This is an advance notification of unspecified vulnerabilities in Catalyst Center and Secure Endpoint to be disclosed on July 1, 2026. Specific technical impact cannot be assessed until the actual vulnerability advisories are published.
An authenticated attacker could bypass access controls and modify critical program parameters on the myREX24V2 controller, potentially altering equipment behavior, process setpoints, or causing operational disruptions.
An attacker with network access to the device could modify critical settings and repeatedly disrupt operations, causing the cellular meter to lose communications and stop reporting usage data.
An attacker with local access to a system could exploit a malicious DLL file to perform unauthorized actions on the affected ABB control systems, potentially altering configurations or disrupting operations.
An attacker could run arbitrary code on the PTC camera, allowing them to disable video feeds, capture credentials, redirect streams to unauthorized locations, or use the device as a pivot point into your network infrastructure.
An attacker could trick a user into opening a malicious .ctl file in DAQFactory, leading to arbitrary code execution on the system where DAQFactory is running. This could allow the attacker to alter control logic, disable alarms, or shut down critical processes.
An attacker within Bluetooth range could intercept health data transmitted by the glucose monitor or prevent patients from connecting their devices, disrupting diabetes management monitoring.
An attacker could flood the EtherNet/IP module with TCP connections, causing memory errors and disabling communication on the PLC module. This could halt process control if the module is critical to network communication or synchronization.
An attacker could flood the Ethernet module with packets to overwhelm it, causing the communication function to stop and disrupting data exchange between your PLC and other network devices. This could halt remote monitoring, control commands, or inter-device communication depending on your network architecture.
An attacker with administrative credentials could execute arbitrary code on your ISE or ISE Passive Identity Connector, gaining full control over your identity and access control system, which could allow them to bypass authentication or impersonate authorized users.
An attacker on your network can send specially crafted commands to a Serial Device Server to disrupt active serial sessions, causing loss of communication with connected equipment like PLCs, RTUs, or other serial devices. This could interrupt process monitoring or control operations depending on what devices are connected.
An attacker with network access to the Moxa Serial Device Server web interface could execute arbitrary commands with root privileges on the device, potentially disrupting serial-to-network communication and affecting any connected industrial equipment relying on this gateway. Memory disclosure via format string injection could reveal system information used to bypass security protections on the device.
An authenticated attacker can send a malicious JSON request to the WebSocket API on your serial device server, causing the device to become unavailable or reboot unexpectedly, disrupting communications from legacy serial equipment to your network.
An attacker with network access to RSLinx Classic could execute arbitrary code on the engineering workstation, potentially allowing them to modify control logic, alter process setpoints, or disrupt communication with PLCs and other control devices.
An attacker with network access could execute commands on the historian server or modify historical process data, potentially disrupting data logging for critical operations and enabling tampering with audit records that document plant activity.
An attacker could remotely trigger a major nonrecoverable fault on your PLC, stopping process execution and potentially requiring manual intervention to recover. This could result in extended downtime of critical production systems.
An attacker with network access to a CompactLogix PLC could crash the controller, halting process control and production until the device is manually restarted. This causes immediate loss of operational capability.
An attacker could execute privileged commands on the FactoryTalk Analytics system, potentially modifying production analytics, alarm configurations, or system settings that control how operations are monitored and optimized.
An attacker with network access to an EtherNet/IP adapter could gain unauthorized control of the device, potentially taking over engineering credentials and causing process disruptions or shutdown of FLEX I/O modules in your facility.
An attacker can crash RSLinx Classic, making it unresponsive and preventing operators from monitoring or controlling connected devices until the application is manually restarted.
An authenticated attacker could write or overwrite any file on the SD-WAN Manager system, potentially gaining full control of the device and the WAN infrastructure it manages. This could allow an attacker to disrupt network connectivity across all managed sites or alter network routing behavior.
An attacker with physical access to the device can extract the disk encryption key by eavesdropping on TPM communications, leading to full compromise of the encrypted disk and any stored sensitive data or credentials.
An attacker could obtain hard-coded credentials from the mobile app, then use them to access the cloud MQTT broker to view telemetry from all connected robots and send operational commands that could alter robot behavior or halt operations.
An attacker could impersonate your connected devices, intercept or alter sensor data and control commands, or extract stored credentials, leading to unauthorized access to your network and loss of device control.
An unauthenticated attacker with local access to the network could view live video feeds and gain administrative control of the camera, potentially allowing them to disable surveillance, alter recordings, or use the compromised device as an entry point to other network systems.
Local users with low privileges can escalate their access to system administrator level, potentially allowing an attacker to modify process configurations, halt operations, or exfiltrate sensitive data from automated manufacturing systems. This is a high-risk vulnerability actively being exploited in the wild.
An attacker with local access to a workstation running Freelance Security Lock could use keyboard shortcuts or accessibility features to bypass or disable the security lock, potentially stopping the application or making it inaccessible to authorized operators.
An attacker could crash an affected B&R terminal or corrupt data in memory, potentially halting production operations or causing loss of process setpoints and program state.
A malicious administrator with web interface access could inject JavaScript code that executes in the browsers of other administrators, potentially stealing session tokens or triggering unauthorized firewall configuration changes. This affects only personnel with admin credentials who access the web interface.
A local user on a macOS device can discover the passcode that controls GlobalProtect app settings, then disable or uninstall the VPN client without authorization, losing remote access protection and endpoint security coverage.
An employee or contractor with access to a Linux workstation running Prisma Access Agent could bypass VPN protections and send network traffic outside the encrypted tunnel, potentially exposing sensitive operational data or command traffic to interception.
An authenticated user could send specially crafted tunnel traffic to force the firewall to reboot, causing network outages. Repeated attacks could leave the firewall stuck in maintenance mode, interrupting traffic flow until manual recovery.
An authorized user on a Linux workstation running Prisma Access Agent could escalate their privileges to run commands as root, potentially compromising the security of the entire endpoint and any systems it connects to, including your OT network if the workstation is used as an engineering or administrative access point.
An authenticated administrator with CLI access could escalate their privileges to root and perform unrestricted actions on the firewall, potentially altering security policies, routing, or blocking legitimate traffic that the device is protecting.
An authenticated administrator with CLI or web UI access can inject arbitrary commands and run them as root on your firewall, potentially compromising network traffic inspection, routing, or security policies. This could allow an insider attacker or compromised admin account to shut down the firewall, modify policies, or exfiltrate data.
An attacker with local administrative access to a Windows system running Hyper-V could execute arbitrary code with high privileges, potentially compromising the host system and any virtual machines it manages.
A remote attacker could trigger a buffer overflow in the Remote Desktop Client to execute code with the privileges of the connected user, potentially gaining control of the workstation or server.
An attacker could execute arbitrary code on a Windows desktop or server through the Remote Desktop Client, potentially gaining full control of the system and any connected equipment it manages or monitors.
An attacker with valid credentials on your network could exploit an integer overflow in the Windows Kerberos system to run unauthorized code on a domain controller, potentially compromising authentication for all connected systems and devices.
An attacker could exploit a use-after-free flaw in the Windows Kernel to remotely execute arbitrary code with kernel-level privileges, potentially allowing them to take full control of the system and access or manipulate any data or process running on it.
An attacker with valid domain credentials could run arbitrary code on your domain controller, potentially compromising all systems connected to your Active Directory infrastructure and disrupting authentication and authorization for your entire network.
An attacker with local access to a Windows system running the DHCP client could read sensitive data from system memory, potentially exposing credentials or configuration information used by other processes on that system.
An attacker with local access to a Windows server running Hyper-V could execute arbitrary code with system privileges, potentially taking control of virtualized OT systems or the host itself.
An attacker with local access to a Windows system running Hyper-V could run code with the same privileges as the operating system, potentially compromising any virtual machines or services running on that hypervisor host.
An attacker who can reach your RDP service over the network could read sensitive memory data from your Windows system without any credentials, potentially exposing passwords, encryption keys, or configuration secrets.
A neighboring device on your network could exploit a flaw in Windows TCP/IP to gain system-level privileges on your Windows servers or workstations, allowing them to run commands, access data, or disrupt operations.
An attacker with valid credentials could crash the Kerberos authentication service on your domain controller or member server, making domain authentication unavailable and disrupting all networked operations that depend on it.
An authorized user or service account on a Windows system could escalate their privileges to system level, allowing them to take full control of the computer, modify industrial automation software, or alter system configurations critical to facility operations.
An attacker with local access to a Windows system could read sensitive information from the DHCP client service memory, potentially exposing network configuration details or credentials. This is a local information disclosure only and does not directly impact operational processes.
An attacker on your network could tamper with DHCP responses, potentially redirecting devices to malicious servers or disrupting network connectivity across your infrastructure.