Full Report
[Control systems] CISA ICS security advisories (AV26-475)
Analysis Summary
The following summary is based on the CISA ICS security advisories (AV26-475) released between May 11 and May 17, 2026. This bulletin covers a wide range of industrial control systems (ICS) and operational technology (OT) products.
# Vulnerability: CISA ICS Security Advisory Bundle (AV26-475)
## CVE Details
*Note: Due to the high volume of products in this advisory, specific CVEs are summarized by vendor group.*
- **CVE IDs:** Multiple (refer to vendor advisories for specific IDs)
- **CVSS Score:** Range from **7.5 (High)** to **9.8 (Critical)** in typical ICS advisory bundles of this scope.
- **CWE:** Commonly includes CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-287 (Improper Authentication), and CWE-20 (Improper Input Validation).
## Affected Systems
- **ABB:**
  - AC500 V3 Firmware (PM5xxx 3.9.0 and 3.9.0_HF1)
  - AC500 V3 (prior to 3.9.0)
  - Automation Builder Gateway (prior to 2.9.0)
  - WebPro SNMP Card PowerValue (prior to 1.1.8.k and 1.1.8.p)
- **Siemens:**
  - Industrial Devices (Multiple models/versions)
  - Opcenter RDnL (All versions)
  - Ruggedcom Rox MX/RX (prior to 2.17.1)
  - SENTRON 7KT PAC1261 Data Manager (prior to 2.1.0)
  - SIMATIC CN 4100 (prior to 5.0)
  - SIMATIC S7 PLC Web Server, SIPROTEC 5, ROS#, Simcenter Femap, Solid Edge, Teamcenter, and gWAP.
- **Fuji Electric:** Tellus (version 5.0.2)
- **Subnet Solutions:** PowerSYSTEM Center (Multiple versions)
- **Universal Robots:** Polyscope 5 (prior to 5.25.1)
## Vulnerability Description
While specific flaws vary by product, the advisories generally cover:
1. **Remote Code Execution (RCE):** Flaws in memory handling in Siemens and ABB PLCs/Gateways allowing attackers to execute arbitrary code.
2. **Authentication Bypass:** Vulnerabilities in web servers (SIMATIC S7) and SNMP cards (ABB) that could allow unauthorized access to device configuration.
3. **Denial of Service (DoS):** Exploits targeting network stacks in Ruggedcom and communication modules in SIPROTEC 5.
4. **Information Disclosure:** Insecure handling of sensitive data in Subnet Solutions PowerSYSTEM Center and Siemens Teamcenter.
## Exploitation
- **Status:** Not currently reported as exploited in the wild (unless specified in individual deep-dive advisories); PoC status varies.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (primary focus for ICS web interfaces and gateways).
## Impact
- **Confidentiality:** High (Risk of sensitive industrial process data exposure).
- **Integrity:** High (Risk of unauthorized logic changes in PLCs).
- **Availability:** High (Potential for process disruption or device bricking).
## Remediation
### Patches
- **ABB:** Update AC500 V3 to firmware **v3.9.0** or later. Update Gateway to **v2.9.0**.
- **Siemens:** Update Ruggedcom Rox to **v2.17.1**, CN 4100 to **v5.0**, and Simcenter Femap to **v2512.0003**. For Opcenter RDnL, contact Siemens Support.
- **Universal Robots:** Upgrade Polyscope 5 to **v5.25.1**.
- **Fuji Electric:** Apply the latest security patch for Tellus **v5.0.2**.
### Workarounds
- Disable web servers and SNMP services if not required for operations.
- Isolate ICS/SCADA networks from the corporate LAN and the internet using demilitarized zones (DMZs).
- Use VPNs for all remote access and implement multi-factor authentication (MFA).
## Detection
- Monitor for unusual traffic on ports dedicated to industrial protocols (e.g., Modbus, S7Comm, SNMP).
- Audit system logs for failed login attempts or unauthorized configuration changes.
- Use ICS-aware Intrusion Detection Systems (IDS) to identify malformed packets targeting Siemens or ABB communication stacks.
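
The first detection item above can be prototyped over exported flow records. The following is an added example, not part of the advisories or any vendor tooling: it flags Modbus, S7Comm and SNMP connections into the control network from any host that is not an approved workstation. The ports are the protocols' standard defaults (502/tcp, 102/tcp, 161/udp); the record format, the `10.20.0.0/24` control subnet and the allowlist are assumptions to adapt to your environment.

```python
import ipaddress

# Standard default ports for the protocols named in the Detection list.
ICS_PORTS = {("tcp", 502): "Modbus/TCP", ("tcp", 102): "S7Comm", ("udp", 161): "SNMP"}
# Assumption: the control network subnet.
OT_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumption: hosts approved to talk to controllers (engineering station, NMS).
ALLOWED = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.11")}

def parse_flow(line):
    """Parse 'timestamp src dst proto dport'; return None for malformed records."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)
    except ValueError:
        return None

def find_alerts(lines):
    """Return (ts, src, dst, service, reason) for unapproved ICS-protocol flows."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, proto, dport = flow
        service = ICS_PORTS.get((proto, dport))
        # Only flows that target an industrial protocol port inside the OT subnet matter here.
        if service is None or dst not in OT_NET or src in ALLOWED:
            continue
        reason = "OT host not on allowlist" if src in OT_NET else "source outside OT network"
        alerts.append((ts, str(src), str(dst), service, reason))
    return alerts

# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """\
2026-05-18T08:00:01Z 10.20.0.10 10.20.0.50 tcp 102
2026-05-18T08:00:07Z 192.168.5.23 10.20.0.50 tcp 102
2026-05-18T08:01:12Z 10.20.0.77 10.20.0.60 tcp 502
2026-05-18T08:01:30Z 10.20.0.11 10.20.0.61 udp 161
2026-05-18T08:02:02Z 192.168.5.23 10.20.0.61 udp 161
2026-05-18T08:02:40Z 192.168.5.23 192.168.5.1 udp 161
garbage line
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(*alert, sep="  ")
```

A source outside the OT subnet reaching a controller port also indicates that the network isolation listed under Workarounds is not being enforced.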
## References
- CISA ICS Advisories: hxxps[://]www[.]cisa[.]gov/news-events/cybersecurity-advisories
- Canadian Centre for Cyber Security Bulletin (AV26-475): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-475
- Siemens ProductCERT: hxxps[://]new[.]siemens[.]com/global/en/products/services/cert[.]html
- ABB Cybersecurity Alerts: hxxps[://]global[.]abb/group/en/about/cybersecurity/alerts-and-notifications