Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ics (6 articles)

CISA, FBI, NSA warn hackers are modifying internet-exposed fuel tank gauge (ATG) systems - prior activity linked to Iran

CISA, the FBI, the NSA, the Department of Energy, and partners have warned that threat actors are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage across the Energy, Chemical, Food and Agriculture, and Transportation sectors. Attackers gain access via authentication-bypass flaws, hardcoded credentials, OS command-execution bugs, SQL injection, and privilege escalation, then modify network settings, product identifiers, tank volumes, and pump controls, and can disable alerts - raising the risk of leaks or equipment failure. The advisory does not formally attribute the activity, but it follows May CNN reporting linking Iranian hackers to similar ATG breaches. Agencies urge removing ATG systems from the internet.

Check
Inventory automatic tank gauge (ATG) systems and confirm none are internet-exposed. Replace default passwords, enable MFA, and review device logs for unauthorized changes to settings, volumes, or pump controls.
Affected
Internet-exposed ATG systems across Energy, Chemical, Food and Agriculture, and Transportation sectors. Access via auth-bypass, hardcoded credentials, command-execution, SQL injection, and privilege-escalation flaws. Prior activity linked to Iran.
Fix
Remove ATG systems from the internet; restrict remote access via firewalls, VPNs, or ACLs. Replace default credentials, enforce MFA, apply updates, and monitor for unauthorized configuration changes.

Universal Robots PolyScope 5 cobots: unauthenticated RCE on Dashboard Server (CVE-2026-8153, CVSS 9.8) - patch out

Universal Robots, the Danish maker of the PolyScope 5 collaborative-robot controllers used across manufacturing, logistics, automotive, and healthcare, has patched CVE-2026-8153, a CVSS 9.8 OS command injection in the Dashboard Server interface. The server accepts user-controlled input and passes it to the underlying Linux OS without proper neutralization, so anyone with network access to the Dashboard Server port can achieve unauthenticated remote code execution on the robot controller - effectively a Linux machine wired directly into physical machinery. Vera Mens of Claroty Team82 discovered and reported the flaw through CISA and CERT/CC's VINCE coordination. Exploitation requires the Dashboard Server to be enabled in the UI.

Check
Inventory Universal Robots PolyScope 5 deployments and their firmware version. Identify whether the Dashboard Server is enabled and reachable from any network beyond the management VLAN.
Affected
Universal Robots PolyScope 5 controllers with the Dashboard Server enabled and its port reachable by the attacker. Cobots in manufacturing, logistics, automotive, and healthcare are typical deployments.
Fix
Apply Universal Robots' patch for CVE-2026-8153. Disable the Dashboard Server where not strictly needed. Place cobot controllers on a separate OT VLAN with strict ACLs from corporate networks.

Iran-linked hackers breached US gas station fuel-tank gauges - online ATG systems with no password protection

US officials believe Iranian-affiliated actors broke into internet-exposed automatic tank gauge (ATG) systems at gas stations across multiple states, then changed the displayed fuel levels without altering the actual amounts. The intrusions caused no shortages, but falsified ATG readings could theoretically hide a real fuel leak. ATGs have been a known soft target for over a decade. The activity tracks with a broader Iranian push during the war that began in late February: disruptions at US oil, gas, and water sites, shipping delays at Stryker, and the leak of FBI Director Kash Patel's emails. Attribution is preliminary because intruders left almost no forensic evidence.

Check
Inventory ATG and fuel-management endpoints. Search Shodan or Censys for your public netblocks on TCP port 10001 (the Veeder-Root TLS serial-over-IP port) and for similar ATG signatures. Pull access logs from any internet-reachable OT controller and look for unexpected reads or changes to displayed volumes.
Affected
US fuel retailers and distributors operating ATG systems (Veeder-Root, Franklin Electric INCON, Gilbarco) exposed to the internet with weak credentials. Same pattern applies to water utilities and other internet-facing ICS endpoints.
Fix
Remove ATG and OT management interfaces from the public internet. Put them behind VPN with MFA, segment OT from IT networks, and document manual gauging procedures for outages.
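Both ATG entries above come down to one check: does the gauge answer on TCP/10001 with no credential prompt? The following is an added example for this page, not code from CISA, the FBI, or any gauge vendor. It sends the Veeder-Root TLS-350 in-tank inventory command (I20100, a read-only query) and parses the human-readable reply into per-tank rows, so the same routine can be run from outside the perimeter to confirm exposure and from inside to baseline readings. The SOH/ETX framing, the command echo at the start of the reply, and the column layout are assumptions based on publicly described TLS-350 output; the sample reply is constructed, not captured, and real devices may differ in spacing or columns.

```python
"""Probe an automatic tank gauge for unauthenticated TLS-350 style access.

Added example, not from the advisory or any vendor. Assumptions: the gauge
(or a serial-to-IP bridge in front of it) listens on TCP/10001, speaks the
Veeder-Root TLS protocol, frames display-format replies as SOH ... ETX,
echoes the command code, and lays the I20100 report out as in SAMPLE_REPLY.
The sample reply is constructed for this example, not captured from a site.
"""
import re
import socket

SOH, ETX = b"\x01", b"\x03"
INVENTORY_CMD = b"I20100"  # in-tank inventory report; read-only, so safe to send

# One tank per row: number, product label, volume, TC volume, ullage, height,
# water, temperature. Product labels may contain spaces ("SUPER UNLEADED").
TANK_ROW = re.compile(
    r"^\s*(?P<tank>\d+)\s+(?P<product>[A-Z][A-Z0-9 #/\-]*?)\s+"
    r"(?P<volume>\d+)\s+(?P<tc_volume>\d+)\s+(?P<ullage>\d+)\s+"
    r"(?P<height>\d+\.\d+)\s+(?P<water>\d+\.\d+)\s+(?P<temp>-?\d+\.\d+)\s*$"
)

# Constructed sample of what an exposed gauge returns with no credential prompt.
SAMPLE_REPLY = (
    b"\x01I20100\r\n"
    b"JUL 05, 2026  9:01 AM\r\n\r\n"
    b"EXAMPLE STATION 12\r\n\r\n"
    b"IN-TANK INVENTORY\r\n\r\n"
    b"TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\r\n"
    b"  1  UNLEADED              6312       0     13688    23.98     0.00    59.57\r\n"
    b"  2  PREMIUM               2210       0      7790    12.41     0.00    60.12\r\n"
    b"  3  DIESEL                8854       0      1146    41.07     1.25    58.90\r\n"
    b"\x03"
)


def is_tls_response(data: bytes) -> bool:
    """A TLS display-format reply starts with SOH plus the echoed command and
    ends with ETX. HTTP banners, telnet prompts or an empty read do not."""
    return data.startswith(SOH + INVENTORY_CMD) and data.rstrip(b"\r\n").endswith(ETX)


def parse_inventory(data: bytes) -> dict:
    """Turn a raw I20100 reply into {'station': str, 'tanks': [row, ...]}."""
    text = data.strip(SOH + ETX + b"\r\n").decode("ascii", errors="replace")
    lines = text.splitlines()
    try:
        title = lines.index("IN-TANK INVENTORY")
    except ValueError:
        title = len(lines)
    # Line 0 is the command echo, line 1 the gauge clock; the operator's
    # station name, if configured, sits between those and the report title.
    station = " ".join(ln.strip() for ln in lines[2:title] if ln.strip())
    tanks = []
    for ln in lines[title + 1:]:
        m = TANK_ROW.match(ln)
        if m:
            tanks.append({
                "tank": int(m["tank"]), "product": m["product"],
                "volume": int(m["volume"]), "ullage": int(m["ullage"]),
                "height": float(m["height"]), "water": float(m["water"]),
            })
    return {"station": station, "tanks": tanks}


def summarize(data: bytes) -> dict:
    """What an auditor records: whether the endpoint answered a TLS command
    unauthenticated, and what it disclosed. Only a read is attempted here;
    the same channel accepts setup commands, which is the advisory's concern."""
    if not is_tls_response(data):
        return {"exposed": False, "station": "", "tank_count": 0, "total_volume": 0}
    inv = parse_inventory(data)
    return {
        "exposed": True,
        "station": inv["station"],
        "tank_count": len(inv["tanks"]),
        "total_volume": sum(t["volume"] for t in inv["tanks"]),
    }


def probe_atg(host: str, port: int = 10001, timeout: float = 5.0) -> bytes:
    """Send the inventory query and collect the reply until ETX or timeout.
    Run this only against gauges you are authorized to test."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SOH + INVENTORY_CMD)
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if ETX in chunk:
                break
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    reply = probe_atg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    print(summarize(reply))
```

Run it as `python atg_probe.py <host>` (filename assumed) against an address you are authorized to test; with no argument it parses the constructed sample. A populated inventory table coming back is itself the finding: the same unauthenticated channel accepts the setup commands the advisory says attackers used to alter volumes and alarms, so anything that answers belongs behind the VPN, not on the internet.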

Polish intelligence says hackers attacked control systems at Polish water treatment plants

Polish intelligence service ABW announced Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports the targeting profile is consistent with state-aligned activity: patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack, but the context (the ongoing Russia-Ukraine war and Russia's interest in Polish infrastructure as a NATO frontline state) is hard to miss. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access amounts to pre-positioning.

Check
If you run water, electric, gas, or transport infrastructure, audit your industrial control system (ICS) and SCADA networks for unfamiliar VPN connections, new remote access tool installations, or anomalous outbound traffic since January.
Affected
Water utilities, power grid operators, and other critical infrastructure operators in NATO frontline states (Poland, Baltic states, Romania, Finland) and adjacent countries. Acute risk for utilities running internet-reachable HMI or engineering workstations. Smaller municipal water utilities without dedicated OT security staff are most exposed because they cannot detect patient state-actor reconnaissance.
Fix
Isolate ICS networks from corporate IT with an air gap or a one-way data diode where possible. Inventory and remove any unauthorized remote-access tools (TeamViewer, AnyDesk, ScreenConnect) on engineering workstations. Apply CISA's water utility cyber guidance and Poland's CERT.PL recommendations. Run a tabletop exercise focused on prolonged ICS reconnaissance scenarios.

BRIDGE:BREAK - 22 new flaws expose ~20,000 internet-facing Lantronix and Silex serial-to-IP converters to full takeover

Forescout Vedere Labs disclosed BRIDGE:BREAK, a set of 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex that together expose roughly 20,000 devices visible on the open internet. Serial-to-IP converters bridge legacy serial-port equipment (older industrial PLCs, building-automation controllers, medical devices, laboratory instruments) to modern TCP/IP networks, so attackers compromising them can read and tamper with the raw serial traffic flowing to field equipment. Eight flaws affect Lantronix EDS3000PS and EDS5000 series; fourteen affect Silex SD330-AC. The categories span unauthenticated remote code execution (CVE-2026-32955, CVE-2026-32956, CVE-2026-32961, CVE-2025-67034 through 67038, CVE-2025-67041), authentication bypass (CVE-2026-32960, CVE-2025-67039), full device takeover (CVE-2026-32965, CVE-2025-70082, plus FSCT-2025-0021 with no CVE assigned), firmware tampering (CVE-2026-32958), arbitrary file upload (CVE-2026-32957), and information disclosure (CVE-2026-32959). The researchers describe a realistic kill chain where an attacker first pops an internet-facing edge device like an industrial router, then pivots through a compromised serial-to-IP converter to silently alter sensor readings or actuator commands flowing to field assets - data-integrity attacks that are invisible to most OT monitoring. Both vendors have released firmware updates.

Check
Search your asset inventory and external-attack-surface data for any Lantronix EDS3000PS, EDS5000, or Silex SD330-AC devices, then confirm they are both patched and not directly internet-exposed.
Affected
Lantronix EDS3000PS Series and EDS5000 Series; Silex SD330-AC. Vulnerable firmware versions listed per device in the respective Lantronix and Silex advisories.
Fix
Apply the firmware updates Lantronix and Silex have released for each affected model (see vendor advisories for version-specific fixes). Replace default credentials, put these devices behind network segmentation, and remove all direct internet exposure - serial-to-IP converters have no business being reachable from the public internet. Add Shodan/Censys monitoring for your ASN to catch rogue or forgotten deployments. If you cannot patch immediately, take the devices offline rather than leave them on the internet.

FBI and CISA warn Iranian hackers are targeting internet-exposed Rockwell PLCs at US water and energy facilities

A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.

Check
If you operate or support organizations with industrial control systems, check whether any Rockwell/Allen-Bradley PLCs are directly exposed to the internet.
Affected
Organizations running internet-exposed Rockwell Automation and Allen-Bradley PLCs, particularly in water treatment, energy, and government facilities. Any PLC reachable from the public internet without VPN or network segmentation is at risk.
Fix
Remove all PLC management interfaces from internet exposure immediately - these should only be accessible via dedicated OT networks or VPN. Change all default credentials on PLCs and HMI systems. Monitor for unauthorized access to PLC project files and unexpected changes to HMI/SCADA displays. Follow the joint advisory's indicators of compromise and detection signatures.
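The Check and Fix above ask two things of connection logs: is any PLC reachable from outside, and who inside is talking engineering protocols to it. As an added example, not part of the FBI/CISA advisory, the script below runs those two tests over a constructed, reduced Zeek conn.log-style record. It also covers the other device classes on this page (ATG/serial bridges on 10001, Universal Robots Dashboard Server on 29999), which the advisory itself does not. The asset addresses, engineering-workstation allowlist, internal ranges, and log lines are all assumptions constructed for the example.

```python
"""Find internet exposure and unauthorized engineering access to OT assets
in connection logs.

Added example, not from the FBI/CISA advisory. Input is a reduced Zeek
conn.log-style record (ts, src, sport, dst, dport, proto; tab-separated),
constructed below. Asset list, allowlist and internal ranges are assumptions;
substitute your own.
"""
import ipaddress

# Your routed internal ranges (assumed). Do not rely on ipaddress.is_private
# here: it also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# OT assets to watch (assumed names and addresses).
OT_ASSETS = {
    "10.30.1.10": "plc-ww-01",   # Rockwell/Allen-Bradley PLC
    "10.30.1.11": "plc-ww-02",   # Rockwell/Allen-Bradley PLC
    "10.30.1.12": "atg-01",      # tank gauge behind a serial-to-IP bridge
    "10.30.1.20": "cobot-01",    # Universal Robots controller
}

# Hosts allowed to speak engineering/command protocols to those assets (assumed).
ENGINEERING_ALLOWLIST = {"10.20.5.11", "10.20.5.12"}

# Ports that imply program, configuration or command access, not HMI polling.
OT_SERVICE_PORTS = {
    44818: "EtherNet/IP explicit messaging (project upload/download)",
    2222: "CIP implicit I/O",
    10001: "serial tunnel / ATG command channel",
    29999: "Universal Robots Dashboard Server",
}
SEVERITY_RANK = {"critical": 0, "high": 1}

# Constructed sample log. 203.0.113.45 and 198.51.100.9 are RFC 5737
# documentation addresses standing in for internet sources.
CONSTRUCTED_CONN_LOG = """\
1783000000.100\t10.20.5.11\t51222\t10.30.1.10\t44818\ttcp
1783000001.200\t10.20.5.11\t51223\t10.30.1.10\t2222\tudp
1783000002.300\t10.20.9.77\t40110\t10.30.1.10\t44818\ttcp
1783000003.400\t203.0.113.45\t55001\t10.30.1.11\t44818\ttcp
1783000004.500\t198.51.100.9\t60111\t10.30.1.11\t80\ttcp
1783000005.600\t10.20.5.12\t51300\t10.30.1.12\t10001\ttcp
1783000006.700\t10.20.9.77\t40200\t10.30.1.20\t29999\ttcp
"""


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of our own routed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list:
    """Parse the six-column record; skip blank lines and '#' headers."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        records.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def analyze(records: list) -> list:
    """Return findings, most severe first.

    critical: a source outside INTERNAL_NETS reached an OT asset on any port,
              so the asset is reachable from the internet (the precondition
              for every intrusion the advisory describes).
    high:     an internal host not on the engineering allowlist opened an OT
              service port; on 44818/tcp that is the path to PLC project files.
    """
    findings = []
    for r in records:
        asset = OT_ASSETS.get(r["dst"])
        if asset is None:
            continue
        service = OT_SERVICE_PORTS.get(r["dport"], f"{r['dport']}/{r['proto']}")
        if not is_internal(r["src"]):
            severity = "critical"
            reason = f"{asset} reached from outside internal ranges on {service}"
        elif r["dport"] in OT_SERVICE_PORTS and r["src"] not in ENGINEERING_ALLOWLIST:
            severity = "high"
            reason = f"{service} to {asset} from non-engineering host"
        else:
            continue
        findings.append({"severity": severity, "ts": r["ts"], "src": r["src"],
                         "asset": asset, "dport": r["dport"], "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ts"]))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_conn_log(CONSTRUCTED_CONN_LOG)):
        print(f"[{f['severity']}] {f['src']} -> {f['asset']}:{f['dport']}  {f['reason']}")
```

The script matches sources against your own internal ranges rather than `ipaddress.is_private`, because the Python check also classifies the RFC 5737 documentation ranges as private and would hide the two external hits in the sample. Populate ENGINEERING_ALLOWLIST from your asset inventory; any 44818/tcp session from a host not on it is a candidate for the project-file extraction the advisory describes, and any hit from outside INTERNAL_NETS means the Fix above has not been applied.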