Latest

Suspicious Polyfill login prompts pop up on Toshiba, Muji websites (BleepingComputer · 7h ago)
Former cyber executive turned whistleblower accuses IBM of covering up several data breaches (TechCrunch Security · 8h ago)
CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers (BleepingComputer · 9h ago)
Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account (HackRead · 9h ago)
Chinese APT deploys new malware to keep access to hacked networks (BleepingComputer · 10h ago)
IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks (The Hacker News · 10h ago)
Dark web Nemesis Market vendor gets 26 years for selling drugs (BleepingComputer · 11h ago)
Atlas Menu Data Breach Exposes 64,000 GTA V and CS2 Cheat Service Users (HackRead · 11h ago)
Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum (Rapid7 · 11h ago)
Securing CI/CD in an agentic world: Claude Code Github action case (Microsoft Security · 12h ago)
Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person (TechCrunch Security · 12h ago)
Android Spyware Asin Targets Arabic Users via Fake News, PDF and War Map Apps (The Hacker News · 14h ago)
Over 900 US gas station tank gauge systems exposed to attacks (BleepingComputer · 14h ago)
NSA said to be readying Anthropic’s Mythos for use in cyber operations (TechCrunch Security · 14h ago)
What 2026 DBIR Confirms: Attacks Are Living in the Browser (BleepingComputer · 14h ago)

Security & IT News

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

Vulnerability · The Hacker News · 8d ago
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said. "Threat actors disguised the credential stealer payload as a Fortinet endpoint

🦠 Malware · Microsoft Security · 8d ago
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

Ransomware that combines robust encryption with rapid lateral movement significantly increases the risk and impact of an attack. The Gentlemen ransomware is a ransomware-as-a-service (RaaS) threat that is distinguished by its ability to pair its strong per-file encryption with an aggressive self-propagation capability designed to enable broad network compromise. In addition to using per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using a series of simultaneous, distinct lateral movement methods, increasing the likelihood of widespread impact once initial access is achieved.

Microsoft Threat Intelligence tracks the operators behind the ransomware as Storm-2697, a financially motivated threat actor that manages the RaaS platform known as “The Gentlemen” while affiliates carry out attacks. Emerging around mid-2025, The Gentlemen initially started as a closed ransomware group then began offering its RaaS to affiliates in September 2025. More recently, The Gentlemen operators established an official partnership with BreachForums, a popular cybercriminal marketplace, to recruit affiliates including penetration testers and initial access brokers. Given that The Gentlemen is already a widely adopted RaaS platform, this partnership may lead to increased activity as the program becomes accessible to a broader pool of threat actors.

The operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information to pressure victims through the threat of public release if the ransom is not paid. The ransomware is written in Go and obfuscated with Garble to target the Windows environment. Microsoft has observed The Gentlemen ransomware impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

In this blog, we present a detailed analysis of the Gentlemen ransomware encryptor, including its execution flow, defense evasion behaviors, encryption design, and lateral movement techniques. This research is intended to provide defenders, incident responders, and the broader security community with a better understanding of how the threat operates, from initial argument parsing and defense evasion, through its file encryption internals, to the full lateral movement that enables it to propagate across the network. We also provide mitigation guidance, Microsoft Defender detections, hunting queries, and indicators of compromise (IOCs) to help organizations defend against this threat and similar ransomware activity.

Pre-encryption

Command-line argument processing

The ransomware operator can control T

🧪 Research · The Hacker News · 8d ago
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal

Microsoft has come out strongly in favor of Coordinated Vulnerability Disclosure (CVD), urging the research community to share their findings and give affected vendors an opportunity to better understand the impact and address them before they are publicly disclosed. The development comes after a researcher named Chaotic Eclipse (aka Nightmare-Eclipse) disclosed details of multiple zero-day

Vulnerability · The Hacker News · 8d ago
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More

Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile some researcher casually drops a technique that turns a "minor" foothold into total account

Vulnerability · Rapid7 · 8d ago
Experts on Experts: Why Compliance is becoming Continuous

This week on Experts on Experts, I’m joined by Sergio Alonso – Rapid7’s Director of Trust, Risk, and Compliance – to talk about how compliance is changing and why many security teams are rethinking the way they approach readiness, reporting, and operational risk.

One of the biggest themes in the conversation is that compliance is no longer something organizations can treat as a point-in-time exercise. Frameworks like NIS2 and DORA are increasing expectations around resilience and accountability, while cloud environments and faster release cycles make it harder to prove that controls are working consistently over time.

We also discuss the growing gap between security operations and compliance reporting. Security teams generate huge amounts of operational data every day, but translating that into evidence regulators, auditors, and leadership teams can actually use remains a challenge. The conversation looks at how organizations are trying to reduce manual effort, where automation can genuinely help, and why visibility and ownership are becoming more important as regulatory pressure grows.

Organizations still treat compliance as separate from day-to-day security operations, and the teams making the most progress are bringing those two worlds closer together, treating compliance less like a reporting layer and more like part of the operational workflow itself.

Watch the full episode below to hear the full conversation and how organizations are approaching compliance, risk, and resilience heading into 2026.

Vulnerability · CISA · 8d ago
Supply Chain Compromises Impact Nx Console and GitHub Repositories

CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems and Continuous Integration/Continuous Development (CI/CD) pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code (VS Code) extension and the “Megalodon” supply chain intrusion campaign, demonstrate how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments—specifically CI/CD pipelines, code extensions and workflows.

Threat actors leveraged a prior compromise of Nx developer systems to compromise a GitHub employee’s device through a poisoned third-party VS Code extension, resulting in unauthorized access and exfiltration of internal GitHub repositories. The malicious extension version (18.95.0) was distributed through VS Code’s automatic update mechanism, meaning systems with Nx Console previously installed may have received the malicious build without developers taking any manual installation action. GitHub released a security advisory (https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w) on this activity, and CVE-2026-48027 (https://www.cve.org/CVERecord?id=CVE-2026-48027) has been assigned to the malicious version of Nx Console and added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

Additionally, in a campaign known as “Megalodon,” a cyber threat actor injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens, impacting both development and deployment pipelines in public GitHub repositories.

CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:

• Monitor and audit workflow files and contributor activity for suspicious pull requests and direct commits, particularly those authored by automated accounts.
• Revert unauthorized changes, especially from automated accounts, e.g., build-bot, auto-ci, ci-bot, pipeline-bot and especially those made after May 18, 2026.

If your organization discovers a compromise resulting from previously compromised GitHub or Nx Console software, CISA recommends the following steps:

• Conduct a forensics review of CI/CD logs, cloud audit trails, and affected developer machines.
• Rotate/revoke all secrets including: all credentials, tokens, and secrets accessible to CI/CD pipelines, including API keys, cloud provider credentials (Amazon Web Services, Google Cloud Platform, Microsoft Azure), SSH keys, Docker/npm/PyPI/Vault/Terraform/Kubernetes tokens, GitHub/GitLab/Bitbucket tokens, and developer or pipeline secrets.
• Notify proper stakeholders if necessary.

CISA recommends the followin

Vulnerability · CISA · 8d ago
MacGregor Voyage Data Recorder (VDR) G4e

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json

Summary

Successful exploitation of these vulnerabilities could result in an attacker gaining administrator access to the device.

The following versions of MacGregor Voyage Data Recorder (VDR) G4e are affected:

• MacGregor Voyage Data Recorder (VDR) G4e

CVSS: v3 8.3
Vendor: Danelec
Equipment: MacGregor Voyage Data Recorder (VDR) G4e
Vulnerabilities: Use of Default Credentials, Insufficiently Protected Credentials, Use of Password Hash With Insufficient Computational Effort, Use of Hard-coded Credentials, Files or Directories Accessible to External Parties

Background

• Critical Infrastructure Sectors: Transportation Systems
• Countries/Areas Deployed: Worldwide
• Company Headquarters Location: Denmark

Vulnerabilities

CVE-2026-42941

The VDR device includes a default username and password, with no enforced password change.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-42941

Affected Products

MacGregor Voyage Data Recorder (VDR) G4e

Vendor: Danelec
Product Version: Danelec MacGregor Voyage Data Recorder (VDR) G4e: <V5.250
Product Status: known_affected

Remediations

Vendor fix: Danelec, which owns MacGregor, has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions: https://www.danelec.com/contact

Relevant CWE: CWE-1392 Use of Default Credentials (https://cwe.mitre.org/data/definitions/1392.html)

Metrics

CVSS Version

Vulnerability · CISA · 8d ago
KMW CCTV Security Cameras

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-06.json

Summary

Successful exploitation of this vulnerability may grant full unauthorized access to camera feeds and settings.

The following versions of KMW CCTV Security Cameras are affected:

• KM-IP521 IPCAM_V4.04.91.230307
• KM-IP421 IPCAM_V4.04.53.210416

CVSS: v3 9.1
Vendor: KMW
Equipment: KMW CCTV Security Cameras
Vulnerabilities: Unverified Password Change

Background

• Critical Infrastructure Sectors: Commercial Facilities, Government Services and Facilities, Critical Manufacturing, Financial Services, Transportation Systems
• Countries/Areas Deployed: Worldwide
• Company Headquarters Location: Romania

Vulnerabilities

CVE-2026-5386

The affected product is vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-5386

Affected Products

KMW CCTV Security Cameras

Vendor: KMW
Product Version: KMW KM-IP521: IPCAM_V4.04.91.230307, KMW KM-IP421: IPCAM_V4.04.53.210416
Product Status: known_affected

Remediations

Mitigation: KMW has issued a firmware update to address this vulnerability. The firmware update can be found at https://main.kmw.ro/pub/Firmware/521_421.zip.

Vendor fix: KM-IP421 will lose the cloud authorization after this update, so users will need to contact customer support to re-authorize the P2P connection.

Mitigation: KMW recommends connecting surveillance equipment on a separate network, allowing only specific devices access to the internet, checking for firmware updates regularly, and using cloud connections responsibly.

Mitigation: If there are any issues customers are encouraged to contact

Vulnerability · CISA · 8d ago
XCharge C6

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-08.json

Summary

Successful exploitation of these vulnerabilities could allow an attacker to gain administrator rights or execute code on the affected device.

The following versions of XCharge C6 are affected:

• C6

CVSS: v3 9.8
Vendor: XCharge
Equipment: XCharge C6
Vulnerabilities: Download of Code Without Integrity Check, Stack-based Buffer Overflow, Initialization of a Resource with an Insecure Default

Background

• Critical Infrastructure Sectors: Transportation Systems
• Countries/Areas Deployed: Worldwide
• Company Headquarters Location: United States

Vulnerabilities

CVE-2026-9037

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-9037

Affected Products

XCharge C6

Vendor: XCharge
Product Version: XCharge C6: <May_22_2026
Product Status: known_affected

Remediations

Mitigation: XCharge has confirmed that the update has been deployed for all affected chargers. Users with questions can reach out to XCharge Support for further details if needed. https://www.xcharge.com/contact

Relevant CWE: CWE-494 Download of Code Without Integrity Check (https://cwe.mitre.org/data/definitions/494.html)

Metrics

CVSS Version

Vulnerability · CISA · 8d ago
CP Plus 8 Ch. Network Video Recorder

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-05.json

Summary

Successful exploitation of this vulnerability allows an attacker's malicious script to execute in the browser of any authenticated user or administrator who accesses the affected interface. This could lead to compromise of user sessions, execution of unauthorized actions with the victim's privileges, exposure or manipulation of sensitive data, and degradation of overall system integrity.

The following versions of CP Plus 8 Ch. Network Video Recorder are affected:

• CP-UNR-108F1 Hardware V1.0
• CP-UNR-108F1 Web V3.2.7.128806
• CP-UNR-108F1 System V4.001.00AT009.0.R

CVSS: v3 8.4
Vendor: CP Plus
Equipment: CP Plus 8 Ch. Network Video Recorder
Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background

• Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Emergency Services
• Countries/Areas Deployed: India, Nepal, United Arab Emirates, Gambia
• Company Headquarters Location: India

Vulnerabilities

CVE-2026-6824

A stored Cross-Site Scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-6824

Affected Products

CP Plus 8 Ch. Network Video Recorder

Vendor: CP Plus
Product Version: CP Plus CP-UNR-108F1 Hardware: V1.0, CP Plus CP-UNR-108F1 Web: V3.2.7.128806, CP Plus CP-UNR-108F1 System: V4.001.00AT009.0.R
Product Status: known_affected

Remediations

Mitigation: CP Plus recommends updating the firmware on the device to the latest firmware version.

Mit

Vulnerability · CISA · 8d ago
Fourth Frontier Frontier X Mobile Application, Frontier X2

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-148-01.json

Summary

Successful exploitation of this vulnerability could allow an attacker to read and write arbitrary handle values and change clinical readings, which could result in taking control of the device and lead to patient harm.

The following versions of Fourth Frontier Frontier X Mobile Application, Frontier X2 are affected:

• Frontier X Android application vers <v15.0.0
• Frontier X IOS application vers <v25.0.0
• Frontier X2 vers:all/*

CVSS: v3 8.8
Vendor: Fourth Frontier
Equipment: Fourth Frontier Frontier X Mobile Application, Frontier X2
Vulnerabilities: Missing Authentication for Critical Function

Background

• Critical Infrastructure Sectors: Healthcare and Public Health
• Countries/Areas Deployed: Worldwide
• Company Headquarters Location: United States

Vulnerabilities

CVE-2026-5768

The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-5768

Affected Products

Fourth Frontier Frontier X Mobile Application, Frontier X2

Vendor: Fourth Frontier
Product Version: Fourth Frontier Frontier X Android application: <v15.0.0, Fourth Frontier Frontier X IOS application: <v25.0.0, Fourth Frontier Frontier X2: vers:all/*

Vulnerability · CISA · 8d ago
ABB Busch-Welcome 2 Wire Door Opener Actuator

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-04.json

Summary

ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could gain physical, unauthorized access to a building where the product is installed.

The following versions of ABB Busch-Welcome 2 Wire Door Opener Actuator are affected:

• Switch Actuator 4 DU vers:all/*
• Switch actuator, door/light 4 DU vers:all/*

CVSS: v3 6.8
Vendor: ABB
Equipment: ABB Busch-Welcome 2 Wire Door Opener Actuator
Vulnerabilities: Active Debug Code

Background

• Critical Infrastructure Sectors: Commercial Facilities
• Countries/Areas Deployed: Worldwide
• Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-7705

Authentication bypass due to compatibility mode enabled by default.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-7705

Affected Products

ABB Busch-Welcome 2 Wire Door Opener Actuator

Vendor: ABB
Product Version: Switch Actuator 4 DU -83330 - All Versions, Switch actuator, door/light 4 DU -83330-500 - All Versions
Product Status: known_affected

Remediations

Mitigation: The following actions need to be executed on the premises where the respective Busch-Welcome® System is installed:

• While the Busch-Welcome® System is in operation, toggle the mode switch on the product from “Door-Open” mode to “Light” mode, wait one second and switch back to “Door-Open” mode.
• Restart the Busch-Welcome® System with a power reset (mains power off and on again).

By executing the above steps, the system will recalibrate itself during boot up and will correct the misconfiguration automatically. ABB recommends that customers apply the above listed actions at the earliest convenience.

Relevant CWE: CWE-489 Active Debug Code (https://cwe.mitre.org/data/definitions/489.html)

Metrics

Vulnerability · CISA · 8d ago
Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-02.json

Summary

Successful exploitation of this vulnerability could result in an attacker gaining administrator access to the device.

The following versions of Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter are affected:

• USR-W610 RS232/485 to Wi-Fi/Ethernet Converter 7.03T.07

CVSS: v3 9.8
Vendor: Jinan USR IOT Technology Limited (PUSR)
Equipment: Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
Vulnerabilities: Use of Hard-coded Credentials

Background

• Critical Infrastructure Sectors: Critical Manufacturing
• Countries/Areas Deployed: Worldwide
• Company Headquarters Location: China

Vulnerabilities

CVE-2026-7786

The device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-7786

Affected Products

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

Vendor: Jinan USR IOT Technology Limited (PUSR)
Product Version: Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter: 7.03T.07
Product Status: known_affected

Remediations

Mitigation: Jinan USR IOT Technology Limited (PUSR) did not respond to CISA's attempts at coordination. Users of PUSR USR-W610 devices are encouraged to contact PUSR and keep their systems up to date.

Relevant CWE: CWE-798 Use of Hard-coded Credentials (https://cwe.mitre.org/data/definitions/798.html)

Metrics

CVSS Version, Base Score, Base Severity

Vulnerability · CISA · 8d ago
Schneider Electric EcoStruxure Machine Expert HVAC

[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-07.json)

Summary

Schneider Electric is aware of a vulnerability in its EcoStruxure™ Machine Expert HVAC product. The [EcoStruxure™ Machine Expert HVAC](https://www.se.com/ww/en/download/document/EcoStruxureME_HVAC/) product is programming software for Modicon M171-M172 logic controllers. Failure to apply the remediation provided below risks revealing sensitive information, which could result in disclosing protected source code, leading to loss of confidentiality.

The following versions of Schneider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01) are affected:
- EcoStruxure™ Machine Expert HVAC versions <1.10.0

| CVSS | Vendor | Equipment | Vulnerabilities |
| --- | --- | --- | --- |
| v3 5.5 | Schneider Electric | Schneider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01) | Cleartext Storage of Sensitive Information |

Background
- Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities

CVE-2026-6332

A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information, which could result in revealing protected source code and loss of confidentiality, when an authorized attacker accesses the source code for editing or compiling it.

[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-6332)

Affected Products

Schneider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01)
Vendor: Schneider Electric
Product Version: EcoStruxure™ Machine Expert HVAC Versions prior to 1.10.0
Product Status: fixed, known_affected

Remediations

Vendor fix
Version 1.10.0 of EcoStruxure™ Machine Expert HVAC includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/download/document/EcoStruxureME_HVAC_1_10_0/