Ics
CVE-2026-12569: PTC Windchill/FlexPLM Deserialization RCE Exploited in Wild, CISA Deadline Today
A critical unauthenticated deserialization RCE in PTC Windchill and FlexPLM (CVE-2026-12569, CVSS 9.3) is being actively exploited with JSP web shells; CISA federal patch deadline is today.
CISA and the FBI Warn: Internet-Exposed Fuel Tank Gauges Are Under Active Attack
A June 2 joint advisory from CISA, the FBI, the NSA and five other agencies says attackers are compromising internet-exposed automatic tank gauge systems and modifying them through command execution. Shadowserver counts over 1,000 exposed, 909 in the US — on the same TCP port these consoles have answered on for a decade.
BRIDGE:BREAK — 22 Flaws in Lantronix and Silex Serial-to-IP Converters, ~20,000 Devices Exposed
Forescout's Vedere Labs disclosed 22 CVEs in Lantronix EDS3000PS/EDS5000 and Silex SD330-AC serial-to-IP converters, including unauthenticated RCE, hard-coded keys, and null admin passwords. Roughly 20,000 devices sit directly on the public internet.
ZionSiphon: OT Sabotage Malware Targeting Israeli Water and Desalination Plants
Darktrace dissects ZionSiphon, a politically motivated OT malware built to tamper with chlorine and pressure in Israeli water systems. Broken by bad crypto, but the blueprint is real.
CISA AA26-097A: CyberAv3ngers Exploit Rockwell PLCs Across US Water, Energy, and Government Systems
Six US agencies issue joint advisory after Iranian-affiliated CyberAv3ngers compromise Rockwell Allen-Bradley PLCs in water, energy, and government sectors, manipulating SCADA displays and control logic.
CVE-2026-4681: CVSS 10.0 Deserialization RCE in PTC Windchill Has German Police Knocking on Doors
A maximum-severity deserialization flaw in PTC Windchill and FlexPLM (CVE-2026-4681, CVSS 10.0) prompted German federal police to physically visit companies and wake up sysadmins. No patch yet. Here's what you need to know.
Ransomware Hits Minot Water Treatment Plant SCADA System, FBI Investigating
Ransomware compromised the SCADA server at Minot, North Dakota's water treatment plant, forcing 16 hours of manual operations. FBI released a statement today confirming active investigation.
CVE-2026-32746: 32-Year-Old GNU Telnetd Bug Gives Unauthenticated Attackers Root via Port 23
A CVSS 9.8 pre-authentication buffer overflow in GNU inetutils telnetd lets remote attackers get root before the login prompt. Patch is incomplete across major distros and a public PoC exists.
CVE-2026-1579: Critical PX4 Autopilot Flaw Gives Attackers Full Drone Control via MAVLink
CISA advisory for CVE-2026-1579 reveals a CVSS 9.8 authentication bypass in PX4 Autopilot that lets unauthenticated attackers gain shell access to drones over MAVLink.