News Summary week 04, 2026

Week 04 dominated by Pwn2Own Automotive 2026 with 76 zero-days in Tesla, EV chargers, and IVI systems; plus 8 new CISA ICS advisories affecting Schneider Electric, Rockwell, and Delta Electronics.

Tags: threat-intelligence, ICS, CPS, automotive, medical-devices

Published: January 24, 2026

Executive Summary

Week 04 of 2026 was defined by Pwn2Own Automotive 2026 in Tokyo, where security researchers earned over $1 million for discovering 76 zero-day vulnerabilities across Tesla infotainment, EV chargers (Alpitronic, ChargePoint, Phoenix Contact), and in-vehicle infotainment systems. CISA released 8 new ICS advisories on January 22, addressing critical flaws in Schneider Electric EcoStruxure Process Expert (privilege escalation), Delta Electronics DIAView (command injection, RCE), Rockwell Automation CompactLogix (DoS), and Weintek HMI systems (privilege manipulation). The healthcare sector saw continued ransomware targeting with Qilin hitting Covenant Health (480K patients affected).

This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.


Week of January 16 - January 23, 2026

Critical Alerts & Advisories

CISA ICS Advisory Release - January 22, 2026

CISA released eight ICS advisories addressing vulnerabilities across major industrial vendors:

Schneider Electric EcoStruxure Process Expert (ICSA-26-022-01)

CVE-2025-13905 | CVSS 7.3 (High)

  • Vulnerability: Incorrect Default Permissions (CWE-276)
  • Impact: Privilege escalation via a reverse shell, achieved by modifying the executable service binaries in the installation folder, which the default permissions leave writable
  • Affected Products: EcoStruxure Process Expert versions prior to 2025; EcoStruxure Process Expert for AVEVA System Platform (all versions)
  • Sectors: Critical Manufacturing, Energy, Commercial Facilities (worldwide)
  • Remediation: Update to EcoStruxure Process Expert version 2025
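The EcoStruxure finding is a CWE-276 case: service binaries in an installation folder that low-privileged users can overwrite. The following audit is an added example, not Schneider Electric's code and not part of the advisory. It walks an install tree and flags executables a non-owner could modify (the file is group- or world-writable) or replace (the parent directory is group- or world-writable and not sticky). It checks POSIX mode bits; on Windows the same audit would read each object's ACL (for example with Get-Acl) for Write or Modify grants to non-administrators. The directory layout and file names are constructed for the demonstration.

```python
"""Added example: not Schneider Electric's code and not part of the advisory.

CWE-276 (incorrect default permissions) on a service's installation folder
lets a low-privileged local user replace an executable that later runs with
the service's privileges. This audit walks an install directory and reports
executables that a non-owner could modify (file is group- or world-writable)
or replace (parent directory is group- or world-writable and not sticky).
It checks POSIX mode bits; on Windows the same audit reads each ACL (for
example with Get-Acl) for Write/Modify grants to non-administrators.
The directory layout and file names are constructed for the demonstration.
"""
import os
import stat
import tempfile
from pathlib import Path

WRITE_BY_NON_OWNER = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC_BIT = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def is_executable(path: Path) -> bool:
    """Exec bit set, or a Windows-style binary extension (constructed heuristic)."""
    return bool(path.stat().st_mode & ANY_EXEC_BIT) or path.suffix.lower() in {".exe", ".dll"}


def audit_install_dir(root: str) -> list:
    """Findings for executables under root that a non-owner could modify or replace."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = os.stat(dirpath).st_mode
        # A sticky world-writable dir (like /tmp) blocks renaming over others' files.
        dir_writable = bool(dir_mode & WRITE_BY_NON_OWNER) and not (dir_mode & stat.S_ISVTX)
        for name in files:
            p = Path(dirpath) / name
            if not is_executable(p):
                continue
            file_writable = bool(p.stat().st_mode & WRITE_BY_NON_OWNER)
            if file_writable or dir_writable:
                findings.append({"path": str(p),
                                 "file_writable": file_writable,
                                 "dir_writable": dir_writable})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed install folder: a correctly locked-down binary, a world-writable
    binary, and a read-only script sitting in a world-writable directory."""
    root = tempfile.mkdtemp(prefix="svc-install-")
    bin_dir = Path(root) / "bin"
    bin_dir.mkdir()
    bin_dir.chmod(0o755)  # chmod is not subject to umask, unlike mkdir(mode=...)
    for name, mode in (("service.exe", 0o755), ("helper.exe", 0o777)):
        f = bin_dir / name
        f.write_bytes(b"MZ")
        f.chmod(mode)
    tools = Path(root) / "tools"
    tools.mkdir()
    tools.chmod(0o777)
    script = tools / "updater.sh"
    script.write_text("#!/bin/sh\n")
    script.chmod(0o755)
    return root


def permissions_demo() -> dict:
    """Map of flagged file name -> (file_writable, dir_writable) for the sample tree."""
    return {Path(f["path"]).name: (f["file_writable"], f["dir_writable"])
            for f in audit_install_dir(build_sample_tree())}


if __name__ == "__main__":
    for name, flags in permissions_demo().items():
        print(name, flags)
```

Note that the read-only script is flagged just as the world-writable binary is: a writable parent directory is enough to swap the file out, which is why the check looks at the directory mode as well as the file mode. In the real install tree the operator-side mitigation until the version 2025 update is applied is to restrict write access on the installation folder to administrators.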

AutomationDirect CLICK PLC (ICSA-26-022-02)

Multiple CVEs | CVSS 6.1 (Medium)

CVE | Vulnerability | Impact
CVE-2025-67652 | Weak password encoding | Credential exposure
CVE-2025-25051 | Plaintext password storage | Privilege escalation
  • Affected Products: CLICK PLC C0-0x, C0-1x, and C2-x series
  • Sectors: Critical Manufacturing (worldwide)
  • Remediation: Update to firmware version V3.90
  • Note: Not remotely exploitable; requires project file access

Rockwell Automation CompactLogix 5370 (ICSA-26-022-03)

CVE-2025-11743 | CVSS 6.5 (Medium)

  • Vulnerability: Improper Input Validation
  • Impact: Denial-of-service via malformed CIP forward open message, requiring manual restart
  • Affected Versions: ≤34.013, ≤35.012, and 36.011
  • Patched Versions: 37.011+, 34.016, 35.015, 36.012
  • Attack Vector: Adjacent network access required

Johnson Controls iSTAR Configuration Utility (ICSA-26-022-04)

CVE-2025-26386

  • Impact: Operating system failure on the machine hosting the ICU tool
  • Sectors: Commercial Facilities, Critical Manufacturing, Energy, Government Services, Transportation Systems
  • Deployment: Worldwide (company HQ: Ireland)
  • Mitigation: Use VPNs for remote access; implement defense-in-depth strategies

Weintek cMT X Series HMI EasyWeb Service (ICSA-26-022-05)

CVE-2025-14750, CVE-2025-14751

  • Vulnerability: External Control of Assumed-Immutable Web Parameter (CWE-472)
  • Impact: Low-privileged user can manipulate parameters to escalate privileges and gain full device control
  • Affected Products: cMT3072XH, cMT3072XH(T), cMT-SVRX-820, cMT-CTRL01
  • Sectors: Critical Manufacturing (worldwide; HQ: Taiwan)
  • Remediation: Apply vendor security notice TEC25003E

Delta Electronics DIAView (ICSA-26-022-07)

Critical Severity - Multiple Vulnerabilities

CVE | Vulnerability | CVSS | Impact
CVE-2026-0975 | Command Injection (CWE-77) | 7.8 | Arbitrary code execution
CVE-2025-62582 | Missing Authentication (CWE-306) | 9.8 | Unauthenticated remote access
  • Affected Versions: DIAView V4.2.0 and prior
  • Remediation: Update to DIAView v4.4 or later
  • Note: CVE-2025-62582 allows an unauthenticated remote attacker to fully compromise the system with no user interaction
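Two of this week's advisories are authentication weaknesses of a kind that is easy to recognise in a web handler: the Weintek EasyWeb bug is CWE-472 (a privilege-bearing parameter the server assumes the client cannot change) and DIAView's CVE-2025-62582 is CWE-306 (a sensitive function with no authentication at all). The code below is an added example, not Weintek's, Delta Electronics' or CISA's code, and it does not reproduce either product's interface. It models both weaknesses on a toy request handler with no web framework, beside hardened handlers that resolve the caller from a server-side session store and enforce a role check on every sensitive action. Endpoints, session tokens and the session records are all constructed for the demonstration.

```python
"""Added example: not Delta Electronics', Weintek's, or CISA's code.

Two authentication weakness classes from this week's advisories, shown on
a toy request handler with no web framework:
  - CWE-472 (Weintek): the handler trusts a client-supplied "role" parameter.
  - CWE-306 (DIAView): a sensitive endpoint has no authentication check.
The hardened versions resolve the caller from a server-side session store
and enforce a role check on every sensitive action. Endpoints, tokens and
session records are all constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side session store: opaque token -> user record.
SESSIONS = {
    "tok-operator": {"user": "operator", "role": "operator"},
    "tok-admin": {"user": "admin", "role": "admin"},
}


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)   # query/form fields, client-controlled
    cookies: dict = field(default_factory=dict)  # session cookie, client-sent but opaque


@dataclass
class Response:
    status: int
    body: str


# --- Vulnerable handlers ---------------------------------------------------

def vulnerable_set_config(req: Request) -> Response:
    """CWE-472: 'role' is treated as immutable but comes straight from the client."""
    if req.params.get("role", "guest") != "admin":
        return Response(403, "forbidden")
    return Response(200, "config updated")


def vulnerable_reboot(req: Request) -> Response:
    """CWE-306: a privileged action with no authentication at all."""
    return Response(200, "rebooting")


# --- Hardened handlers -----------------------------------------------------

def current_user(req: Request) -> Optional[dict]:
    """Identity comes only from the server-side session, never from parameters."""
    return SESSIONS.get(req.cookies.get("session"))


def require_role(req: Request, role: str) -> Optional[Response]:
    """Return an error response if the caller is anonymous or lacks the role."""
    user = current_user(req)
    if user is None:
        return Response(401, "authentication required")
    if user["role"] != role:
        return Response(403, "forbidden")
    return None


def hardened_set_config(req: Request) -> Response:
    denied = require_role(req, "admin")
    if denied:
        return denied
    # Whatever 'role' the client sent in params is simply ignored here.
    return Response(200, "config updated")


def hardened_reboot(req: Request) -> Response:
    denied = require_role(req, "admin")
    if denied:
        return denied
    return Response(200, "rebooting")


def auth_demo() -> dict:
    """Status each handler returns to (a) a logged-in low-privilege user who
    adds role=admin to the request and (b) a caller with no session at all."""
    tampered = Request("/config", params={"role": "admin"}, cookies={"session": "tok-operator"})
    anonymous = Request("/reboot")
    return {
        "vulnerable_set_config": vulnerable_set_config(tampered).status,  # 200: escalated
        "hardened_set_config": hardened_set_config(tampered).status,      # 403
        "vulnerable_reboot": vulnerable_reboot(anonymous).status,         # 200: no auth
        "hardened_reboot": hardened_reboot(anonymous).status,             # 401
    }


if __name__ == "__main__":
    for name, status in auth_demo().items():
        print(f"{name}: {status}")
```

The design point is that authorisation state lives only on the server: a client may send any parameter it likes, but the hardened handlers never read privilege from the request, and every sensitive route goes through the same `require_role` gate so a missing check is a visible omission rather than a silent default. For detection on a real device, a web access log showing privileged endpoints served with 200 to sessions that never authenticated, or with role-like parameters in the query string, is the corresponding signal.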

Additional January 22, 2026 Advisories

  • ICSA-26-022-06: Hubitat Elevation Hubs
  • ICSA-26-022-08: EVMAPA

Earlier Week Advisories (January 20, 2026)

  • ICSA-26-020-02: Schneider Electric devices using CODESYS Runtime
  • ICSA-26-020-03: Rockwell Automation Verve Asset Manager

Automotive CPS Security

Pwn2Own Automotive 2026 - Record-Breaking Results

Pwn2Own Automotive 2026 concluded January 23 in Tokyo with unprecedented findings:

Overall Results:

  • Total Prize Money: $1,047,000
  • Zero-Day Vulnerabilities: 76 unique vulnerabilities
  • Duration: January 21-23, 2026

Winning Teams:

Rank | Team | Prize Money
1st | Fuzzware.io | $215,000
2nd | Team DDOS | $100,750
3rd | Synacktiv | $85,000

Day 1 Highlights (January 21)

37 zero-days discovered, $516,500 awarded

Tesla Infotainment Hacked:

  • Synacktiv Team chained an information leak and out-of-bounds write vulnerability
  • Gained root permissions via USB-based attack
  • Prize: $35,000

EV Charger Exploits:

Team | Target | Vulnerability | Prize
Fuzzware.io | Alpitronic HYC50 | Out-of-bounds write | $60,000
Fuzzware.io | Autel MaxiCharger | Auth bypass + signal manipulation | $50,000
PetoWorks | Phoenix Contact CHARX SEC-3150 | 3-bug chain (DoS, race condition) | $50,000
Team DDOS | ChargePoint Home Flex | Command injection chain | $40,000
299 (SKShieldus) | Grizzl-E Smart 40A | Hardcoded credentials (CWE-798) | $40,000

In-Vehicle Infotainment (IVI):

  • Neodyme AG exploited Alpine iLX-F511 via stack buffer overflow ($20,000)
  • Synacktiv gained root on Sony XAV-9500ES ($20,000)

Day 2 Highlights (January 22)

29 additional zero-days, $439,250 awarded

Notable Exploits:

  • Rob Blakely (Technical Debt Collectors): Chained out-of-bounds read, memory exhaustion, and heap overflow against Automotive Grade Linux ($40,000)
  • Team MAMMOTH: Command injection against Alpine iLX-F511 ($10,000)
  • BoredPentester: Command injection against Kenwood DNR1007XR ($5,000)
  • Sina Kheirkhah (Summoning Team): Rooted Kenwood, ChargePoint, and Alpine systems ($40,000)

Day 3 Final (January 23)

Fuzzware.io secured victory with continued exploitation, including a bug collision on Alpine iLX-F511 ($2,500).

Key Vulnerability Categories Discovered:

  • Buffer overflows (stack and heap)
  • Command injection
  • Hardcoded credentials (CWE-798)
  • Authentication bypass (CWE-306)
  • Out-of-bounds read/write
  • Race conditions

Vendor Disclosure Timeline: 90 days for vendors to develop patches before public disclosure.


Connected Car Security Market

The connected car security market continues rapid growth:

  • 2025 Market Size: $3.37 billion
  • 2032 Projection: $6.99 billion (11% CAGR)
  • Drivers: Software-defined vehicles, OTA updates, V2X communication

Regulatory Context: UN R155 and ISO/SAE 21434 require automakers to demonstrate vehicles can resist modern cyberattacks through all production stages.


Medical Device CPS Security

Healthcare Ransomware Incidents

Covenant Health Breach (Qilin Ransomware)

  • Patients Affected: 478,188
  • Hospitals Impacted: St. Joseph Hospital (NH), St. Mary’s Health System (ME)
  • Impact: Increased wait times, paper-only lab orders, limited services
  • Threat Actor: Qilin ransomware gang (previously attacked UK hospitals)

AZ Monica Hospital (Belgium) - January 13, 2026

  • Attack detected at 6:32 AM
  • Systems compromised; details still emerging

HealthBridge Chiropractic (USA) - January 6, 2026

  • Qilin ransomware attack compromised systems and data

Manage My Health (New Zealand) - January 3, 2026

  • 400,000 medical documents of 120,000 patients compromised
  • Exposed: Hospital discharge summaries, specialist referrals, uploaded documents

Healthcare Cybersecurity Statistics

  • 93% of U.S. healthcare organizations experienced at least one cyberattack in the past year
  • 72% reported patient care disruption from incidents
  • 36% increase in healthcare ransomware attacks in 2025
  • 60% of health systems projected to experience disrupted care delivery due to ransomware by end of 2026

FDA Regulatory Update

FDA cybersecurity enforcement intensifying ahead of February 2, 2026 deadline:

  • Quality System Regulation (QMSR) takes effect
  • Shift from pre-market paperwork to auditing real-world security processes
  • Section 524B requirements: Security controls, vulnerability management, SBOM

HHS OCR January 2026 Newsletter: Emphasizes HIPAA Security Rule risk analysis requirements for ePHI, including risks from unpatched software.


Water & Wastewater Sector

Ongoing Hacktivist Threat

The December 2025 CISA advisory (AA25-343A) remains highly relevant:

Active Threat Groups:

  • Z-Pentest (most active ICS-targeting hacktivist group)
  • Dark Engine / Infrastructure Destruction Squad
  • Sector 16
  • TwoNet (Russian-aligned)
  • NoName057(16)

Attack Methods:

  • Internet-exposed HMI and SCADA interfaces
  • VNC takeovers
  • Default credentials on PLCs
  • Physical damage achieved (pipe bursts, tank overflows)

EPA Finding: Over 70% of water systems inspected since September 2023 violate basic cybersecurity requirements.


Energy & Power Grid

Poland Cyberattack Aftermath

Following the December 2025 attack revealed in Week 03:

  • Description: “Most powerful attack on the Polish power system in years”
  • Target: Communication between renewable energy installations and power distribution operators
  • Attribution: “Everything points to Russian sabotage” - Digital Affairs Minister
  • Outcome: Attack repelled; had it succeeded, nearly 500,000 people would have lost heat

Energy Sector Ransomware Statistics

Per Trustwave 2025 Report:

  • 80% year-over-year increase in ransomware attacks on energy/utilities
  • 84% of incidents started via phishing
  • 96% involved remote service exploitation

2026 Energy Sector Outlook

  • By 2026, more than 1/3 of global energy infrastructure will have experienced cyber pre-positioning activity
  • Grid-scale battery energy storage systems (BESS) face heightened attack risks
  • Dragos tracking approximately 18 groups known to threaten the electrical grid
  • NERC warning: Susceptible grid points grow by approximately 60 per day

Manufacturing & Industrial

Manufacturing Ransomware Statistics

GuidePoint Security GRIT Report:

  • 58% year-over-year increase in ransomware victims
  • 14% of all attacks targeted manufacturing (top sector)
  • 50% of ransomware attacks targeted critical infrastructure

Top Threat Groups Targeting Manufacturing:

Group | Known As | Activity Level
GOLD SAHARA | Akira | High
GOLD FEATHER | Qilin | High
GOLD ENCORE | PLAY | High

Manufacturing Vulnerability Statistics

Claroty Analysis:

  • 40% of organizations have devices with known, actively exploited vulnerabilities insecurely connected to the Internet
  • 7% of devices harbor vulnerabilities linked to ransomware campaigns
  • 31% of organizations have critically exposed assets online

Recovery Trends:

  • Encryption rates falling to 40% (lowest in 5 years, down from 74%)
  • Extortion-only attacks surged to 10% (from 3% in 2024)
  • Average recovery cost: $1.3 million (24% decline)
  • 58% fully recover within one week (up from 44%)

Notable Manufacturing Incident Update

Jaguar Land Rover: Full recovery achieved in January 2026 following August 2025 attack:

  • Total cost: £1.9 billion (most economically damaging UK cyber incident)
  • Production halted for five weeks
  • Over 5,000 businesses in supply chain affected

Threat Intelligence Highlights

APT Activity Targeting ICS/OT

UAT-8837 (China-Nexus APT)

Per Cisco Talos:

  • Actively targeting critical infrastructure in North America since 2025
  • Gains access via vulnerability exploitation or stolen credentials
  • Uses open-source tools for data theft
  • Creates multiple persistence mechanisms
  • Constantly adapts to evade detection

Hacktivist ICS Targeting Escalation

Cyble Annual Threat Landscape Report 2025 (published January 15, 2026):

  • 2,451 ICS vulnerability disclosures across 152 vendors in 2025 (nearly double 2024)
  • August 2025: 802 ICS vulnerabilities disclosed in single month (45.26% of yearly total)
  • Hacktivists increasingly targeting exposed HMI and SCADA systems

2026 Predictions

Critical Infrastructure Outlook:

  • More OT-focused malware linked to geopolitical conflict
  • AI-enhanced attack capabilities accelerating reconnaissance
  • Ransomware-as-a-Service (RaaS) expanding into OT environments
  • Only 14% of organizations feel fully prepared for OT threats
  • Remote access accounts for 50% of incidents, but only 13% deploy advanced controls

Defensive Recommendations

Immediate Actions

For ICS/OT Operators:

  1. Apply January 22 CISA advisories: Prioritize Delta Electronics DIAView (CVSS 9.8), Schneider Electric EcoStruxure, Rockwell CompactLogix
  2. Patch AutomationDirect CLICK PLCs to firmware V3.90
  3. Update Weintek HMI devices per vendor security notice TEC25003E
  4. Audit internet-exposed HMI and SCADA interfaces
  5. Review VNC connections - disable or secure all internet-facing access

For Automotive Sector:

  1. Monitor Pwn2Own vendor patches (90-day disclosure window)
  2. Review EV charger security - ChargePoint, Autel, Phoenix Contact, Grizzl-E, Alpitronic devices demonstrated vulnerable
  3. Assess Tesla infotainment USB attack surface
  4. Review hardcoded credential usage in charging infrastructure

For Healthcare Organizations:

  1. Prepare for FDA QMSR enforcement (February 2, 2026)
  2. Review Qilin ransomware indicators - active against healthcare
  3. Implement network segmentation for medical devices
  4. Validate SBOM documentation for connected devices

Medium-Term Actions

  1. Implement comprehensive asset discovery using automated, non-invasive tools
  2. Deploy network segmentation with defense-in-depth strategies
  3. Establish continuous monitoring for OT environments
  4. Conduct vendor security assessments with focus on authentication controls
  5. Review remote access controls (accounts for 50% of incidents)

Strategic Priorities

  1. Reduce Internet Exposure: Single most important action per CISA
  2. Address Authentication Weaknesses: Multiple advisories this week involve missing/weak authentication
  3. Monitor Pwn2Own Disclosures: 76 zero-days will generate patches over coming months
  4. Prepare for AI-Enhanced Threats: Adversaries using AI for faster reconnaissance


Note: Week 04 was dominated by Pwn2Own Automotive 2026, which revealed the most zero-day vulnerabilities ever discovered at an automotive security competition. The 76 vulnerabilities across Tesla, major EV chargers, and IVI systems highlight significant security gaps in connected vehicle ecosystems. Combined with 8 new CISA ICS advisories (including a CVSS 9.8 Delta Electronics DIAView vulnerability), continued Qilin ransomware activity against healthcare, and escalating hacktivist threats to critical infrastructure, organizations must prioritize patching, network segmentation, and authentication controls. The 90-day disclosure window for Pwn2Own findings means automotive vendors will be releasing critical patches through April 2026.