[Control systems] CISA ICS security advisories (AV26-265)
Analysis Summary
This summary covers the CISA ICS Security Advisories (AV26-265) published between March 16 and March 22, 2026, as reported by the Canadian Centre for Cyber Security.
# Vulnerability: Multiple Critical Flaws in Industrial Control Systems (AV26-265)
## CVE Details
*Note: As this is a collective advisory summary, specific CVE IDs span a wide range. The following represent the critical trends in this batch:*
- **CVE ID:** Multiple (See specific CISA advisories for full list)
- **CVSS Score:** Range from **7.5 to 9.8** (**High to Critical**)
- **CWE:** CWE-287 (Improper Authentication), CWE-119 (Memory Corruption), CWE-79 (XSS), CWE-20 (Improper Input Validation).
## Affected Systems
- **Automated Logic:** WebCTRL Premium Server (prior to v8.5)
- **CODESYS / Festo:** CODESYS within Festo Automation Suite (Multiple versions)
- **CTEK:** Chargeportal (All versions)
- **IGL-Technologies:** eParking.fi (All versions)
- **Mitsubishi Electric:** CNC Series (Multiple versions)
- **Schneider Electric:**
  - EcoStruxure Automation Expert (prior to v25.0.1)
  - EcoStruxure Data Center Expert (v9.0 and prior)
  - EcoStruxure PME and EPO
  - Modicon Controllers (M241/M251/M258/LMC058/M262)
- **Siemens:** SICAM SIAPP SDK (prior to V2.1.7)
## Vulnerability Description
The vulnerabilities across these industrial products range from **unauthenticated remote code execution (RCE)** in controller modules to **improper access control** in EV charging and parking management portals. Many of the Schneider Electric Modicon flaws involve hardcoded credentials or insecure protocol implementations, allowing attackers to intercept or modify industrial logic.
## Exploitation
- **Status:** Most vulnerabilities were **not exploited** in the wild at the time of publication, but several have a **PoC available** because they rely on clear-text protocols or known legacy weaknesses.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Most can be exploited remotely if the ICS network is exposed).
## Impact
- **Confidentiality:** High (Risk of data theft from energy management systems)
- **Integrity:** High (Potential to modify PLC logic or machine tool parameters)
- **Availability:** High (Potential for Denial of Service (DoS) on critical infrastructure)
## Remediation
### Patches
- **Automated Logic:** Upgrade to WebCTRL v8.5 or later.
- **Schneider Electric:**
  - EcoStruxure Automation Expert: Upgrade to v25.0.1.
  - Modicon M241/M251: Upgrade to v5.4.13.12.
  - Modicon M262: Upgrade to v5.4.10.12.
- **Siemens:** Upgrade SICAM SIAPP SDK to V2.1.7.
### Workarounds
- **Network Segmentation:** Isolate ICS/SCADA networks from the business network and the internet using demilitarized zones (DMZs).
- **Physical Lockdown:** For Mitsubishi CNC and Modicon controllers, ensure physical access is restricted to authorized personnel only.
- **Disable Unused Services:** Disable HTTP/FTP services on controllers if not required for operational tasks.
## Detection
- **Indicators of Compromise:** Monitor for unusual traffic on port 502 (Modbus), unauthorized configuration change logs, and repeated failed login attempts to web management interfaces.
- **Detection Methods:** Use ICS-aware Deep Packet Inspection (DPI) tools to identify non-standard function codes or unauthorized firmware upload commands.
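
The port 502 checks described above can be prototyped as follows. This is an added example, not code from CISA, the Cyber Centre or any vendor: it parses the Modbus/TCP MBAP header and flags function codes outside the public set in the Modbus Application Protocol specification, plus writes from hosts outside an allowlist. The function name, the allowlisted address and the sample frames are assumptions constructed for illustration.

```python
import struct

# Function codes publicly assigned in the Modbus Application Protocol spec (v1.1b3).
PUBLIC_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
# Public codes that change coils, registers or files on the device.
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}
# Assumption: only these hosts (e.g. the engineering workstation) may write.
WRITE_ALLOWLIST = {"10.0.5.10"}


def inspect_adu(src_ip, payload, allow=WRITE_ALLOWLIST):
    """Return a list of findings for one Modbus/TCP request payload (TCP port 502)."""
    if len(payload) < 8:
        return ["truncated: shorter than MBAP header plus function code"]
    # MBAP header: transaction id, protocol id, length (big-endian), unit id.
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    findings = []
    if proto != 0:
        findings.append(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        findings.append(f"length field {length} != actual {len(payload) - 6}")
    fc = payload[7]
    if fc & 0x80:
        findings.append(f"exception bit set in request (0x{fc:02x})")
    elif fc not in PUBLIC_CODES:
        findings.append(f"non-standard function code 0x{fc:02x}")
    elif fc in WRITE_CODES and src_ip not in allow:
        findings.append(f"write function 0x{fc:02x} from non-allowlisted {src_ip}")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("10.0.5.10", bytes.fromhex("000100000006" "01" "03" "00000002")),  # read holding regs
    ("10.0.9.77", bytes.fromhex("000200000006" "01" "06" "0010ffff")),  # write single reg
    ("10.0.9.77", bytes.fromhex("000300000003" "01" "42" "00")),        # user-defined code
    ("10.0.5.10", bytes.fromhex("000400000009" "01" "03" "00000002")),  # bad length field
]

if __name__ == "__main__":
    for src, adu in SAMPLES:
        print(src, adu.hex(), inspect_adu(src, adu) or ["ok"])
```

A vendor's legitimate engineering traffic may itself use function codes outside the public set, so baseline each site before alerting on that finding alone.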
## References
- CISA ICS Advisories: hxxps[://]www[.]cisa[.]gov/news-events/cybersecurity-advisories
- Canadian Centre for Cyber Security (AV26-265): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-265
- Schneider Electric Security Notifications: hxxps[://]www[.]se[.]com/ww/en/about-us/cybersecurity/safety-notifications.jsp