RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: ics (3 articles)Clear
threat
2026-05-07

Polish intelligence says hackers attacked control systems at Polish water treatment plants

Polish intelligence service ABW announced Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports the targeting profile is consistent with state-aligned activity - patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack but the timing (alongside Russia-Ukraine conflict and Russia's interest in Polish infrastructure as a NATO frontline state) is unmistakable. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access establishes pre-positioning.

polandabwwater-treatmenticsscadacritical-infrastructurerussia-aligned-suspectednato-frontlinepre-positioningreconnaissance
Check
If you run water, electric, gas, or transport infrastructure, audit your industrial control system (ICS) and SCADA networks for unfamiliar VPN connections, new remote access tool installations, or anomalous outbound traffic since January.
Affected
Water utilities, power grid operators, and other critical infrastructure operators in NATO frontline states (Poland, Baltic states, Romania, Finland) and adjacent countries. Acute risk for utilities running internet-reachable HMI or engineering workstations. Smaller municipal water utilities without dedicated OT security staff are most exposed because they cannot detect patient state-actor reconnaissance.
Fix
Air-gap or one-way-data-diode-isolate ICS networks from corporate IT where possible. Inventory and remove any unauthorized remote-access tools (TeamViewer, AnyDesk, ScreenConnect) on engineering workstations. Apply CISA's water utility cyber guidance and Poland's CERT.PL recommendations. Conduct a tabletop exercise focused on prolonged ICS reconnaissance scenarios.
vulnerability
CVE-2026-32955CVE-2026-32956CVE-2026-32957CVE-2026-32958CVE-2026-32959CVE-2026-32960CVE-2026-32961CVE-2026-32962CVE-2026-32963CVE-2026-32964CVE-2026-32965CVE-2025-67034CVE-2025-67035CVE-2025-67036CVE-2025-67037CVE-2025-67038CVE-2025-67039CVE-2025-67041CVE-2025-70082CVE-2024-24487CVE-2015-5621
2026-04-21

BRIDGE:BREAK - 22 new flaws expose ~20,000 internet-facing Lantronix and Silex serial-to-IP converters to full takeover

Forescout Vedere Labs disclosed BRIDGE:BREAK, a set of 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex that together expose roughly 20,000 devices visible on the open internet. Serial-to-IP converters bridge legacy serial-port equipment (older industrial PLCs, building-automation controllers, medical devices, laboratory instruments) to modern TCP/IP networks, so attackers compromising them can read and tamper with the raw serial traffic flowing to field equipment. Eight flaws affect Lantronix EDS3000PS and EDS5000 series; fourteen affect Silex SD330-AC. The categories span unauthenticated remote code execution (CVE-2026-32955, CVE-2026-32956, CVE-2026-32961, CVE-2025-67034 through 67038, CVE-2025-67041), authentication bypass (CVE-2026-32960, CVE-2025-67039), full device takeover (CVE-2026-32965, CVE-2025-70082, plus FSCT-2025-0021 with no CVE assigned), firmware tampering (CVE-2026-32958), arbitrary file upload (CVE-2026-32957), and information disclosure (CVE-2026-32959). The researchers describe a realistic kill chain where an attacker first pops an internet-facing edge device like an industrial router, then pivots through a compromised serial-to-IP converter to silently alter sensor readings or actuator commands flowing to field assets - data-integrity attacks that are invisible to most OT monitoring. Both vendors have released firmware updates.

lantronixsilexserial-to-ipot-securityicsrceforescoutbridge-break
Check
Search your asset inventory and external-attack-surface data for any Lantronix EDS3000PS, EDS5000, or Silex SD330-AC devices, then confirm they are both patched and not directly internet-exposed.
Affected
Lantronix EDS3000PS Series and EDS5000 Series; Silex SD330-AC. Vulnerable firmware versions listed per device in the respective Lantronix and Silex advisories.
Fix
Apply the firmware updates Lantronix and Silex have released for each affected model (see vendor advisories for version-specific fixes). Replace default credentials, put these devices behind network segmentation, and remove all direct internet exposure - serial-to-IP converters have no business being reachable from the public internet. Add Shodan/Censys monitoring for your ASN to catch rogue or forgotten deployments. If you cannot patch immediately, take the devices offline rather than leave them on the internet.
threat
2026-04-07

FBI and CISA warn Iranian hackers are targeting internet-exposed Rockwell PLCs at US water and energy facilities

A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.

iranicsplcrockwellcritical-infrastructurefbicisawaterenergy
Check
If you operate or support organizations with industrial control systems, check whether any Rockwell/Allen-Bradley PLCs are directly exposed to the internet.
Affected
Organizations running internet-exposed Rockwell Automation and Allen-Bradley PLCs, particularly in water treatment, energy, and government facilities. Any PLC reachable from the public internet without VPN or network segmentation is at risk.
Fix
Remove all PLC management interfaces from internet exposure immediately - these should only be accessible via dedicated OT networks or VPN. Change all default credentials on PLCs and HMI systems. Monitor for unauthorized access to PLC project files and unexpected changes to HMI/SCADA displays. Follow the joint advisory's indicators of compromise and detection signatures.