Full Report
[Control systems] CISA ICS security advisories (AV26-183)
Analysis Summary
Canadian Centre for Cyber Security (CCCS) summary alert AV26-183 is broad in scope and aggregates multiple disparate CISA advisories, so the following is a high-level summary of the impacted products as reported for the week of February 23 to March 1, 2026.
# Vulnerability: Multi-Vendor Industrial Control Systems (CISA ICS Week of Feb 23, 2026)
## CVE Details
*Note: Due to the high volume of unique vulnerabilities across 13 vendors, specific CVEs are tracked under individual CISA advisories (ICSA-26-XXX).*
- **CVE ID:** Multiple (See CISA ICS Advisories for individual identifiers)
- **CVSS Score:** Range from **7.5 (High)** to **10.0 (Critical)** depending on the specific product.
- **CWE:** Commonly includes Improper Authentication (CWE-287), Hard-coded Credentials (CWE-259), and Cross-Site Scripting (CWE-79).
## Affected Systems
- **EV Charging Platforms:** Chargemap (all versions), CloudCharge (all versions), EV Energy (all versions), EV2GO (all versions), Mobility46 (all versions), SWITCH EV (all versions).
- **Industrial Automation/HVAC:**
  - Copeland XWEB/XWEB Pro (Prior to v1.12.1)
  - InSAT MasterSCADA BUK-TS (All versions)
  - Johnson Controls Frick Quantum HD (Prior to v10.22)
  - Schneider Electric EcoStruxure Building Operation Workstation (Multiple versions)
  - Yokogawa CENTUM VP R6, R7 (Prior to R1.07.00)
- **IoT/Physical Security:**
  - Gardyn Home Kit Firmware (Prior to master.619)
  - Pelco Sarix Pro 3 Series IP Cameras (Multiple models)
## Vulnerability Description
The vulnerabilities range from **unauthenticated remote code execution (RCE)** in web-based management interfaces (Copeland/Johnson Controls) to **broken access control** in EV charging SaaS platforms. Several advisories specifically address the exposure of sensitive control functions to the public internet without adequate encryption or authentication.
## Exploitation
- **Status:** Most reported as "Not exploited in the wild" at the time of publication; however, PoCs are often developed shortly after ICSA releases for SCADA components.
- **Complexity:** Low to Medium.
- **Attack Vector:** Primarily **Network**.
## Impact
- **Confidentiality:** High (Potential theft of user data and system configurations)
- **Integrity:** High (Unauthorized modification of control logic or setpoints)
- **Availability:** High (Potential for Denial of Service (DoS) or system lockout)
## Remediation
### Patches
- **Copeland:** Upgrade to XWEB Pro v1.12.1 or later.
- **Gardyn:** Update firmware to version master.619.
- **Johnson Controls:** Apply Quantum HD v10.22 update.
- **Yokogawa:** Update CENTUM VP to R1.07.00.
- **SaaS Vendors (EV Charging):** Contact vendors directly for backend security patch confirmation, as many are cloud-based platforms.
### Workarounds
- Isolate ICS/SCADA networks from the public internet using firewalls.
- Utilize VPNs for remote access to Building Operation Workstations.
- Disable unused ports and services (specifically HTTP/Telnet) on IP cameras and controllers.
## Detection
- **Indicators of Compromise:** Unusual administrative login attempts from external IP addresses; unexpected system reboots; unauthorized changes to control setpoints.
- **Detection methods:** Use ICS-aware intrusion detection systems (IDS) to monitor for non-standard protocol traffic (e.g., Modbus, BACnet) originating from the WAN.
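
As an added example (not taken from the CISA or CCCS advisories), the following sketch applies the detection method above to flow records: it flags Modbus, BACnet, Telnet and HTTP sessions that reach internal hosts from outside the site's address space. The flow-log format, function names, internal ranges and sample records are assumptions constructed for illustration; the ports are the standard assignments for those services.

```python
import ipaddress

# Services named on this page, keyed by their standard (protocol, port).
WATCHED_PORTS = {
    ("tcp", 502): "Modbus/TCP", ("udp", 47808): "BACnet/IP",
    ("tcp", 23): "Telnet", ("tcp", 80): "HTTP",
}

# Assumption: the site's internal address space. Replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Parse 'timestamp proto src:sport dst:dport' (constructed format)."""
    ts, proto, src, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, proto.lower(), src_ip, dst_ip, int(dport)

def find_wan_ics_flows(lines):
    """Return alerts for watched services reached from outside INTERNAL_NETS."""
    alerts = []
    for line in lines:
        try:
            ts, proto, src_ip, dst_ip, dport = parse_flow(line)
            inbound = not is_internal(src_ip) and is_internal(dst_ip)
        except ValueError:
            continue  # malformed record or address: skip it, keep sweeping
        service = WATCHED_PORTS.get((proto, dport))
        if service and inbound:
            alerts.append((ts, service, src_ip, dst_ip))
    return alerts

# Constructed sample flows; external hosts use documentation address ranges.
SAMPLE_FLOWS = """\
2026-03-01T10:00:01Z tcp 203.0.113.7:51514 10.20.0.15:502
2026-03-01T10:00:05Z tcp 10.20.0.40:40112 10.20.0.15:502
2026-03-01T10:01:12Z udp 198.51.100.23:47808 192.168.5.9:47808
2026-03-01T10:02:30Z tcp 203.0.113.7:51600 10.20.0.77:23
2026-03-01T10:03:00Z tcp 10.20.0.40:40200 203.0.113.9:80
garbage line
""".splitlines()

if __name__ == "__main__":
    for alert in find_wan_ics_flows(SAMPLE_FLOWS):
        print(alert)
```

Internal-to-internal Modbus polling and outbound HTTP are deliberately not flagged, so the output isolates the WAN-originated sessions that the firewall and VPN workarounds are meant to eliminate.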
## References
- CISA ICS Advisories: hxxps[://]www[.]cisa[.]gov/news-events/cybersecurity-advisories
- CCCS Advisory (AV26-183): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-183