CISA, the FBI, the NSA, the Department of Energy, and partners have warned that threat actors are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage across the Energy, Chemical, Food and Agriculture, and Transportation sectors. Attackers gain access via authentication-bypass flaws, hardcoded credentials, OS command-execution bugs, SQL injection, and privilege escalation, then modify network settings, product identifiers, tank volumes, and pump controls, and can disable alerts - raising the risk of leaks or equipment failure. The advisory does not formally attribute the activity, but it follows May CNN reporting linking Iranian hackers to similar ATG breaches. Agencies urge removing ATG systems from the internet.
Universal Robots, the Danish maker of the PolyScope 5 collaborative-robot controllers used across manufacturing, logistics, automotive, and healthcare, has patched CVE-2026-8153, a CVSS 9.8 OS command injection in the Dashboard Server interface. The server accepts user-controlled input and passes it to the underlying Linux OS without proper neutralization, so anyone with network access to the Dashboard Server port can achieve unauthenticated remote code execution on the robot controller - effectively a Linux machine wired directly into physical machinery. Vera Mens of Claroty Team82 discovered and reported the flaw through CISA and CERT/CC's VINCE coordination. Exploitation requires the Dashboard Server to be enabled in the UI.
US officials believe Iranian-affiliated actors broke into internet-exposed automatic tank gauge (ATG) systems at gas stations across multiple states, then changed the displayed fuel levels without altering the actual amounts. The intrusions caused no shortages, but falsified ATG readings could theoretically hide a real fuel leak. ATGs have been a known soft target for over a decade. The activity tracks with a broader Iranian push during the war that began in late February: disruptions at US oil, gas, and water sites, shipping delays at Stryker, and the leak of FBI Director Kash Patel's emails. Attribution is preliminary because intruders left almost no forensic evidence.
Polish intelligence service ABW announced Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports the targeting profile is consistent with state-aligned activity - patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack but the timing (alongside Russia-Ukraine conflict and Russia's interest in Polish infrastructure as a NATO frontline state) is unmistakable. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access establishes pre-positioning.
Forescout Vedere Labs disclosed BRIDGE:BREAK, a set of 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex that together expose roughly 20,000 devices visible on the open internet. Serial-to-IP converters bridge legacy serial-port equipment (older industrial PLCs, building-automation controllers, medical devices, laboratory instruments) to modern TCP/IP networks, so attackers compromising them can read and tamper with the raw serial traffic flowing to field equipment. Eight flaws affect Lantronix EDS3000PS and EDS5000 series; fourteen affect Silex SD330-AC. The categories span unauthenticated remote code execution (CVE-2026-32955, CVE-2026-32956, CVE-2026-32961, CVE-2025-67034 through 67038, CVE-2025-67041), authentication bypass (CVE-2026-32960, CVE-2025-67039), full device takeover (CVE-2026-32965, CVE-2025-70082, plus FSCT-2025-0021 with no CVE assigned), firmware tampering (CVE-2026-32958), arbitrary file upload (CVE-2026-32957), and information disclosure (CVE-2026-32959). The researchers describe a realistic kill chain where an attacker first pops an internet-facing edge device like an industrial router, then pivots through a compromised serial-to-IP converter to silently alter sensor readings or actuator commands flowing to field assets - data-integrity attacks that are invisible to most OT monitoring. Both vendors have released firmware updates.
A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.