
Security & IT News


Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

753 results in Vulnerability

Vulnerability · The Hacker News · 22d ago
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. "

Vulnerability · The Hacker News · 22d ago
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It's

Vulnerability · Rapid7 · 22d ago
CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS

Overview

On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0265, a signature verification vulnerability that facilitates authentication bypass on PAN-OS, the operating system that most Palo Alto Networks firewalls run. This vulnerability allows a remote unauthenticated attacker with network access to bypass authentication when Cloud Authentication Service (CAS) is enabled and attached to a login interface; the vulnerable configuration is non-default but common. CVE-2026-0265 affects PAN-OS on PA-Series and VM-Series firewalls, as well as Panorama (virtual and M-Series) appliances. Cloud NGFW and Prisma Access are not affected.

Palo Alto Networks assigned CVE-2026-0265 a “High” 7.2 CVSS score. The advisory states that the vulnerability’s severity scoring depends on interface exposure; according to the vendor, risk is highest for unrestricted management interfaces equipped with CAS, while other login portals, such as GlobalProtect gateways, are lower risk. However, the researcher who reported the vulnerability, Harsh Jaiswal of HacktronAI, publicly disputed the vendor’s severity rating. Jaiswal stated on social media that the vulnerability advisory misrepresents the criticality of the bug and the affected components; according to the HacktronAI research team, they successfully exploited CVE-2026-0265 to bypass authentication controls on multiple corporations’ GlobalProtect portals and establish VPN access. Jaiswal stated that internet-facing components are affected, and HacktronAI plans to disclose full technical details the week of May 18.

As of May 14, Palo Alto Networks has not confirmed exploitation in-the-wild of CVE-2026-0265, and there is no public proof-of-concept exploit available. However, given the researcher's statements about the practical exploitability of this vulnerability and the pending disclosure of technical details, this will likely evolve. PAN-OS software has been a frequent target for threat actors; on May 6, 2026, the PAN-OS vulnerability CVE-2026-0300 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Patches for many affected version streams were published on May 13, and the remaining patches are expected on May 28, 2026.

Mitigation guidance

Organizations running PA-Series or VM-Series firewalls, or Panorama (virtual and M-Series) appliances, with Cloud Authentication Service (CAS) enabled should upgrade to a fixed version on an emergency basis. Patches are partially available, with many version stream fixes published on May 13 and additional version stream coverage expected on May 28. The following table outlines the affected and fixed versions:

PAN-OS version | Affected | Fixed
12.1 | 12.1.4-h5; 12.1.7 | = 12.1.4-h5; = 12.1.7 (ETA: 05/28)
11.2 | 11.2.4-h17; 11.2.7-h13; 11.2.10-h6; 11.2.12 | = 11.2.4-h17 (ETA: 05/28); = 11.2.7-h13; = 11.2.10-h6; = 11.2.12 (ETA: 05/28)
11.1 | 11.1.4-h33; 11.1.6-h32; 11.1.7-h6; 11.1.10-h25; 11.1.13-h5; 11.1.15 | = 11.1.4-h33; = 11.1.6-h32; = 11.1.7-h6 (ETA: 05/28); = 11.1.

Vulnerability · The Hacker News · 22d ago
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0. "A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly

Vulnerability · The Hacker News · 22d ago
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories

Everything is still on fire. This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels new. Half of it feels like crap we should have fixed years ago. The mess keeps getting louder: users get tricked, boxes get popped, tools meant for normal work

Vulnerability · Rapid7 · 22d ago
The Dark Side of Efficiency: When Network Controllers Become "God Mode" for Attackers

Imagine you build a massive corporate campus with every security control money can buy. Blast resistant doors. Biometric scanners. Guards at every entrance. Maybe something similar to the infamous Death Star. On paper, it looks fantastic. Then, somewhere along the way, somebody decides the maintenance team needs a universal key that opens every door in the building without setting off any alarms. That certainly makes operations easier, but it also means one mistake, one compromise (like a well placed photon torpedo), or one very bad decision can unravel the whole thing. That is basically the problem we keep running into in modern enterprise networking.

Why SD-WAN controllers create concentrated risk

This week, Rapid7 researchers Stephen Fewer and Jonah Burgess disclosed CVE-2026-20182, a maximum severity (CVSS 10.0) vulnerability in the Cisco Catalyst SD-WAN Controller. The technical details matter, and quite a bit, at that, but the bigger lesson here is even more important. This bug is a reminder that we keep designing infrastructure for efficiency first and then acting surprised when attackers go after the one component that controls everything.

To put it simply, the flaw behaves like a master key. An attacker can present themselves to the controller as a trusted network router and, if the system accepts that claim without properly validating it, they can obtain the highest level of administrative access. That is the cybersecurity version of a Jedi mind trick. The controller is effectively told to trust something it has no business trusting, as if an attacker waves a hand and says, “these are not the droids you are looking for”. And with CVE-2026-20182, the controller just nods and lets them pass.

And that becomes extremely important when you look at how these environments are built. A decade ago, managing a global enterprise network meant touching thousands of individual routers across branch locations. It was slow, error-prone, and frankly a little miserable for the people responsible for keeping it all running. So the industry did what the industry usually does. We centralized control. We pulled the decision-making out of all those edge devices and moved it into a central controller. From an operations standpoint, that was a huge win. I will gladly give credit where it is due. SD-WAN solved real problems. It also created a very attractive target.

Why central management platforms are attractive targets

Once you move the brains of the operation into a single place, that place becomes the thing an attacker wants most. Compromising one branch router is useful. Compromising the controller that manages the entire estate is a very different conversation. Now you are talking about the ability to reroute traffic, intercept communications, push malicious configuration, or simply break connectivity across the whole organization. That is the real paradox here. The same architecture that gives defenders scale and simplicity can also give attackers a s

Vulnerability · Microsoft Security · 22d ago
When configuration becomes a vulnerability: Exploitable misconfigurations in AI apps

AI and agentic application deployments on cloud-native platforms are increasing, and they often prioritize speed over secure configuration. Our observations from aggregated and anonymized Microsoft Defender for Cloud signals showed cases where AI services were publicly exposed with weak or missing authentication, creating exploitable misconfigurations that attackers actively abused. These issues enabled low-effort, high-impact outcomes such as remote code execution, credential theft, and access to sensitive internal tools and data.

Exploitable misconfigurations bypass traditional vulnerability models, allowing threat actors to leverage them without using sophisticated techniques or zero-days. Organizations should therefore surface these misconfigurations early to reduce their attack surface and protect their critical AI workloads. Defender for Cloud can help customers identify and prioritize risks associated with such misconfigurations by detecting exposed Kubernetes services and unsafe deployment patterns.

In this blog, we look at examples of exploitable misconfigurations we’ve observed in some of the popular AI applications and platforms. We also provide practical guidance on how to deploy AI agents securely.

Background

AI and agentic applications are being rolled out at scale, moving rapidly from experimentation to broadly deployed systems. These applications are no longer isolated components; rather, they sit at the center of workflows, automation, and decision-making across organizations. Based on our observation of the aggregated and anonymized signals coming from Microsoft Defender for Cloud, many of the AI deployments in real-world environments run on cloud-native infrastructure, with Kubernetes emerging as the preferred operating layer for AI workloads. This finding aligns with Cloud Native Computing Foundation’s research, which shows that organizations rely heavily on Kubernetes clusters to run their AI workloads.

As AI applications become connected to more internal systems and data sources, the impact of mistakes increases: a single misconfiguration could not only expose an application endpoint, it could also allow access to sensitive data, infrastructure, or operational capabilities behind it. In practice, many of the most dangerous risks in AI environments don’t come from novel attack techniques or zero-day vulnerabilities. Instead, they stem from exploitable misconfigurations—user’s configuration choices that make powerful capabilities externally reachable when insufficiently protected, creating clear paths to abuse.

What is an exploitable misconfiguration?

We use the term exploitable misconfiguration to describe a configuration issue where public exposure (for example, an intern

Vulnerability · The Hacker News · 22d ago
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike

The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057

Vulnerability · CISA · 22d ago
Siemens Siemens ROS#

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-08.json

Summary

ROS# contains a ROS service file_server, that before version 2.2.2 contains a path traversal vulnerability which could allow an attacker to access, i.e. read and write, arbitrary files, which are accessible with the user rights of the user that runs the service, on the system that hosts service. Siemens has released a new version for ROS# and recommends to update to the latest version.

The following versions of Siemens Siemens ROS# are affected:

- ROS# vers:intdot/<2.2.2

CVSS: v3 9.1
Vendor: Siemens
Equipment: Siemens Siemens ROS#
Vulnerabilities: Relative Path Traversal

Background

- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-41551

Affected versions contain a path traversal vulnerability because user input is not properly sanitized. This could allow a remote attacker to access arbitrary files on the device.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-41551

Affected Products

Siemens Siemens ROS#
Vendor: Siemens
Product Version: ROS#
Product Status: known_affected

Remediations

Mitigation: For versions before 2.2.2:
- run file_server on a trusted network only.
- run file_server with appropriate user rights.
- run file_server only for tasks it was designed for, transferring URDF files from ROS host to target system, not as a service that runs continuously in the background.
- run file_server only if manually transferring files is not possible.

Vendor fix: Update to V2.2.2 or later version
https://github.com/siemens/ros-sharp/releases/tag/2.2.2

Relevant CWE: CWE-23 Relative Path Traversal (https://cwe.mitre.org/data/definitions/23.html)

Metrics

Vulnerability · CISA · 22d ago
Universal Robots Polyscope 5

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-17.json

Summary

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code.

The following versions of Universal Robots Polyscope 5 are affected:

- Polyscope 5 <5.25.1

CVSS: v3 9.8
Vendor: Universal Robots
Equipment: Universal Robots Polyscope 5
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Background

- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Denmark

Vulnerabilities

CVE-2026-8153

OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-8153

Affected Products

Universal Robots Polyscope 5
Vendor: Universal Robots
Product Version: Universal Robots Polyscope 5: <5.25.1
Product Status: known_affected

Remediations

Vendor fix: Universal Robots has released Polyscope 5 version 5.25.1. For more information, see Universal Robots article: https://www.universal-robots.com/articles/ur/cybersecurity/cve-2026-8153-command-injection-in-the-polyscope-5-dashboard-server/.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (https://cwe.mitre.org/data/definitions/78.html)

Metrics

Vulnerability · CISA · 22d ago
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2026-20182 (https://www.cve.org/CVERecord?id=CVE-2026-20182) Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Note: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems (https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems) and Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems (https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems). Adhere to the applicable Binding Operational Directive (BOD) 22-01 (https://www.cisa.gov/binding-operational-directive-22-01) guidance for cloud services or discontinue use of the product if mitigations are not available.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).

Vulnerability · CISA · 22d ago
Siemens gWAP

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-01.json

Summary

Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, namely the Axios HTTP client library. The vulnerability stems from a specific "Gadget" attack chain that allows prototype pollution in other third-party libraries, potentially allowing an attacker to execute arbitrary code. Siemens has released a new version for gWAP and recommends to update to the latest version.

The following versions of Siemens gWAP are affected:

- gWAP vers:intdot/<3.1.1

CVSS: v3 8
Vendor: Siemens
Equipment: Siemens gWAP
Vulnerabilities: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Background

- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-40175

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-40175

Affected Products

Siemens gWAP
Vendor: Siemens
Product Version: gWAP
Product Status: known_affected

Remediations

Vendor fix: Update to V3.1.1 or later version
https://support.sw.siemens.com/product/284395347/

Relevant CWE: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') (https://cwe.mitre.org/data/definitions/113.html)

Metrics

Vulnerability · CISA · 22d ago
Siemens SIMATIC

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-10.json

Summary

SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released a new version for SIMATIC CN 4100 and recommends to update to the latest version.

The following versions of Siemens SIMATIC are affected:

- SIMATIC CN 4100 vers:intdot/<5.0

CVSS: v3 9.6
Vendor: Siemens
Equipment: Siemens SIMATIC
Vulnerabilities: NULL Pointer Dereference, Reachable Assertion, Use After Free, Out-of-bounds Write, Integer Overflow or Wraparound, Allocation of Resources Without Limits or Throttling, Out-of-bounds Read, Covert Timing Channel, Stack-based Buffer Overflow, Inefficient Algorithmic Complexity, Missing Release of Memory after Effective Lifetime, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Locking, Uncontrolled Recursion, Buffer Access with Incorrect Length Value, Race Condition within a Thread, Missing Synchronization, Use of Uninitialized Resource, Double Free, Missing Release of Resource after Effective Lifetime, Loop with Unreachable Exit Condition ('Infinite Loop'), Improper Update of Reference Count, Improper Control of a Resource Through its Lifetime, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), Unexpected Status Code or Return Value, Divide By Zero, Improper Validation of Specified Index, Position, or Offset in Input, Comparison Using Wrong Factors, Observable Timing Discrepancy, Improper Validation of Syntactic Correctness of Input, Deadlock, Signal Handler Race Condition, Improper Following of Specification by Caller, Improper Check for Dropped Privileges, Transmission of Private Resources into a New Sphere ('Resource Leak'), Improper Resource Shutdown or Release, Improper Access Control, Exposure of Sensitive Information to an Unauthorized Actor, Relative Path Traversal, Improper Neutralization of Escape, Meta, or Control Sequences, Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'), Uncontrolled Resource Consumption, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Missing Authentication for Critical Function, Improper Check for Unusual or Exceptional Conditions

Background

- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Ger

Vulnerability · CISA · 22d ago
Siemens SIMATIC S7 PLC Web Server

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-15.json

Summary

SIMATIC S7 PLCs contain multiple vulnerabilities in the web server that could allow an attacker to perform cross-site scripting attacks. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.

The following versions of Siemens SIMATIC S7 PLC Web Server are affected:

- SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) vers:all/* (CVE-2

Vulnerability · CISA · 22d ago
Siemens Ruggedcom Rox

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-12.json

Summary

Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens Ruggedcom Rox are affected:

- RUGGEDCOM ROX MX5000 vers:intdot/<2.17.1
- RUGGEDCOM ROX MX5000RE vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1400 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1500 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1501 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1510 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1511 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1512 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1524 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1536 vers:intdot/<2.17.1
- RUGGEDCOM ROX RX5000 vers:intdot/<2.17.1

CVSS: v3 9.1
Vendor: Siemens
Equipment: Siemens Ruggedcom Rox
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Background

- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-40949

Affected devices do not properly sanitize user-supplied input in the Scheduler functionality of the Web UI, allowing commands to be injected into the task scheduling backend. This could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-40949

Affected Products

Siemens Ruggedcom Rox

Vendor: Siemens
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX