications</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>Bulgaria</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2025-70614</a></h3>
<div class="csaf-accordion-content">
<p>OpenCode Systems Custom Messaging Gateway 6.32.2 contains a web access vulnerability allowing one authenticated user to gain access to another authenticated user's messages via a crafted identifier parameter.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2025-70614">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>OpenCode Systems OC Messaging and USSD Gateway</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>OpenCode Systems</div>
<div class="ics-version"><strong>Product Version:</strong><br>OpenCode Systems OC Messaging: 6.32.2, OpenCode Systems USSD Gateway: 6.32.2</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>The vulnerability was identified by OpenCode Systems on January 5, 2026 and remediated on January 6, 2026 with the release of version 6.33.11.</p>
<p><strong>Mitigation</strong><br>For more information, contact OpenCode: https://opencode.com/about/contact-us<br><a href="https://opencode.com/about/contact-us">https://opencode.com/about/contact-us</a></p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/284.html">CWE-284 Improper Access Control</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>8.1</td>
<td>HIGH</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>Hussein Amer reported this vulnerability to CISA</li>
</ul>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolating them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.</p>
<p>Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<p>CISA also recommends users take the following measures to protect themselves from social engineering attacks:</p>
<p>Do not click web links or open attachments in unsolicited email messages.</p>
<p>Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.</p>
<p>Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.</p>
<p>No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.</p>
<hr>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-03-26</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-03-26</td>
<td>1</td>
<td>Initial Publication</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Successful exploitation of this vulnerability could allow an authenticated low-privileged user to gain access to SMS messages outside of their authorized tenant scope via a crafted company or tenant identifier parameter.
The following versions of OpenCode Systems OC Messaging and USSD Gateway are affected:
OC Messaging 6.32.2 (CVE-2025-70614)
USSD Gateway 6.32.2 (CVE-2025-70614)
CVSS
Vendor
Equipment
Vulnerabilities




v3 8.1
OpenCode Systems
OpenCode Systems OC Messaging and USSD Gateway
Improper Access Control




Background
Critical Infrastructure Sectors: Communications
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Bulgaria
Vulnerabilities
Expand All +
CVE-2025-70614
OpenCode Systems Custom Messaging Gateway 6.32.2 contains a web access vulnerability allowing one authenticated user to gain access to another authenticated user's messages via a crafted identifier parameter.
View CVE Details
Affected Products
OpenCode Systems OC Messaging and USSD Gateway
Vendor:
OpenCode Systems
Product Version:
OpenCode Systems OC Messaging: 6.32.2, OpenCode Systems USSD Gateway: 6.32.2
Product Status:
known_affected
Remediations
Mitigation
The vulnerability was identified by OpenCode Systems on January 5, 2026 and remediated on January 6, 2026 with the release of version 6.33.11.
Mitigation
For more information, contact OpenCode: https://opencode.com/about/contact-us
https://opencode.com/about/contact-us
Relevant CWE: CWE-284 Improper Access Control
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
8.1
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N








Acknowledgments
Hussein Amer reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-03-26
Date
Revision
Summary




2026-03-26
1
Initial Publication




Legal Notice and Terms of Use

OpenCode Systems OC Messaging and USSD Gateway

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-085-01.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.</strong></p>
<p>The following versions of WAGO GmbH &amp; Co. KG Industrial Managed Switches are affected:</p>
<ul>
<li>WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1812 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1813 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.3.S0 WAGO_Hardware_852-1813/000-001 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1816 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.8.S0 WAGO_Hardware_852-303 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1305 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1305/000-001 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1505/000-001 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.1.9.S0 WAGO_Hardware_852-1505 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.0.6.S0 WAGO_Hardware_852-602 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.0.6.S0 WAGO_Hardware_852-603 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.5.S0 WAGO_Hardware_852-1605 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1812/010-000 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1813/010-000 (CVE-2026-3587)</li>
<li>WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1816/010-000 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.0.6.S0 WAGO_Hardware_852-602 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.0.6.S0 WAGO_Hardware_852-603 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.1.9.S0 WAGO_Hardware_852-1505 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1305 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1305/000-001 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1505/000-001 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1812 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1816 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1812/010-000 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813/010-000 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1816/010-000 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.3.S0 WAGO_Hardware_852-1813/000-001 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.5.S0 WAGO_Hardware_852-1605 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.8.S0 WAGO_Hardware_852-303 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813/010-001 (CVE-2026-3587)</li>
<li>WAGO Firmware version V1.2.1.S1 WAGO_Hardware_852-1813/010-001 (CVE-2026-3587)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 10</td>
<td>WAGO</td>
<td>WAGO GmbH &amp; Co. KG Industrial Managed Switches</td>
<td>Hidden Functionality</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>Germany</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2026-3587</a></h3>
<div class="csaf-accordion-content">
<p>An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2026-3587">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>WAGO GmbH &amp; Co. KG Industrial Managed Switches</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>WAGO</div>
<div class="ics-version"><strong>Product Version:</strong><br>WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1812, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1813, WAGO WAGO Firmware versions prior to V1.2.3.S0: WAGO_Hardware_852-1813/000-001, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1816, WAGO WAGO Firmware versions prior to V1.2.8.S0: WAGO_Hardware_852-303, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1305, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1305/000-001, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1505/000-001, WAGO WAGO Firmware versions prior to V1.1.9.S0: WAGO_Hardware_852-1505, WAGO WAGO Firmware versions prior to V1.0.6.S0: WAGO_Hardware_852-602, WAGO WAGO Firmware versions prior to V1.0.6.S0: WAGO_Hardware_852-603, WAGO WAGO Firmware versions prior to V1.2.5.S0: WAGO_Hardware_852-1605, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1812/010-000, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1813/010-000, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1816/010-000, WAGO WAGO Firmware version V1.0.6.S0: WAGO_Hardware_852-602, WAGO WAGO Firmware version V1.0.6.S0: WAGO_Hardware_852-603, WAGO WAGO Firmware version V1.1.9.S0: WAGO_Hardware_852-1505, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1305, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1305/000-001, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1505/000-001, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1812, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1816, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1812/010-000, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813/010-000, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1816/010-000, WAGO WAGO Firmware version V1.2.3.S0: WAGO_Hardware_852-1813/000-001, WAGO WAGO Firmware version V1.2.5.S0: WAGO_Hardware_852-1605, WAGO WAGO Firmware version V1.2.8.S0: WAGO_Hardware_852-303, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813/010-001, WAGO WAGO Firmware version V1.2.1.S1: WAGO_Hardware_852-1813/010-001</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>WAGO has identified the following specific workarounds and mitigations users can apply to reduce risk: Product Group: WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1813/010-001, WAGO Firmware installed on WAGO Hardware 852-1813/010-001): Please update your devices to the specified fixed Firmware version.</p>
<p><strong>Mitigation</strong><br>Lean Managed Switch 852-1812, Lean Managed Switch 852-1813, Lean Managed Switch 852-1813/000-001, Lean Managed Switch 852-1816, Lean Managed Switch 852-1812/010-000, Lean Managed Switch 852-1813/010-000, Lean Managed Switch 852-1816/010-000, Lean Managed Switch 852-1813/010-001: To eliminate the attack vector deactivate ssh and telnet on the device.</p>
<p><strong>Mitigation</strong><br>Industrial Managed Switch 852-303, Industrial Managed Switch 852-1305, Industrial Managed Switch 852-1305/000-001, Industrial Managed Switch 852-1505/000-001, Industrial Managed Switch 852-1505, Industrial Managed Switch 852-602, Industrial Managed Switch 852-603, Industrial Managed Switch 852-1605: To reduce the attack vector deactivate ssh and telnet on the devices. This ensures that the CLI is only accessible locally via RS232.</p>
<p><strong>Mitigation</strong><br>The following product versions have been fixed: Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.3.S1 installed on Lean Managed Switch 852-1813/000-001 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.8.S1 installed on Industrial Managed Switch 852-303 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305/000-001 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1505/000-001 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.1.9.S1 installed on Industrial Managed Switch 852-1505 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-602 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-603 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.5.S1 installed on Industrial Managed Switch 852-1605 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812/010-000 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-000 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816/010-000 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-001 are fixed versions for CVE-2026-3587</p>
<p><strong>Mitigation</strong><br>For more information see the associated WAGO GmbH &amp; Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.<br><a href="https://www.wago.com/de-en/automation-technology/psirt">https://www.wago.com/de-en/automation-technology/psirt</a></p>
<p><strong>Mitigation</strong><br>For more information see the associated WAGO GmbH &amp; Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.<br><a href="https://certvde.com/en/advisories/VDE-2026-020">https://certvde.com/en/advisories/VDE-2026-020</a></p>
<p><strong>Mitigation</strong><br>For more information see the associated WAGO GmbH &amp; Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.<br><a href="https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json">https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json</a></p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/912.html">CWE-912 Hidden Functionality</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>10</td>
<td>CRITICAL</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>CERT@VDE coordination reported this vulnerability to CISA</li>
</ul>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolating them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.</p>
<p>Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<p>CISA also recommends users take the following measures to protect themselves from social engineering attacks:</p>
<p>Do not click web links or open attachments in unsolicited email messages.</p>
<p>Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.</p>
<p>Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.</p>
<p>No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.</p>
<hr>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-03-26</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-03-26</td>
<td>1</td>
<td>Initial Republication of WAGO GmbH &amp; Co. KG VDE-2026-020</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.
The following versions of WAGO GmbH & Co. KG Industrial Managed Switches are affected:
WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1812 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1813 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.3.S0 WAGO_Hardware_852-1813/000-001 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1816 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.8.S0 WAGO_Hardware_852-303 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1305 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1305/000-001 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.0.S0 WAGO_Hardware_852-1505/000-001 (CVE-2026-3587)
WAGO Firmware versions prior to V1.1.9.S0 WAGO_Hardware_852-1505 (CVE-2026-3587)
WAGO Firmware versions prior to V1.0.6.S0 WAGO_Hardware_852-602 (CVE-2026-3587)
WAGO Firmware versions prior to V1.0.6.S0 WAGO_Hardware_852-603 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.5.S0 WAGO_Hardware_852-1605 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1812/010-000 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1813/010-000 (CVE-2026-3587)
WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1816/010-000 (CVE-2026-3587)
WAGO Firmware version V1.0.6.S0 WAGO_Hardware_852-602 (CVE-2026-3587)
WAGO Firmware version V1.0.6.S0 WAGO_Hardware_852-603 (CVE-2026-3587)
WAGO Firmware version V1.1.9.S0 WAGO_Hardware_852-1505 (CVE-2026-3587)
WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1305 (CVE-2026-3587)
WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1305/000-001 (CVE-2026-3587)
WAGO Firmware version V1.2.0.S0 WAGO_Hardware_852-1505/000-001 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1812 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1816 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1812/010-000 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813/010-000 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1816/010-000 (CVE-2026-3587)
WAGO Firmware version V1.2.3.S0 WAGO_Hardware_852-1813/000-001 (CVE-2026-3587)
WAGO Firmware version V1.2.5.S0 WAGO_Hardware_852-1605 (CVE-2026-3587)
WAGO Firmware version V1.2.8.S0 WAGO_Hardware_852-303 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S0 WAGO_Hardware_852-1813/010-001 (CVE-2026-3587)
WAGO Firmware version V1.2.1.S1 WAGO_Hardware_852-1813/010-001 (CVE-2026-3587)
CVSS
Vendor
Equipment
Vulnerabilities




v3 10
WAGO
WAGO GmbH & Co. KG Industrial Managed Switches
Hidden Functionality




Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Vulnerabilities
Expand All +
CVE-2026-3587
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.
View CVE Details
Affected Products
WAGO GmbH & Co. KG Industrial Managed Switches
Vendor:
WAGO
Product Version:
WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1812, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1813, WAGO WAGO Firmware versions prior to V1.2.3.S0: WAGO_Hardware_852-1813/000-001, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1816, WAGO WAGO Firmware versions prior to V1.2.8.S0: WAGO_Hardware_852-303, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1305, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1305/000-001, WAGO WAGO Firmware versions prior to V1.2.0.S0: WAGO_Hardware_852-1505/000-001, WAGO WAGO Firmware versions prior to V1.1.9.S0: WAGO_Hardware_852-1505, WAGO WAGO Firmware versions prior to V1.0.6.S0: WAGO_Hardware_852-602, WAGO WAGO Firmware versions prior to V1.0.6.S0: WAGO_Hardware_852-603, WAGO WAGO Firmware versions prior to V1.2.5.S0: WAGO_Hardware_852-1605, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1812/010-000, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1813/010-000, WAGO WAGO Firmware versions prior to V1.2.1.S0: WAGO_Hardware_852-1816/010-000, WAGO WAGO Firmware version V1.0.6.S0: WAGO_Hardware_852-602, WAGO WAGO Firmware version V1.0.6.S0: WAGO_Hardware_852-603, WAGO WAGO Firmware version V1.1.9.S0: WAGO_Hardware_852-1505, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1305, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1305/000-001, WAGO WAGO Firmware version V1.2.0.S0: WAGO_Hardware_852-1505/000-001, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1812, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1816, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1812/010-000, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813/010-000, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1816/010-000, WAGO WAGO Firmware version V1.2.3.S0: WAGO_Hardware_852-1813/000-001, WAGO WAGO Firmware version V1.2.5.S0: WAGO_Hardware_852-1605, WAGO WAGO Firmware version V1.2.8.S0: WAGO_Hardware_852-303, WAGO WAGO Firmware version V1.2.1.S0: WAGO_Hardware_852-1813/010-001, WAGO WAGO Firmware version V1.2.1.S1: WAGO_Hardware_852-1813/010-001
Product Status:
known_affected
Remediations
Mitigation
WAGO has identified the following specific workarounds and mitigations users can apply to reduce risk: Product Group: WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1813/010-001, WAGO Firmware installed on WAGO Hardware 852-1813/010-001): Please update your devices to the specified fixed Firmware version.
Mitigation
Lean Managed Switch 852-1812, Lean Managed Switch 852-1813, Lean Managed Switch 852-1813/000-001, Lean Managed Switch 852-1816, Lean Managed Switch 852-1812/010-000, Lean Managed Switch 852-1813/010-000, Lean Managed Switch 852-1816/010-000, Lean Managed Switch 852-1813/010-001: To eliminate the attack vector deactivate ssh and telnet on the device.
Mitigation
Industrial Managed Switch 852-303, Industrial Managed Switch 852-1305, Industrial Managed Switch 852-1305/000-001, Industrial Managed Switch 852-1505/000-001, Industrial Managed Switch 852-1505, Industrial Managed Switch 852-602, Industrial Managed Switch 852-603, Industrial Managed Switch 852-1605: To reduce the attack vector deactivate ssh and telnet on the devices. This ensures that the CLI is only accessible locally via RS232.
Mitigation
The following product versions have been fixed: Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.3.S1 installed on Lean Managed Switch 852-1813/000-001 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.8.S1 installed on Industrial Managed Switch 852-303 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305/000-001 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1505/000-001 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.1.9.S1 installed on Industrial Managed Switch 852-1505 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-602 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-603 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.5.S1 installed on Industrial Managed Switch 852-1605 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812/010-000 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-000 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816/010-000 are fixed versions for CVE-2026-3587
Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-001 are fixed versions for CVE-2026-3587
Mitigation
For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.
https://www.wago.com/de-en/automation-technology/psirt
Mitigation
For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.
https://certvde.com/en/advisories/VDE-2026-020
Mitigation
For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.
https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json
Relevant CWE: CWE-912 Hidden Functionality
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H








Acknowledgments
CERT@VDE coordination reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-03-26
Date
Revision
Summary




2026-03-26
1
Initial Republication of WAGO GmbH & Co. KG VDE-2026-020




Legal Notice and Terms of Use

WAGO GmbH & Co. KG Industrial Managed Switches

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-085-03.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.</strong></p>
<p>The following versions of PTC Windchill Product Lifecycle Management are affected:</p>
<ul>
<li>Windchill PDMLink 11.0_M030 (CVE-2026-4681)</li>
<li>Windchill PDMLink 11.1_M020 (CVE-2026-4681)</li>
<li>Windchill PDMLink 11.2.1.0 (CVE-2026-4681)</li>
<li>Windchill PDMLink 12.0.2.0 (CVE-2026-4681)</li>
<li>Windchill PDMLink 12.1.2.0 (CVE-2026-4681)</li>
<li>Windchill PDMLink 13.0.2.0 (CVE-2026-4681)</li>
<li>Windchill PDMLink 13.1.0.0 (CVE-2026-4681)</li>
<li>Windchill PDMLink 13.1.1.0 (CVE-2026-4681)</li>
<li>Windchill PDMLink 13.1.2.0 (CVE-2026-4681)</li>
<li>Windchill PDMLink 13.1.3.0 (CVE-2026-4681)</li>
<li>FlexPLM 11.0_M030 (CVE-2026-4681)</li>
<li>FlexPLM 11.1_M020 (CVE-2026-4681)</li>
<li>FlexPLM 11.2.1.0 (CVE-2026-4681)</li>
<li>FlexPLM 12.0.0.0 (CVE-2026-4681)</li>
<li>FlexPLM 12.0.2.0 (CVE-2026-4681)</li>
<li>FlexPLM 12.0.3.0 (CVE-2026-4681)</li>
<li>FlexPLM 12.1.2.0 (CVE-2026-4681)</li>
<li>FlexPLM 12.1.3.0 (CVE-2026-4681)</li>
<li>FlexPLM 13.0.2.0 (CVE-2026-4681)</li>
<li>FlexPLM 13.0.3.0 (CVE-2026-4681)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 10</td>
<td>PTC</td>
<td>PTC Windchill Product Lifecycle Management</td>
<td>Improper Control of Generation of Code ('Code Injection')</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Critical Manufacturing</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>United States</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2026-4681</a></h3>
<div class="csaf-accordion-content">
<p>A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2026-4681">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>PTC Windchill Product Lifecycle Management</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>PTC</div>
<div class="ics-version"><strong>Product Version:</strong><br>PTC Windchill PDMLink: 11.0_M030, PTC Windchill PDMLink: 11.1_M020, PTC Windchill PDMLink: 11.2.1.0, PTC Windchill PDMLink: 12.0.2.0, PTC Windchill PDMLink: 12.1.2.0, PTC Windchill PDMLink: 13.0.2.0, PTC Windchill PDMLink: 13.1.0.0, PTC Windchill PDMLink: 13.1.1.0, PTC Windchill PDMLink: 13.1.2.0, PTC Windchill PDMLink: 13.1.3.0, PTC FlexPLM: 11.0_M030, PTC FlexPLM: 11.1_M020, PTC FlexPLM: 11.2.1.0, PTC FlexPLM: 12.0.0.0, PTC FlexPLM: 12.0.2.0, PTC FlexPLM: 12.0.3.0, PTC FlexPLM: 12.1.2.0, PTC FlexPLM: 12.1.3.0, PTC FlexPLM: 13.0.2.0, PTC FlexPLM: 13.0.3.0</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>PTC is aware of the issue and is actively developing a fix. In the meantime, PTC recommends applying the recommended workaround. Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically: Protect any publicly accessible Windchill systems</p>
<p><strong>Vendor fix</strong><br>While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure</p>
<p><strong>Vendor fix</strong><br>Apply the same precautions to FlexPLM deployments</p>
<p><strong>Vendor fix</strong><br>The following Apache and IIS HTTP Server configuration update should be IMMEDIATELY applied to every Windchill or FlexPLM system: Customers using Apache HTTP Server should only follow "Apache HTTP Server Configuration – Workaround Steps" section steps</p>
<p><strong>Mitigation</strong><br>Customers using Microsoft IIS should only follow "IIS Configuration - Workaround Steps" section steps</p>
<p><strong>Mitigation</strong><br>Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable</p>
<p><strong>Mitigation</strong><br>For Windchill releases prior to 11.0 M030, workarounds may need to be altered to apply to unsupported previous releases</p>
<p><strong>Mitigation</strong><br>For Apache HTTP Server and IIS configuration workaround steps, please refer to the official advisory at:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.<br><a href="https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability">https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability</a></p>
<p><strong>Mitigation</strong><br>If immediate remediation is not feasible, additional guidance and remediation options are available:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.<br><a href="https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability">https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability</a></p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94 Improper Control of Generation of Code ('Code Injection')</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>10</td>
<td>CRITICAL</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>An anonymous source reported this vulnerability to CISA</li>
</ul>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolating them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.</p>
<p>Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<p>CISA also recommends users take the following measures to protect themselves from social engineering attacks:</p>
<p>Do not click web links or open attachments in unsolicited email messages.</p>
<p>Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.</p>
<p>Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.</p>
<p>No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.</p>
<hr>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-03-26</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-03-26</td>
<td>1</td>
<td>Initial Republication of PTC's CS466318</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.
The following versions of PTC Windchill Product Lifecycle Management are affected:
Windchill PDMLink 11.0_M030 (CVE-2026-4681)
Windchill PDMLink 11.1_M020 (CVE-2026-4681)
Windchill PDMLink 11.2.1.0 (CVE-2026-4681)
Windchill PDMLink 12.0.2.0 (CVE-2026-4681)
Windchill PDMLink 12.1.2.0 (CVE-2026-4681)
Windchill PDMLink 13.0.2.0 (CVE-2026-4681)
Windchill PDMLink 13.1.0.0 (CVE-2026-4681)
Windchill PDMLink 13.1.1.0 (CVE-2026-4681)
Windchill PDMLink 13.1.2.0 (CVE-2026-4681)
Windchill PDMLink 13.1.3.0 (CVE-2026-4681)
FlexPLM 11.0_M030 (CVE-2026-4681)
FlexPLM 11.1_M020 (CVE-2026-4681)
FlexPLM 11.2.1.0 (CVE-2026-4681)
FlexPLM 12.0.0.0 (CVE-2026-4681)
FlexPLM 12.0.2.0 (CVE-2026-4681)
FlexPLM 12.0.3.0 (CVE-2026-4681)
FlexPLM 12.1.2.0 (CVE-2026-4681)
FlexPLM 12.1.3.0 (CVE-2026-4681)
FlexPLM 13.0.2.0 (CVE-2026-4681)
FlexPLM 13.0.3.0 (CVE-2026-4681)
CVSS
Vendor
Equipment
Vulnerabilities




v3 10
PTC
PTC Windchill Product Lifecycle Management
Improper Control of Generation of Code ('Code Injection')




Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States
Vulnerabilities
Expand All +
CVE-2026-4681
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
View CVE Details
Affected Products
PTC Windchill Product Lifecycle Management
Vendor:
PTC
Product Version:
PTC Windchill PDMLink: 11.0_M030, PTC Windchill PDMLink: 11.1_M020, PTC Windchill PDMLink: 11.2.1.0, PTC Windchill PDMLink: 12.0.2.0, PTC Windchill PDMLink: 12.1.2.0, PTC Windchill PDMLink: 13.0.2.0, PTC Windchill PDMLink: 13.1.0.0, PTC Windchill PDMLink: 13.1.1.0, PTC Windchill PDMLink: 13.1.2.0, PTC Windchill PDMLink: 13.1.3.0, PTC FlexPLM: 11.0_M030, PTC FlexPLM: 11.1_M020, PTC FlexPLM: 11.2.1.0, PTC FlexPLM: 12.0.0.0, PTC FlexPLM: 12.0.2.0, PTC FlexPLM: 12.0.3.0, PTC FlexPLM: 12.1.2.0, PTC FlexPLM: 12.1.3.0, PTC FlexPLM: 13.0.2.0, PTC FlexPLM: 13.0.3.0
Product Status:
known_affected
Remediations
Mitigation
PTC is aware of the issue and is actively developing a fix. In the meantime, PTC recommends applying the recommended workaround. Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically: Protect any publicly accessible Windchill systems
Vendor fix
While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure
Vendor fix
Apply the same precautions to FlexPLM deployments
Vendor fix
The following Apache and IIS HTTP Server configuration update should be IMMEDIATELY applied to every Windchill or FlexPLM system: Customers using Apache HTTP Server should only follow "Apache HTTP Server Configuration – Workaround Steps" section steps
Mitigation
Customers using Microsoft IIS should only follow "IIS Configuration - Workaround Steps" section steps
Mitigation
Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable
Mitigation
For Windchill releases prior to 11.0 M030, workarounds may need to be altered to apply to unsupported previous releases
Mitigation
For Apache HTTP Server and IIS configuration workaround steps, please refer to the official advisory at:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.
https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability
Mitigation
If immediate remediation is not feasible, additional guidance and remediation options are available:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.
https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability
Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H








Acknowledgments
An anonymous source reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-03-26
Date
Revision
Summary




2026-03-26
1
Initial Republication of PTC's CS466318




Legal Notice and Terms of Use

PTC Windchill Product Lifecycle Management

Unmasking impostors is something the art world has faced for decades, and there are valuable lessons from the works of Elmyr de Hory that can apply to the world of defensive cybersecurity. During the 1960s, de Hory gained infamy as a premier forger, passing off counterfeit masterworks of Picasso, Matisse, and Renoir to unsuspecting collectors and renowned museums. Over the next several decades,

Masters of Imitation: How Hackers and Art Forgers Perfect the Art of Deception

Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn&rsquo;t even be touching.
There&rsquo;s a little bit of everything in this one, too. Weird delivery tricks, old problems coming back in slightly worse forms, shady infrastructure doing

Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn’t even be touching.
There’s a little bit of everything in this one, too. Weird delivery tricks, old problems coming back in slightly worse forms, shady infrastructure doing

ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories

The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
"When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared

Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks

Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls.
"Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week.
The attack,

WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites

While US government sits out this year, EU officials are on the ground in San Francisco leading the conversations on today's top cybersecurity challenges.

At RSAC, the EU Leads While US Officials Are Sidelined

The alleged administrator of the LeakBase cybercrime forum has been arrested by Russian law enforcement authorities, state media reported Thursday.
According to TASS and MVD Media, a news website linked to the Russian Interior Ministry, the suspect is a resident of the city of Taganrog. The suspect is said to have been detained for creating and managing a criminal site that allowed stolen

LeakBase Admin Arrested in Russia Over Massive Stolen Credential Marketplace

Publicly accusing an entity of a cyberattack could have negative consequences that organizations should consider before taking the plunge.

Blame Game: Why Public Cyber Attribution Carries Risks

A series of campaigns that began in August aim to defraud job candidates, using psychological tactics and data scraped from LinkedIn profiles.

Phishers Pose as Palo Alto Networks' Recruiters for Months in Job Scam

Ten finalists had three minutes to make their case for being the most innovative, promising young security company of the year. Geordie AI wins the 2026 contest.

AI Dominates RSAC Innovation Sandbox

For the first time, SANS Institute's five top attack techniques all have one thing in common — AI.

SANS: Top 5 Most Dangerous New Attack Techniques to Watch

Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs.
"It logs keystrokes, dumps cookies and session tokens, captures screenshots, and

GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data

Organizations disclose attack details, though information may be limited. What if they did the same with close calls?

Why a 'Near-Miss' Database Is Key to Improving Information Sharing

Attacks by artificial intelligence agents are a reality. Experts at Nvidia's GTC conference say defenders need to use the same tools to fight them off.

AI-Native Security Is a Must to Counter AI-Based Attacks

UK organisations encouraged to take immediate action to mitigate two recently disclosed vulnerabilities affecting Citrix NetScaler ADC and Citrix NetScaler Gateway.

Vulnerabilities affecting Citrix NetScaler ADC and Citrix NetScaler Gateway

<p>CISA has added one new vulnerability to its <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-33017" target="_blank">CVE-2026-33017</a> Langflow Code Injection Vulnerability</li>
</ul>
<p>This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.</p>
<p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a> established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the <a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a> for more information.</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of <a href="/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">KEV Catalog vulnerabilities</a> as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the <a href="/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities">specified criteria</a>.&nbsp;</p>


CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-33017 Langflow Code Injection Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

In September 2025, Anthropic disclosed that a state-sponsored threat actor used an AI coding agent to execute an autonomous cyber espionage campaign against 30 global targets. The AI handled 80-90% of tactical operations on its own, performing reconnaissance, writing exploit code, and attempting lateral movement at machine speed.
This incident is worrying, but there's a scenario that should

The Kill Chain Is Obsolete When Your AI Agent Is the Threat

Four former NSA chiefs representing a near-complete history of US Cyber Command debate the role of offensive cyber in the government at RSAC.

Ex-NSA Directors Discuss 'Red Line' for Offensive Cyberattacks

The U.S. Department of Justice (DoJ) said a Russian national has been sentenced to two years in prison for managing a botnet that was used to launch ransomware attacks against U.S. companies.
Ilya Angelov, 40, of Tolyatti, Russia, was also fined $100,000. Angelov, who went by the online aliases "milan" and "okart," is said to have co-managed a Russia-based cybercriminal group known as TA551 (aka

Russian Hacker Sentenced to 2 Years for TA551 Botnet-Driven Ransomware Attacks

Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.
The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse

The U.S. Federal Communications Commission (FCC) said on Monday that it was banning the import of new, foreign-made consumer routers, citing "unacceptable" risks to cyber and national security.
The action was designed to safeguard Americans and the underlying communications networks the country relies on, FCC Chairman Brendan Carr said in a post on X. The development means that new models of

FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns

Iran-aligned groups are trying to make their mark in the Gulf, but the results have fallen short of remarkable.

Iran Hacktivists Make Noise but Have Little Impact on War

The Cloud Security Alliance creates a dedicated nonprofit to govern autonomous AI agent ecosystems through risk intelligence and certification.

CSA Launches CSAI Foundation for AI Security

TeamPCP is the likely cyber threat actor behind attacks on Trivy, Checkmarx's KICS and VS Code plug-ins, and the LiteLLM AI library — and all signs point to more attacks to come.

Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit

Security vendors have spent years building up defenses around the endpoint, but one researcher says AI coding tools have brought the walls down.

How AI Coding Tools Crushed the Endpoint Security Fortress

TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.
Multiple security vendors, including Endor Labs and JFrog, revealed that litellm versions 1.82.7 and 1.82.8 were published on March

TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise

A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique.
"The campaign abuses Google Ads to serve rogue ScreenConnect (

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

On February 25, 2026, Gartner published its inaugural Market Guide for Guardian Agents, marking an important milestone for this emerging category. For those unfamiliar with the various Gartner report types, “a Market Guide defines a market and explains what clients can expect it to do in the short term. With the focus on early, more chaotic markets, a Market Guide does not rate or position

5 Learnings from the First-Ever Gartner Market Guide for Guardian Agents

An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers.
"The campaign uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails," Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said in a report shared

Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner

An AI-assisted campaign is spreading more than 300 poisoned packages for diverse assets ranging from developer tools to game cheats.

GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead

JPMorganChase uses digital fingerprints and digital twins to spot online attackers and malicious behaviors while also reducing pesky false alerts.

How a Large Bank Uses AI Digital Twins for Threat Hunting

Companies need better controls to manage key threats rising from the growth of agentic AI. These new features provide a starting point.

Microsoft Proposes Better Identity, Guardrails for AI Agents

Cybersecurity has changed fast. Roles are more&nbsp;specialized, and tooling is more advanced. On paper, this should make organizations more secure. But in practice, many teams struggle with the same basic problems they faced years ago: unclear risk priorities, misaligned tooling decisions, and difficulty explaining security issues in terms the business understands. 
These challenges do not

Cybersecurity has changed fast. Roles are more specialized, and tooling is more advanced. On paper, this should make organizations more secure. But in practice, many teams struggle with the same basic problems they faced years ago: unclear risk priorities, misaligned tooling decisions, and difficulty explaining security issues in terms the business understands. 
These challenges do not

The Hidden Cost of Cybersecurity Specialization: Losing Foundational Skills

Dr Richard Horne delivered a keynote about cyber risks and opportunities at the RSAC Conference in San Francisco

NCSC CEO: Seize 'disruptive' vibe coding opportunity to make software more secure

If ‘vibe coding’ disrupts the software market like SaaS did 20 years ago, what does this mean for cyber security?

Vibe check: AI may replace SaaS (but not for a while)

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-083-01.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges.</strong></p>
<p>The following versions of Pharos Controls Mosaic Show Controller are affected:</p>
<ul>
<li>Mosaic Show Controller Firmware 2.15.3 (CVE-2026-2417)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 9.8</td>
<td>Pharos Controls</td>
<td>Pharos Controls Mosaic Show Controller</td>
<td>Missing Authentication for Critical Function</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Commercial Facilities</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>United Kingdom</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2026-2417</a></h3>
<div class="csaf-accordion-content">
<p>A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2026-2417">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>Pharos Controls Mosaic Show Controller</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>Pharos Controls</div>
<div class="ics-version"><strong>Product Version:</strong><br>Pharos Controls Mosaic Show Controller Firmware: 2.15.3</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later.</p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/306.html">CWE-306 Missing Authentication for Critical Function</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>9.8</td>
<td>CRITICAL</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>James Tully reported this vulnerability to CISA</li>
</ul>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolating them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.</p>
<p>Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<p>CISA also recommends users take the following measures to protect themselves from social engineering attacks:</p>
<p>Do not click web links or open attachments in unsolicited email messages.</p>
<p>Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.</p>
<p>Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.</p>
<p>No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.</p>
<hr>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-03-24</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-03-24</td>
<td>1</td>
<td>Initial Publication</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges.
The following versions of Pharos Controls Mosaic Show Controller are affected:
Mosaic Show Controller Firmware 2.15.3 (CVE-2026-2417)
CVSS
Vendor
Equipment
Vulnerabilities




v3 9.8
Pharos Controls
Pharos Controls Mosaic Show Controller
Missing Authentication for Critical Function




Background
Critical Infrastructure Sectors: Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United Kingdom
Vulnerabilities
Expand All +
CVE-2026-2417
A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.
View CVE Details
Affected Products
Pharos Controls Mosaic Show Controller
Vendor:
Pharos Controls
Product Version:
Pharos Controls Mosaic Show Controller Firmware: 2.15.3
Product Status:
known_affected
Remediations
Mitigation
Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H








Acknowledgments
James Tully reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-03-24
Date
Revision
Summary




2026-03-24
1
Initial Publication




Legal Notice and Terms of Use

Blog