Executive Summary
Week 06 of 2026 saw Romania’s national oil pipeline operator Conpet fall victim to Qilin ransomware with nearly 1 TB of data exfiltrated, following an infostealer-enabled credential theft. CISA released 13 ICS advisories between January 29 and February 5, including a maximum CVSS 10.0 for the Synectix LAN 232 TRIO (a product from a defunct vendor with no fix possible) and critical flaws in Mitsubishi Electric MELSEC iQ-R PLCs. The FDA published updated cybersecurity guidance aligned with the new Quality Management System Regulation (QMSR) that took effect February 2, marking a shift from pre-market paperwork to post-market enforcement. Palo Alto Unit 42 disclosed TGR-STA-1030, a China-linked espionage group that compromised 70 government and critical infrastructure organizations across 37 countries using a novel eBPF kernel rootkit.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of January 30 - February 6, 2026
Critical Alerts & Advisories
CISA ICS Advisories – 13 New Advisories
CISA released 13 ICS advisories across three batches this week, 8 of them rated CRITICAL; the highest reached the maximum CVSS score of 10.0.
February 5, 2026 (6 advisories)
Hitachi Energy FOX61x and XMC20 – RADIUS Protocol Forgery (ICSA-26-036-05, ICSA-26-036-06)
| Field | Details |
|---|---|
| CVE | CVE-2024-3596 |
| CVSS | 9.0 CRITICAL |
| Vulnerability | Improper Enforcement of Message Integrity (CWE-924) – RADIUS protocol forgery via MD5 collision |
| Affected | FOX61x R18 and earlier; XMC20 R17A and earlier plus R18 |
| Fix | Update to R18 and enable RADIUS Message-Authenticator |
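The Hitachi Energy fix relies on the RADIUS Message-Authenticator attribute (RFC 2869): an HMAC-MD5 keyed with the shared secret over the whole packet, which a collision-forged Response Authenticator cannot reproduce. As an added example (not vendor or CISA code), this Python builds an Access-Accept carrying the attribute and shows a verifier that accepts the genuine reply but rejects a tampered copy and a reply with the attribute removed; the secret, Request Authenticator and attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8        # RFC 2865 attribute types
REPLY_MESSAGE = 18
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type

def encode_attrs(attrs):
    # RADIUS TLV: 1-byte type, 1-byte total length, value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, identifier, request_auth, attrs, secret):
    """Build a packet with a correct Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over
    Code, Identifier, Length, Request Authenticator and attributes, with the MAC zeroed."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, mac)])
    if code != ACCESS_REQUEST:
        # Replies then get the RFC 2865 Response Authenticator (plain MD5 with the secret
        # appended), the field that collision forgery targets; the verifier ignores it.
        header = header[:4] + hashlib.md5(header + body + secret).digest()
    return header + body

def verify_message_authenticator(packet, request_auth, secret):
    """True only if exactly one 16-byte Message-Authenticator is present and matches the
    HMAC recomputed with the shared secret; a reply without it is rejected outright."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    header = struct.pack("!BBH", code, identifier, length) + request_auth
    expected = hmac.new(secret, header + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])

def demo():
    # Constructed sample values, not from any real deployment.
    secret = b"constructed-shared-secret"
    request_auth = bytes.fromhex("00112233445566778899aabbccddeeff")
    attrs = [(REPLY_MESSAGE, b"Welcome"), (FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5]))]
    accept = build_packet(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    genuine = verify_message_authenticator(accept, request_auth, secret)
    tampered = bytearray(accept)
    tampered[22] ^= 0x01  # flip one byte inside the Reply-Message value
    altered = verify_message_authenticator(bytes(tampered), request_auth, secret)
    stripped = accept[:-18]  # remove the trailing 18-byte Message-Authenticator TLV
    stripped = struct.pack("!BBH", ACCESS_ACCEPT, 7, len(stripped)) + stripped[4:]
    missing = verify_message_authenticator(stripped, request_auth, secret)
    return genuine, altered, missing
```

On a RADIUS server the equivalent switch is the one the advisory asks for: require Message-Authenticator on every Access-Request and reply rather than merely accepting it when present.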
Mitsubishi Electric MELSEC iQ-R Series (ICSA-26-036-02)
| Field | Details |
|---|---|
| CVE | CVE-2025-15080 |
| CVSS | 9.4 CRITICAL |
| Vulnerability | Improper Validation of Specified Quantity in Input (CWE-1284) |
| Impact | Information disclosure, data tampering, and denial-of-service via proprietary protocol and SLMP communication |
| Affected | R08/16/32/120PCPU firmware version 48 and earlier |
| Fix | Update to firmware version 49 or later |
Ilevia EVE X1 Server – Building Automation Platform (ICSA-26-036-04)
| Field | Details |
|---|---|
| CVEs | 9 CVEs: CVE-2025-34184, CVE-2025-34183, CVE-2025-34186, CVE-2025-34187, CVE-2025-34513 (all 9.8 CRITICAL); CVE-2025-34185, CVE-2025-34517, CVE-2025-34518 (7.5 HIGH); CVE-2025-34512 (5.4 MEDIUM) |
| Vulnerabilities | OS command injection, plaintext credentials in logs, path traversal, XSS |
| Affected | EVE X1 Server firmware ≤4.7.18.0 |
| Fix | Update via Ilevia Manager; close port 8080; change all default passwords |
TP-Link VIGI Series IP Camera (ICSA-26-036-01)
| Field | Details |
|---|---|
| CVE | CVE-2026-0629 |
| CVSS | 8.8 HIGH |
| Vulnerability | Improper Authentication (CWE-287) – LAN attacker can reset admin password |
| Affected | 30+ VIGI camera models |
| Fix | Firmware updates available |
o6 Automation GmbH Open62541 OPC UA Stack (ICSA-26-036-03)
| Field | Details |
|---|---|
| CVE | CVE-2026-1301 |
| CVSS | 5.7 MEDIUM |
| Vulnerability | Out-of-bounds Write (CWE-787) in PubSub+JSON configurations |
| Fix | Upgrade to stable release v1.5.0 |
February 3, 2026 (4 advisories)
Synectix LAN 232 TRIO – MAXIMUM SEVERITY (ICSA-26-034-04)
| Field | Details |
|---|---|
| CVE | CVE-2026-1633 |
| CVSS | 10.0 CRITICAL (maximum) |
| Vulnerability | Missing Authentication for Critical Function (CWE-306) |
| Impact | Web management interface has no authentication – allows modification of critical settings or factory reset |
| Affected | All versions of this serial-to-Ethernet adapter |
| Status | No fix will ever be available – Synectix is no longer in business; product is end-of-life |
| Sectors | Critical Manufacturing, Emergency Services, Energy, IT, Transportation, Water/Wastewater |
Avation Light Engine Pro (ICSA-26-034-02)
| Field | Details |
|---|---|
| CVE | CVE-2026-1341 |
| CVSS | 9.8 CRITICAL |
| Vulnerability | Missing Authentication for Critical Function (CWE-306) – complete device takeover |
| Status | Vendor has not responded to CISA coordination; no patch available |
RISS SRL MOMA Seismic Station (ICSA-26-034-03)
| Field | Details |
|---|---|
| CVE | CVE-2026-1632 |
| CVSS | 9.1 CRITICAL |
| Vulnerability | Missing Authentication (CWE-306) – unauthenticated config modification or device reset |
| Sectors | Critical Manufacturing, Dams, Energy, Water/Wastewater, Transportation |
| Status | Vendor did not respond to CISA coordination |
Mitsubishi Electric FREQSHIP-mini for Windows (ICSA-26-034-01)
| Field | Details |
|---|---|
| CVE | CVE-2025-10314 |
| CVSS | 8.8 HIGH |
| Vulnerability | Incorrect Default Permissions (CWE-276) – local privilege escalation via DLL replacement |
| Fix | Update to version 8.1.0 or later |
January 29, 2026 (3 advisories – updated from prior week)
KiloView Encoder Series (ICSA-26-029-01, Updated February 5)
| Field | Details |
|---|---|
| CVE | CVE-2026-1453 |
| CVSS | 9.8 CRITICAL |
| Vulnerability | Missing Authentication – unauthenticated admin account creation/deletion |
| Affected | Multiple encoder models (E1, E2, G1, P1, P2, RE1 series) |
| Status | End-of-life hardware; no patch available. Upgrade to newer hardware. |
Rockwell Automation ArmorStart LT (ICSA-26-029-02)
| Field | Details |
|---|---|
| CVEs | 9 CVEs (CVE-2025-9464 through CVE-2025-9283) |
| CVSS | 7.5 HIGH (all nine) |
| Vulnerability | Uncontrolled Resource Consumption (CWE-400) – DoS via network fuzzing |
| Status | No patches currently available |
Rockwell Automation ControlLogix (ICSA-26-029-03)
| Field | Details |
|---|---|
| CVE | CVE-2025-14027 |
| CVSS | 7.5 HIGH |
| Vulnerability | Memory leak (CWE-401) – DoS via crafted Class 3 messages |
| Mitigation | Upgrade from 1756-RM2 to 1756-RM3 |
CISA Known Exploited Vulnerabilities (KEV) Additions
| Date | CVE | Product | Type |
|---|---|---|---|
| Jan 29 | CVE-2026-1281 | Ivanti EPMM | Code injection |
| Feb 3 | CVE-2019-19006 | Sangoma FreePBX | Improper authentication |
| Feb 3 | CVE-2021-39935 | GitLab CE/EE | SSRF |
| Feb 3 | CVE-2025-40551 | SolarWinds Web Help Desk | Deserialization |
| Feb 3 | CVE-2025-64328 | Sangoma FreePBX | OS command injection |
| Feb 5 | CVE-2025-11953 | React Native Community CLI | OS command injection |
| Feb 5 | CVE-2026-24423 | SmarterTools SmarterMail | Missing authentication |
Critical Telnet Vulnerability Affecting ICS Environments
CVE-2026-24061 – GNU InetUtils telnetd Authentication Bypass
- CVSS: 9.8 CRITICAL
- Impact: Unauthenticated remote attacker can bypass login and obtain root shell
- Scope: Approximately 800,000 devices globally exposed; Telnet remains prevalent in ICS/OT environments
- Exploitation: Active since January 22, 2026; added to CISA KEV
- Mitigation: Patch immediately or restrict Telnet port access; best practice is to disable telnetd entirely
Automotive CPS Security
PerfektBlue Bluetooth RCE – Unpatched in Many Vehicles
While originally disclosed in mid-2025, the PerfektBlue Bluetooth vulnerability chain remains critically relevant as several automakers had still not deployed firmware patches as of early February 2026.
Vulnerability Details (OpenSynergy BlueSDK):
| CVE | Severity | Description |
|---|---|---|
| CVE-2024-45434 | High | Use-after-free in AVRCP service |
| CVE-2024-45431 | Low | Improper validation of L2CAP channel |
| CVE-2024-45433 | Medium | Incorrect function termination in RFCOMM |
| CVE-2024-45432 | Medium | Incorrect parameter in RFCOMM |
- Scale: 350 million cars and 1 billion devices affected
- Attack: Chainable into a 1-click over-the-air RCE (within roughly 5–7 m Bluetooth range)
- Demonstrated on: Volkswagen ID.4, Mercedes-Benz (NTG6), Skoda Superb (MIB3), plus a fourth unnamed OEM
- Risk: From compromised infotainment, attacker can track vehicle location, record in-cabin audio, access phonebook, and potentially control steering, horn, and wipers
- Status: OpenSynergy released patches September 2024, but some manufacturers delayed corrective firmware until June 2026
Regulatory: US Connected Vehicle Ban Takes Effect
The US Department of Commerce’s finalized rule banning connected vehicle software and hardware from China and Russia continues to shape the industry:
- Software restrictions: Take effect for model year 2027
- Hardware restrictions: Take effect for model year 2030
- Scope: Covers VCS (Bluetooth, cellular, satellite, Wi-Fi) and Automated Driving Systems
- Note: Currently applies to passenger vehicles only; commercial vehicle rule forthcoming
AUTOCRYPT Automotive-CIS Standard
Announced at CES 2026, the new Automotive Cybersecurity Infrastructure Standard (Automotive-CIS) establishes an integrated security architecture spanning the entire vehicle software lifecycle from development through maintenance.
Medical Device CPS Security
FDA Reissues Cybersecurity Guidance Aligned with QMSR (February 3, 2026)
The FDA published updated final guidance titled “Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions”, replacing the June 2025 edition. This aligns with the Quality Management System Regulation (QMSR) that took effect February 2, 2026.
Key requirements:
- SBOM mandate: Machine-readable format (SPDX or CycloneDX preferred) listing all commercial, open-source, and off-the-shelf components
- Secure Product Development Framework (SPDF): Recommended for systematic cybersecurity risk management throughout the product lifecycle
- Section 524B compliance: Security controls, vulnerability management, and SBOM maintenance required
- Enforcement shift: Moving from pre-market paperwork review to auditing real-world post-market security processes
HHS OIG Audit: Hospital Web Application Vulnerabilities (February 5, 2026)
The HHS Office of Inspector General released an audit of a large southeastern US hospital (300+ beds) finding:
- No MFA on an account management web application – OIG used phishing-captured credentials to gain access
- No WAF or input validation on internet-facing web applications
- Hospital concurred with all four recommendations and deployed WAFs and defense-in-depth measures
WHILL Wheelchair Bluetooth Takeover (ICSMA-25-364-01)
- CVE: CVE-2025-14346
- CVSS: 9.8 CRITICAL
- Affected: WHILL Model C2 Electric Wheelchairs and Model F Power Chairs
- Vulnerability: No authentication enforcement for Bluetooth connections – attacker within range can issue movement commands, override speed restrictions, and manipulate configuration
- Fix: WHILL released firmware updates
Healthcare Ransomware Activity
AZ Monica Hospital, Belgium (January 13, still recovering through February):
- 70+ surgeries canceled, 7 critical care patients transferred
- Emergency services shut down across two campuses
- Staff unable to access digital medical records
Epworth HealthCare, Australia – Fake ransomware extortion:
- 0APT group (emerged January 28, 2026) claimed 920 GB exfiltrated
- Investigation found no verified evidence of system or data impact
- 0APT assessed as a fake ransomware group using empty shell files for extortion
Health-ISAC 2026 Threat Landscape Report
- 455 ransomware incidents targeting health organizations globally in 2025 (55% surge)
- Most active groups against healthcare: Qilin, INC Ransom, SAFEPAY
- New social engineering techniques: QR code phishing (“quishing”), ClickFix, FileFix
Water & Wastewater Sector
US Senate Hearing on Water System Cyber Threats (February 4, 2026)
The Senate Environment and Public Works Committee held a hearing examining cybersecurity threats to US water systems:
- Since 2023, Russian, Iranian, and Chinese hackers have attacked municipal water systems in Texas, Pennsylvania, and Massachusetts
- Nearly 170,000 water systems nationwide, most increasingly vulnerable as they modernize
- Fewer than 25% of utilities conduct annual cyber risk assessments
- Small and rural water systems acutely vulnerable, lacking basic digital defenses
- Attackers can manipulate OT to alter chemical treatment levels
Romania National Water Agency (Ongoing Remediation)
Still being remediated from the December 20, 2025 attack:
- ~1,000 systems compromised across 10 of 11 regional organizations
- Attackers used Windows BitLocker as the encryption mechanism
- OT (dams, flood defenses) was unaffected – IT systems bore the brunt
- Staff communicating via telephone and radio
Energy & Power Grid
Conpet Oil Pipeline Operator – Qilin Ransomware (February 3-5, 2026)
The most significant new energy sector incident this week:
- Victim: Conpet S.A., Romania’s national oil pipeline operator (~4,000 km of pipeline)
- Disclosed: February 3, 2026
- Attacker: Qilin ransomware group claimed nearly 1 TB of data including financial records and passport scans
- Initial access: An infostealer infection on a Conpet IT employee’s computer (January 11, 2026) leaked VPN, Cacti monitoring, and WSUS credentials
- OT impact: SCADA and telecommunications systems were not affected – oil transport continued normally
- Response: Investigation with national cybersecurity authorities; criminal complaint filed with DIICOT
Poland Power Grid Attack – Continued Analysis
CERT Polska’s detailed report (January 30) and ESET’s attribution analysis continued generating coverage this week. Key updates:
- ESET attributed the December 29, 2025 attack with medium confidence to Sandworm (APT44)
- Help Net Security published a deep dive (February 6) on how internet-exposed FortiGate VPNs with default credentials and no MFA enabled the attack
- Amazon Threat Intelligence documented Sandworm’s pivot toward misconfigured edge devices as primary initial access vectors
Cyfirma Q1 2026 Energy & Utilities Threat Report
- 72 verified ransomware victims in energy/utilities over 90 days (63.6% increase)
- Energy organizations featured in 6 of 14 APT campaigns (43%), up from 2 of 15
- Obscura and Direwolf ransomware groups showed particular focus on energy sector
- Oil, gas, and fuels were the most frequent ransomware targets
Direwolf Ransomware – Energy Sector Targeting (January 2026)
- Perdana Petroleum Berhad (Malaysia): ~150 GB of financial/supplier data stolen
- TEPCO Group (Japan): 300 GB allegedly exfiltrated including design drawings and audit documents
Manufacturing & Industrial
Fortinet 2025 State of OT and Cybersecurity Report (February 4, 2026)
- Manufacturing remains the most targeted sector – approximately a quarter of all global incidents
- 52% of organizations now have CISOs/CSOs directly responsible for OT security (up from 16% in 2022)
- Ransomware-as-a-Service (RaaS) model expanding into OT environments
- Threat actors increasingly deploying wiper malware (Ekans, Industroyer2) alongside ransomware
Rockwell Automation State of Smart Manufacturing (February 3, 2026)
- 96% of manufacturers have already or plan to invest in cybersecurity platforms
- 25% cite limited cybersecurity awareness among senior decision-makers as a leadership obstacle
- Six forces pushing OT cybersecurity to the core, including universal platform adoption, board-level risk scrutiny, secure-by-design hardware, and a cyber-literate workforce
Forescout 2025 Threat Roundup (January 29, 2026)
- 84% increase in attacks using OT protocols year-over-year
- Top targeted protocols: Modbus (57%), Ethernet/IP (22%), BACnet (8%)
- Discovery activity now accounts for 91% of post-exploitation actions (up from 25% in 2023)
Iconics Suite / Mitsubishi Electric GENESIS64 SCADA Vulnerability
- CVE: CVE-2025-0921 (CVSS 6.5)
- Vulnerability: Execution with unnecessary privileges in AlarmWorX64 MMX Pager Agent
- Impact: Privilege escalation, corruption of critical system binaries, DoS
- Sectors affected: Automotive, energy, manufacturing
- Note: MC Works64 fix NOT planned – mitigations only
Siemens ICS Patch Tuesday (February 2026)
- Critical: Authorization bypass in Industrial Edge Devices – unauthenticated remote user can impersonate any user
- High-severity: Ruggedcom ROX products (arbitrary code execution, DoS, MitM), ET 200SP, TeleControl Server Basic
- Siemens issued a security bulletin urging ICS customers to take protective steps amid geopolitical threats
Threat Intelligence Highlights
TGR-STA-1030 – Major Chinese Espionage Campaign (Disclosed February 5, 2026)
Palo Alto Networks Unit 42 disclosed a state-aligned espionage group that compromised 70 government and critical infrastructure organizations across 37 countries:
- Attribution: High confidence – China-linked, based on GMT+8 operational hours and regional tooling
- Targets: National law enforcement, finance ministries, economic/trade/natural resources departments
- Reconnaissance: Active scanning of government infrastructure in 155 countries (Nov-Dec 2025)
- Novel malware: ShadowGuard – a previously undocumented Linux kernel rootkit using Extended Berkeley Packet Filter (eBPF) that operates entirely within kernel space
- C2 framework: Transitioned from Cobalt Strike to VShell (Go-based)
- Status: Remains active
Dragos OT Threat Groups – Two New Additions
Dragos’s 8th Annual OT Cybersecurity Year in Review now tracks 23 ICS/OT threat groups (up from 20):
BAUXITE (overlaps with CyberAv3ngers, pro-Iranian):
- Targets: Oil & gas, chemical sectors (US, Europe, Middle East)
- Capabilities: Stage 2 ICS Cyber Kill Chain – can compromise PLCs, deploy custom OT backdoors
GRAPHITE (overlaps with APT28/Russia):
- Targets: Hydroelectric generation and natural gas pipeline operators in Eastern Europe
- TTPs: Spear-phishing aligned with state-backed geopolitical objectives
Qilin Ransomware Surge
Qilin has become the most prolific ransomware gang, targeting 1,000+ organizations in 2025 and 48+ in January 2026 alone. Notable CPS-relevant victims this week/month:
- Conpet S.A. (Romania oil pipeline operator) – ~1 TB claimed
- Tulsa International Airport – executive emails, employee IDs, financial records posted
- Moen (US plumbing manufacturer, ~$1B revenue) – data exfiltration claimed
- Muscatine Power and Water (Iowa) – 36,955 people affected (OT systems unaffected)
Google Cybersecurity Forecast 2026 – ICS/OT Outlook
- Ransomware operations will be specifically designed to impact ERP systems, disrupting the data supply chain essential for OT operations
- Russia expected to shift from tactical Ukraine-focused operations to long-term global strategic goals
- China cyber volume to continue surpassing all other nations
- More than one-third of global energy and utilities infrastructure will have experienced cyber pre-positioning by 2026
Defensive Recommendations
Immediate Actions
For ICS/OT Operators:
- Inventory and remove Synectix LAN 232 TRIO devices – CVSS 10.0, no fix ever possible (vendor defunct)
- Patch Mitsubishi MELSEC iQ-R controllers to firmware v49+ (CVSS 9.4)
- Update Ilevia EVE X1 building automation servers – 5 critical RCE vulnerabilities
- Disable GNU InetUtils telnetd or restrict port access – active exploitation ongoing (CVE-2026-24061)
- Audit Modbus, Ethernet/IP, and BACnet exposure – 84% increase in OT protocol attacks
For Energy Sector:
- Review FortiGate VPN configurations – Poland attack exploited default credentials with no MFA
- Audit all internet-exposed edge devices – Sandworm pivoting to misconfigured network equipment
- Check for infostealer-compromised credentials – Conpet breach began with credential theft
- Apply Hitachi Energy FOX61x/XMC20 RADIUS patches and enable Message-Authenticator
For Healthcare Organizations:
- Comply with FDA QMSR requirements (effective February 2, 2026) – maintain SBOMs, implement SPDF
- Deploy MFA on all web-accessible applications – HHS OIG audit found phishing access without MFA
- Update WHILL wheelchair firmware – CVE-2025-14346 allows Bluetooth takeover (CVSS 9.8)
- Review Qilin ransomware IOCs – most active group targeting healthcare
For Automotive Sector:
- Track PerfektBlue Bluetooth patches from vehicle OEMs – 350M cars affected, some still unpatched
- Prepare for US connected vehicle ban compliance – software restrictions effective model year 2027
- Monitor Pwn2Own Automotive 2026 vendor patches – 76 zero-days in 90-day disclosure window
Strategic Priorities
- Eliminate default credentials – root cause of both the Poland energy attack and multiple CISA advisories
- Enforce MFA on all remote access – the single highest-impact defensive measure
- Address end-of-life products – 4 of 13 advisories this week had no vendor patches available
- Monitor infostealer exposure – the Conpet attack demonstrates how credential theft enables ransomware
- Implement OT network segmentation – 84% increase in OT protocol targeting demands isolation
Sources Referenced
CISA ICS Advisories:
- CISA ICS Advisories Index
- ICSA-26-036-02 – Mitsubishi Electric MELSEC iQ-R
- ICSA-26-036-04 – Ilevia EVE X1 Server
- ICSA-26-034-04 – Synectix LAN 232 TRIO
- ICSA-26-029-01 – KiloView Encoder Series
- ICSA-26-029-02 – Rockwell Automation ArmorStart LT
- ICSA-26-029-03 – Rockwell Automation ControlLogix
- ICSMA-25-364-01 – WHILL Wheelchair Bluetooth
Vendor & Industry Reports:
- Forescout 2025 Threat Roundup
- Dragos 8th Annual OT Cybersecurity Year in Review
- Fortinet 2025 State of OT and Cybersecurity
- Rockwell Automation State of Smart Manufacturing
- Cyfirma Energy & Utilities Q1 2026 Report
- Health-ISAC 2026 Threat Landscape
- Google Cybersecurity Forecast 2026
Incident Reporting:
- The Record – Romania Conpet oil pipeline ransomware
- BleepingComputer – Conpet Qilin ransomware
- InfoStealers – How infostealer enabled Conpet attack
- The Record – Belgium AZ Monica hospital ransomware
- ESET Research – Sandworm Poland power grid
- Help Net Security – Poland energy breach analysis (Feb 6)
- Cybernews – Tulsa Airport Qilin ransomware
Threat Intelligence:
- Unit 42 – Shadow Campaigns: TGR-STA-1030
- SecurityWeek – TGR-STA-1030 hacked 37 countries
- Cisco Talos – UAT-8837 targets critical infrastructure
- Dark Reading – PerfektBlue Bluetooth RCE
- BleepingComputer – GNU telnetd auth bypass exploitation
Regulatory & Government:
- FDA Cybersecurity Guidance (RAPS)
- HHS OIG Hospital Audit Report
- US Senate EPW – Water system cyber threats hearing (Feb 4)
- SecurityWeek – ICS Patch Tuesday
Note: Week 06 saw a concerning trend of ICS products with no available fix – 4 of 13 CISA advisories involved products that are end-of-life, from defunct vendors, or have unresponsive manufacturers. The Conpet pipeline attack demonstrated the growing infostealer-to-ransomware pipeline, where initial credential theft via commodity malware enables targeted ransomware operations weeks later. Organizations should actively monitor for credential exposure through infostealer logs and immediately rotate compromised credentials.