Full Report
[Control systems] CISA ICS security advisories (AV26–391)
Analysis Summary
Based on the CISA ICS Security Advisories (AV26–391) released between April 20 and April 26, 2026, the following summary highlights the key vulnerabilities across critical infrastructure and IoT devices.
*(Note: Due to the high volume of advisories in this batch (19 products), this summary focuses on the most critical infrastructure components including Siemens, Networking, and Remote Access software.)*
---
# Vulnerability: Multi-Vendor Industrial Control Systems & Infrastructure Flaws (AV26–391)
## CVE Details
*While individual CVEs vary per product, the following represent the critical clusters in this advisory:*
- **CVE-2026-XXXXX** (Specific IDs range across vendors)
- **CVSS Score:** 5.3 to 9.8 (up to **Critical**)
- **CWE:** CWE-287 (Improper Authentication), CWE-121 (Stack-based Buffer Overflow), CWE-79 (Cross-site Scripting), CWE-77 (Command Injection).
## Affected Systems
- **Critical Infrastructure Management:**
  - Siemens SINEC NMS (Prior to V4.0 SP3)
  - Siemens Industrial Edge Management (Multiple versions)
  - RUGGEDCOM CROSSBOW SAC & SAM-P (Prior to V5.8)
- **Networking & Communications:**
  - Intrado 911 Emergency Gateway (EGW) (7.x, 6.x, 5.x)
  - Silex Technology SD-330AC (1.42 and prior)
- **Physical Security & IoT:**
  - Hangzhou Xiongmai (XM530 IP Camera)
  - Milesight Cameras (Multiple models)
  - Carlson Software VASCO-B GNSS Receiver (< 1.4.0)
- **Mobility:**
  - Zero Motorcycles Firmware (< 44)
  - Yadea T5 Electric Bicycle (All versions)
## Vulnerability Description
The advisories cover a broad spectrum of flaws:
- **Remote Code Execution (RCE):** Found in several IP camera systems and the Intrado 911 Gateway due to unauthenticated command injection points.
- **Privilege Escalation:** Affecting Siemens Industrial Edge and RUGGEDCOM components, allowing local or network-adjacent attackers to gain administrative control.
- **Information Disclosure:** Hardcoded credentials and insecure firmware storage in EV Charge Controllers (Hardy Barth) and GNSS receivers.
- **Denial of Service (DoS):** Siemens SCALANCE and SINEC NMS components are vulnerable to specially crafted packets that can crash management services.
## Exploitation
- **Status:** Vulnerabilities are categorized as **Not exploited** in the wild at the time of the advisory, though PoCs for older Milesight and Xiongmai vulnerabilities have historically been prevalent.
- **Complexity:** **Low** to **Medium** (Varies by product; many IoT flaws require zero user interaction).
- **Attack Vector:** Primarily **Network** (Remote) for management software; **Adjacent** or **Physical** for mobility/GNSS products.
## Impact
- **Confidentiality:** **High** (Exposure of 911 call data, system credentials, and GPS telemetry).
- **Integrity:** **High** (Potential for unauthorized modification of PLC configurations via SINEC NMS).
- **Availability:** **High** (Interruption of emergency services and industrial monitoring).
## Remediation
### Patches
- **Siemens Products:** Update to SINEC NMS V4.0 SP3 or newer. Apply firmware updates for RUGGEDCOM V5.8.
- **Silex Technology:** Update AMC Manager to V5.0.2 or higher.
- **Zero Motorcycles:** Flash firmware to Version 44 or higher via authorized service tools.
- **Hardy Barth:** Update EV Controller firmware beyond V2.3.81.
### Workarounds
- **Network Segmentation:** Isolate ICS networks from the business LAN and the public internet.
- **Physical Access:** Limit physical access to GNSS receivers and Electric Bicycle controllers to prevent unauthorized firmware tampering.
- **Disable Unused Services:** Disable Telnet and HTTP (unencrypted) on cameras and networking hardware.
## Detection
- **Indicators of Compromise:** Monitor for unusual outbound traffic from IP cameras to unknown IP addresses. Check for unauthorized administrative logins to Siemens management portals.
- **Detection methods:** Use an industrial-focused intrusion detection system (IDS) to flag non-standard traffic patterns targeting ports 161 (SNMP) and 443 on OT management servers.
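
The two detection ideas above, applied to flow records, as an added example that is not part of the advisories. The log format, subnets, allowlists and sample lines are constructed assumptions, and SNMP is assumed to be UDP 161.

```python
import ipaddress

# Assumed site inventory (constructed values, not taken from the advisories).
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")    # IP camera VLAN
CAMERA_ALLOWED_DSTS = {"10.20.0.10"}                  # video recorder
OT_MGMT_SERVERS = {"10.10.0.5"}                       # OT management server
MGMT_CLIENTS = ipaddress.ip_network("10.10.1.0/28")   # approved admin workstations
WATCHED_PORTS = {("udp", 161), ("tcp", 443)}          # SNMP and HTTPS

# Constructed flow log, one record per line: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2026-04-27T08:00:01Z 10.20.30.11 10.20.0.10 tcp 554
2026-04-27T08:00:07Z 10.20.30.12 203.0.113.45 tcp 8443
2026-04-27T08:01:15Z 10.10.1.4 10.10.0.5 tcp 443
2026-04-27T08:02:30Z 192.168.50.9 10.10.0.5 udp 161
2026-04-27T08:02:31Z 10.20.30.12 10.10.0.5 tcp 443
malformed line
"""

def parse_flow(line):
    """Return (ts, src, dst, proto, dport), or None for an unparseable record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None

def analyze(text):
    """Return alerts as (timestamp, rule, src, dst) tuples."""
    alerts = []
    for flow in map(parse_flow, text.splitlines()):
        if flow is None:
            continue  # skip garbage instead of aborting the whole run
        ts, src, dst, proto, dport = flow
        # Rule 1: a camera talks to anything other than its recorder.
        if src in CAMERA_NET and str(dst) not in CAMERA_ALLOWED_DSTS:
            alerts.append((ts, "camera-unexpected-destination", str(src), str(dst)))
        # Rule 2: SNMP/HTTPS to an OT management server from an unapproved source.
        if (str(dst) in OT_MGMT_SERVERS and (proto, dport) in WATCHED_PORTS
                and src not in MGMT_CLIENTS):
            alerts.append((ts, "ot-mgmt-unapproved-source", str(src), str(dst)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(*alert)
```

The last valid sample record trips both rules, since a camera reaching the management server on 443 is both an unexpected camera destination and an unapproved management source.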
## References
- CISA ICS Advisories: hxxps[://]www[.]cisa[.]gov/news-events/cybersecurity-advisories
- Siemens Security Advisories: hxxps[://]www[.]siemens[.]com/cert/advisories
- Canadian Centre for Cyber Security: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-391