Executive Summary
This week was defined by CISA Emergency Directive 26-03, issued February 25 in response to a Cisco SD-WAN zero-day (CVE-2026-20127, CVSS 10.0) that has been actively exploited since 2023 to compromise critical infrastructure networks. CISA also published 13 ICS advisories across two batches, headlined by a coordinated disclosure of critical authentication bypass vulnerabilities in the OCPP WebSocket implementations of six EV charging platform vendors and a 23-vulnerability advisory for Copeland XWEB refrigeration controllers that includes a CVSS 10.0 pre-authentication code execution flaw. The S4x26 conference in Miami introduced the OTI Impact Score, a “Richter Scale” for rating OT cyber incidents, and saw NVIDIA announce partnerships with Forescout, Palo Alto Networks, Siemens and others to bring AI-driven threat detection to industrial environments, while Palo Alto Networks, Siemens and Idaho National Laboratory published research showing a 138% increase in observations of internet-exposed OT devices.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of February 20 - February 27, 2026
Critical Alerts & Advisories
Emergency Directive 26-03: Cisco SD-WAN Zero-Day
The most urgent development this week was CISA’s Emergency Directive 26-03, issued February 25, addressing two Cisco SD-WAN vulnerabilities being actively exploited in the wild. The primary flaw, CVE-2026-20127, is an authentication bypass in Cisco Catalyst SD-WAN Controller and Manager that carries the maximum CVSS score of 10.0. The attackers, tracked as UAT-8616 by Cisco Talos, have been exploiting it since at least 2023 to gain unauthenticated remote access with administrative privileges, then chaining it with CVE-2022-20775, a path traversal issue, to escalate to root and establish persistent footholds. CISA described the situation as posing an “imminent threat to federal networks” and ordered all federal agencies to inventory their SD-WAN systems by February 26 and apply patches by 5:00 PM ET on February 27. A joint hunt and hardening guide was released by CISA, the NSA, the UK NCSC, Australia’s ACSC, and other Five Eyes partners. Although SD-WAN is primarily an IT networking technology, its deployment across critical infrastructure sectors, including telecommunications, energy, water, and transportation, means this vulnerability directly affects the network fabric that carries SCADA telemetry and industrial control traffic.
CISA ICS Advisories: February 24 Batch
CISA published three ICS advisories on February 24. The InSAT MasterSCADA BUK-TS advisory (ICSA-26-055-01) disclosed two critical-severity vulnerabilities—CVE-2026-21410 (SQL injection, CVSS 9.8) and CVE-2026-22553 (OS command injection, CVSS 9.8)—in a SCADA platform deployed across critical manufacturing, energy, and water/wastewater sectors worldwide. Both vulnerabilities allow remote code execution through the system’s web interface, and InSAT has not responded to CISA’s coordination requests, leaving operators without vendor guidance or patches.
Schneider Electric’s EcoStruxure Building Operation received an advisory (ICSA-26-055-02) covering two high-severity vulnerabilities in the Workstation and WebStation products. CVE-2026-1227 (CVSS 7.3) is an XML External Entity injection that enables unauthorized file disclosure and denial-of-service, while CVE-2026-1226 (CVSS 7.3) permits code injection through malicious TGML graphics files. EcoStruxure Building Operation is deployed across commercial facilities, energy, healthcare, transportation, government, and defense sectors, and Schneider Electric has released patches through its MySchneider portal for versions 7.0.x and 6.x.
The Gardyn Home Kit advisory (ICSA-26-055-03) disclosed four vulnerabilities in a consumer IoT indoor gardening system, including CVE-2025-29631 (OS command injection, CVSS 9.1) and CVE-2025-1242 (hardcoded credentials, CVSS 9.1). While a consumer product in the food and agriculture sector, the advisory illustrates how IoT devices with critical authentication failures continue to reach market. The vendor has released patches for firmware, mobile app, and cloud API components.
CISA ICS Advisories: February 26 Batch
CISA issued ten ICS advisories on February 26, its largest single-day release in recent weeks, despite the ongoing DHS shutdown. The most severe was the Copeland XWEB advisory (ICSA-26-057-10), which disclosed 23 vulnerabilities in the XWEB 300D PRO, 500D PRO, and 500B PRO refrigeration monitoring and control systems, discovered by Claroty Team82. The headline vulnerability, CVE-2026-21718, carries the maximum CVSS score of 10.0 and allows pre-authentication remote code execution through an authentication bypass. CVE-2026-24663 (CVSS 9.0) adds unauthenticated OS command injection, and the remaining 21 vulnerabilities span stack-based buffer overflows, additional command injection variants, path traversal for arbitrary file reads, and authentication bypass via unexpected return values. Copeland XWEB controllers manage commercial refrigeration systems in supermarkets, cold storage facilities, pharmaceutical cold chains, and food processing plants, environments where compromise could disrupt temperature-critical processes with food safety and public health implications.
Johnson Controls Frick Controls Quantum HD (ICSA-26-057-01) received an advisory disclosing six vulnerabilities in industrial refrigeration compressor controllers, including four critical-severity issues: CVE-2026-21654 (OS command injection, CVSS 9.1) and three code injection flaws (CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, all CVSS 9.1) that enable pre-authentication remote code execution. The Quantum HD controllers manage industrial refrigeration compressors in food and agriculture environments, and versions 10.22 through 11 are legacy end-of-support products. Johnson Controls recommends upgrading to Quantum HD Unity version 12 or higher.
Pelco’s Sarix Pro 3 Series IP cameras (ICSA-26-057-02) received an advisory for CVE-2026-1241 (CVSS 7.5), an authentication bypass that allows unauthorized access to live video feeds without proper credentials. These cameras are deployed across commercial facilities, defense, energy, government, healthcare, and transportation—sectors where unauthorized surveillance access carries both security and privacy implications.
The Yokogawa CENTUM VP advisory (ICSA-26-057-09) disclosed six vulnerabilities in the Vnet/IP Interface Package for CENTUM VP R6 and R7 distributed control systems. CVE-2025-1924 (out-of-bounds write, CVSS 6.9) could enable arbitrary code execution, while the remaining five medium-severity flaws (reachable assertions, integer underflow, and improper length handling) could terminate software stack processes and cause denial-of-service. Yokogawa CENTUM VP is one of the world’s most widely deployed DCS platforms in manufacturing, energy, and food/agriculture, and the vendor has released patch version R1.08.00.
EV Charging Infrastructure: Coordinated Disclosure Across Six Vendors
The most thematically significant disclosure of the week was CISA’s coordinated release of six ICS advisories (ICSA-26-057-03 through ICSA-26-057-08), one per vendor, covering six EV charging platforms: CloudCharge (Sweden), EV2GO (UK), Chargemap (France), SWITCH EV, EV Energy (UK), and Mobility46 (Sweden). All six share the same vulnerability pattern in their OCPP (Open Charge Point Protocol) WebSocket implementations: missing authentication for critical functions (CVSS 9.4), improper restriction of excessive authentication attempts (CVSS 7.5), insufficient session expiration (CVSS 7.3), and insufficiently protected credentials (CVSS 6.5). The common attack scenario lets an adversary impersonate charging stations, hijack active sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data flowing to backend energy management systems; the advisories note that the credentials needed to connect are publicly accessible via web-based mapping platforms. None of the six vendors responded to CISA’s coordination requests, and the advisories affect both the energy and transportation systems sectors. The disclosure points to a systemic weakness in how the EV charging ecosystem implements OCPP: the protocol was designed for interoperability, and its WebSocket transport is being deployed without basic authentication controls across multiple independent vendors.
Automotive CPS Security
Tesla Model 3 and Cybertruck Wireless Vulnerabilities
Northeastern University researchers published findings on February 18 (with continued coverage this week) demonstrating wireless connectivity vulnerabilities in Tesla’s 2024 Model 3 and Cybertruck. Using IMSI-catching techniques with fake cellular base stations, attackers can intercept a vehicle’s International Mobile Subscriber Identity to enable real-time tracking, prevent internet connectivity, force the vehicle into less secure communication modes, and intercept data traffic. Additional vulnerabilities in SMS and emergency service handling allow attackers to spam messages, issue fake alerts, and trigger denial-of-service conditions. Tesla acknowledged that the weaknesses originate in cellular modem stacks supplied by Qualcomm and Quectel—meaning the vulnerabilities likely extend to most modern connected vehicles using these widely adopted modem chipsets. The researchers recommend industry-wide adoption of 5G with stronger identity protections and elimination of insecure 2G/3G fallback modes.
VicOne 2026 Automotive Cybersecurity Report
VicOne’s 2026 report, published during this period, documented a tripling of automotive cyber incidents in 2025 to 610 recorded cases, with cross-region, multi-business incidents more than tripling to 161 cases. The report finds that 33% of observed cyber risk now directly impacts driver-facing systems and characterizes the current era as the “Overlap Era”—where legacy vehicle platforms coexist with software-defined vehicles, cloud-connected ecosystems, and AI-enabled features while cybersecurity governance remains fragmented across manufacturers, suppliers, and aftermarket providers.
Medical Device CPS Security
UFP Technologies Ransomware Attack
UFP Technologies, a publicly traded manufacturer of single-use medical devices and components for aerospace, automotive, healthcare, and defense based in Newburyport, Massachusetts, disclosed a ransomware attack detected on February 14 that continued to affect operations into this reporting period. The company described it as “a classic ransomware attack” in which attackers compromised IT systems including billing and label-making for customer deliveries, and confirmed that data was exfiltrated from compromised systems, though the extent, and whether personal health information was involved, remains unclear. The company disclosed the incident in an SEC filing, isolated affected systems, engaged three external cybersecurity firms, and deployed backup systems. No threat group has claimed responsibility. The incident demonstrates how ransomware targeting medical device manufacturers can disrupt the supply chain for hospitals and healthcare providers even without directly compromising the devices themselves.
WHILL Wheelchair Bluetooth Vulnerability
CISA’s medical advisory ICSMA-25-364-01, initially published in late December 2025 and continuing to receive attention, disclosed CVE-2025-14346 (CVSS 9.8) in WHILL Model C2 Electric Wheelchairs and Model F Power Chairs. A missing authentication vulnerability in Bluetooth connections allows an attacker within approximately 30 feet to pair without credentials and issue movement commands, override speed restrictions, and manipulate configuration profiles—posing a direct physical safety threat to wheelchair occupants. WHILL deployed firmware mitigations on December 29, 2025, but the advisory’s continued relevance highlights the intersection of mobility device cybersecurity and patient safety.
Water & Wastewater Sector
InSAT MasterSCADA: Direct Water Sector Exposure
The InSAT MasterSCADA BUK-TS vulnerabilities disclosed this week (ICSA-26-055-01) explicitly list water and wastewater systems among the affected sectors. The two CVSS 9.8 vulnerabilities enabling remote code execution through SQL injection and OS command injection affect all versions of the platform, and with the Russian vendor unresponsive to CISA’s coordination, water utilities running MasterSCADA BUK-TS have no vendor-supported remediation path. This situation mirrors the Welker OdorEyes disclosure from week 08—another critical infrastructure product with critical vulnerabilities and a non-responsive vendor. Water utilities should immediately inventory any MasterSCADA deployments and apply network isolation as the primary defensive measure.
Volt Typhoon Persistence in Water Utilities
The Dragos 2026 report’s findings about VOLTZITE (Volt Typhoon) remaining embedded in U.S. water utilities, reported last week, continued to generate analysis and concern during this period. The newly identified SYLVANITE threat group’s role as an initial access broker—exploiting vulnerabilities in Ivanti, F5, and SAP products to hand off established footholds to VOLTZITE—represents a coordinated two-stage intrusion pipeline specifically observed at U.S. water utilities during incident response engagements. This ongoing threat underscores the urgency of the defensive recommendations from the Senate water cybersecurity hearing, where nearly 70% of inspected water utilities were found in violation of basic cybersecurity standards.
Energy & Power Grid
Poland Energy Grid Attack: New Investigation Details
A Balkan Insight investigative report published on February 26 provided significant new details about the December 29, 2025 cyberattack on the Polish energy grid. The investigation revealed that reconnaissance traced back to March 2025—nine months of preparation before the destructive phase. Attackers uploaded corrupted firmware to controllers, forcing devices into endless restart cycles, and default ICS credentials served as the primary entry point. CVE-2024-2617, which allowed unsigned firmware updates even when security features were enabled, was a key enabler. Attribution remains contested: ESET attributes the attack to Sandworm/GRU, Dragos tracks the activity as ELECTRUM, and Balkan Insight investigators traced connections to Berserk Bear/FSB. Regardless of attribution, the attack—which targeted approximately 30 distributed energy resource sites including wind farms, solar installations, and a CHP plant serving nearly 500,000 customers—represents the first major coordinated cyberattack targeting distributed energy resources at scale.
Palo Alto Networks / Siemens / INL: OT Internet Exposure Surges
Research published February 27 by Palo Alto Networks Unit 42 in partnership with Siemens and Idaho National Laboratory documented a dramatic increase in OT device internet exposure. The study identified over 110 million observations of OT devices exposed to the internet in 2024—a 138% increase over 2023—with 19.6 million unique OT devices fingerprinted across 1.77 million IPv4 addresses, representing a 332% increase. Over 70% of OT attacks originate in IT environments before reaching industrial assets, with an average dwell time of 185 days in the precursor phase. The research found that 48% of attacks target older legacy vulnerabilities, and common exposure points include standard web ports alongside OT-specific protocols on TCP 5011, TCP 502 (Modbus), and UDP 47808 (BACnet).
UL Solutions DER Cybersecurity Certification
UL Solutions announced on February 17 the first industry-wide cybersecurity certification baseline for distributed energy resources, based on the UL 2941 standard. The certification evaluates access control, cryptography, and policy practices for DER equipment including inverters, microgrids, battery energy storage systems, hydrogen systems, and EV charging infrastructure. This development is particularly timely given the Poland DER attack and the week’s EV charging platform disclosures.
Manufacturing & Industrial
S4x26 Conference: OTI Impact Score and AI Partnerships
The S4x26 conference (February 23–26, Miami) produced several significant developments for the industrial cybersecurity community. The most notable was the unveiling of the OTI Impact Score—an “Operational Technology Incident Impact Score” modeled after the Richter Scale that translates complex OT disruptions into a 0.0–10.0 score based on severity, reach, and duration. An alpha version is available and aims to issue crowdsourced assessments within 12 hours of an incident, providing a standardized language for communicating the real-world impact of OT cyber events.
NVIDIA announced partnerships with Akamai, Forescout, Palo Alto Networks, Siemens, and Xage Security to bring AI-powered cybersecurity to critical infrastructure. The architecture deploys NVIDIA BlueField DPUs at the edge for real-time threat detection, with centralized AI factories analyzing OT data across multiple sites. Xage demonstrated zero trust enforcement on BlueField hardware, and Siemens showcased its AI-ready Industrial Automation DataCenter. The conference theme “Connect” emphasized that AI agents and MCP servers are creating new connections between OT systems, enterprise platforms, and analytics tools—connections that simultaneously enable better security visibility and introduce new attack surfaces.
Copeland XWEB: Commercial Refrigeration at Risk
The Copeland XWEB advisory (ICSA-26-057-10) warrants special attention from the manufacturing perspective. These controllers manage commercial refrigeration in supermarkets, cold storage warehouses, pharmaceutical distribution centers, and food processing facilities. The 23 vulnerabilities discovered by Claroty Team82, including the CVSS 10.0 authentication bypass, expose temperature-controlled supply chains to potential disruption. A successful attack could manipulate temperature setpoints, disable alarms, or cause equipment damage—with consequences ranging from spoiled inventory to compromised pharmaceutical efficacy. The sheer volume of vulnerabilities (23 in a single product) suggests fundamental security architecture weaknesses rather than isolated coding errors.
Threat Intelligence Highlights
Recorded Future 2026 State of Security Report
Recorded Future’s annual report, published February 13 with continued analysis this week, warned that cyber operations have become inseparable from physical conflict, coercion, and espionage. Nation-states increasingly favor quiet pre-positioning, credential theft, and identity access for continuous leverage rather than dramatic one-time attacks. States prefer brief, reversible disruptions to cables, satellites, and telecom infrastructure to signal power while staying below escalation thresholds. The report identifies geopolitical fragmentation and AI adoption as creating persistent instability, with cyber capabilities becoming a standard tool of statecraft applied across the spectrum from espionage to sabotage.
Forescout: ICS Vulnerability Records
Forescout’s ICS vulnerability analysis, published during this period, documented that 2025 set records with 508 CISA ICS advisories covering 2,155 CVEs—the first year exceeding 500 advisories. The cumulative total since 2010 now stands at 3,637 advisories covering 12,174 vulnerabilities across 2,783 products from 689 vendors. A critical visibility gap emerged: only 22% of ICS vulnerabilities had CISA ICSA coverage in 2025, down sharply from 58% in 2024, with 134 vendors having vulnerabilities without any CISA advisory. The average CVSS score climbed to 8.07 with 82% classified as high or critical, and attacks using OT protocols surged 84%, led by Modbus, Ethernet/IP, and BACnet.
“Living-off-the-Plant” OT Attack Techniques
Dark Reading published a significant analysis (initially February 10, with continued discussion at S4x26) about “living-off-the-plant” attacks—the OT equivalent of IT’s “living-off-the-land” techniques. Attackers who understand OT environments can conduct intrusions using legitimate engineering tools, HMIs, scripting capabilities, and native industrial protocols already present in the environment, making their activity far harder to detect than malware-based intrusions. These techniques were demonstrated at RSAC 2026 and represent a maturation of adversary tradecraft from deploying custom malware toward exploiting the inherent trust relationships built into industrial control architectures.
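The following is an added example, not code from the Dark Reading analysis or from any vendor, of what detecting “living-off-the-plant” activity looks like in practice on Modbus/TCP. Because the attacker's commands are valid protocol, signature matching on malware is useless; the monitor below instead checks who is issuing state-changing function codes, flags two Diagnostics (FC 8) sub-functions that can silence or reset a device with a perfectly legal request, and alerts on any (client, server, function code) combination that never appeared in a learned baseline. The host addresses, host roles, baseline traffic and request frames are all constructed for the example.

```python
"""Detection for 'living-off-the-plant' activity on Modbus/TCP: state-changing and diagnostic
commands issued with the plant's own protocol rather than with malware. Added example, not
code from the Dark Reading analysis or from any product. The host roles, the baseline traffic
and the request frames below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# function codes that alter process state; a read-only host should never send them
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils",
             16: "Write Multiple Registers", 22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# FC 8 (Diagnostics) sub-functions that reset or silence a device: legitimate protocol, hostile effect
DIAG_SUBFUNCTIONS = {1: "Restart Communications Option", 4: "Force Listen Only Mode"}


@dataclass
class ModbusRequest:
    unit_id: int
    function: int
    data: bytes


def parse_request(frame: bytes) -> Optional[ModbusRequest]:
    """MBAP header + PDU; None unless the header is consistent (protocol id 0, length matches)."""
    if len(frame) < 8:
        return None
    _, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return ModbusRequest(unit, frame[7], frame[8:])


@dataclass
class Alert:
    ts: float
    src: str
    dst: str
    reason: str


class PlantMonitor:
    """Two checks: writes must come from hosts authorised to write, and every
    (client, server, function) triple must have appeared in the learned baseline."""

    def __init__(self, write_hosts: Set[str]):
        self.write_hosts = write_hosts
        self.baseline: Set[Tuple[str, str, int]] = set()

    def learn(self, src: str, dst: str, frame: bytes) -> None:
        """Feed known-good traffic (e.g. a week of captures reviewed with the process engineers)."""
        req = parse_request(frame)
        if req is not None:
            self.baseline.add((src, dst, req.function))

    def inspect(self, ts: float, src: str, dst: str, frame: bytes) -> List[Alert]:
        req = parse_request(frame)
        if req is None:
            return []
        alerts: List[Alert] = []
        if req.function in WRITE_FCS and src not in self.write_hosts:
            addr = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else -1
            alerts.append(Alert(ts, src, dst, f"{WRITE_FCS[req.function]} (FC {req.function}) at address {addr} "
                                              f"on unit {req.unit_id} from a host not authorised to write"))
        if req.function == 8 and len(req.data) >= 2:
            sub = struct.unpack(">H", req.data[:2])[0]
            if sub in DIAG_SUBFUNCTIONS:
                alerts.append(Alert(ts, src, dst, f"{DIAG_SUBFUNCTIONS[sub]} (FC 8 sub-function {sub}) on unit {req.unit_id}"))
        if (src, dst, req.function) not in self.baseline:
            alerts.append(Alert(ts, src, dst, f"FC {req.function} from {src} to {dst} never seen in baseline"))
        return alerts


# constructed hosts: HMI and engineering workstation may write, a jump box should not
HMI, EWS, PLC, JUMP = "10.1.1.10", "10.1.1.20", "10.1.2.5", "10.1.3.77"
# constructed request frames (MBAP + PDU), unit 1
READ_HOLDING = bytes.fromhex("00010000000601030000000a")        # FC 3, 10 registers from 0
WRITE_MULTI = bytes.fromhex("000200000009011000100001020001")   # FC 16, 1 register at 16
WRITE_SINGLE = bytes.fromhex("0003000000060106001007d0")        # FC 6, register 16 = 2000
LISTEN_ONLY = bytes.fromhex("000400000006010800040000")         # FC 8 sub 4: force listen only
WRITE_COIL = bytes.fromhex("00050000000601050001ff00")          # FC 5, coil 1 on


def run_demo() -> List[str]:
    """Learn a baseline, then inspect four requests; returns the alert reasons in order."""
    mon = PlantMonitor(write_hosts={HMI, EWS})
    for src, frame in [(HMI, READ_HOLDING), (HMI, WRITE_SINGLE), (EWS, WRITE_MULTI)]:
        mon.learn(src, PLC, frame)
    traffic = [(1.0, HMI, READ_HOLDING),   # routine poll: no alert
               (2.0, JUMP, WRITE_MULTI),   # write from the jump box: authorisation + novelty alerts
               (3.0, EWS, LISTEN_ONLY),    # engineering host silences the PLC: diagnostic + novelty alerts
               (4.0, EWS, WRITE_COIL)]     # authorised host, but a function it never used: novelty alert
    return [a.reason for ts, src, frame in traffic for a in mon.inspect(ts, src, PLC, frame)]


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

The third case is the one that matters for living-off-the-plant: the engineering workstation is allowed to write, so an allowlist alone stays silent, and only the baseline comparison and the FC 8 sub-function check surface it. In a real deployment the baseline should be keyed on unit id and address range as well, since attackers using legitimate tools tend to reuse the same host and function code but touch registers the operators never do.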
CISA Shutdown: Week Two
The DHS shutdown entered its second week with CISA still operating at approximately 38% capacity. Despite these constraints, the agency managed to issue Emergency Directive 26-03 and publish 13 ICS advisories, demonstrating that critical emergency response functions remain operational. However, proactive vulnerability scanning, security assessments, training exercises, and stakeholder engagements remain suspended—a gap that is particularly concerning as the volume of ICS vulnerabilities and active exploitation campaigns continues to accelerate.
Defensive Recommendations
Organizations should prioritize the Cisco SD-WAN Emergency Directive immediately: inventory all Cisco Catalyst SD-WAN Controller and Manager deployments, apply patches for CVE-2026-20127 and CVE-2022-20775, collect forensic artifacts from affected systems, and review logs for signs of compromise dating back to 2023. The joint Five Eyes hunt guide provides specific indicators of compromise and detection guidance.
For industrial refrigeration operators, the Copeland XWEB advisory demands urgent attention. Update XWEB 300D PRO, 500D PRO, and 500B PRO controllers to the latest version via the system update menu. Until patched, restrict network access to management interfaces and monitor for unauthorized authentication attempts, as CVE-2026-21718 enables pre-authentication exploitation.
Johnson Controls Frick Controls Quantum HD operators running versions 10.22 through 11 should plan migration to Quantum HD Unity version 12 or higher, as the legacy versions are end-of-support and carry four critical pre-authentication remote code execution vulnerabilities.
EV charging infrastructure operators should audit their OCPP implementations for WebSocket authentication controls. The same weaknesses appearing across six independent vendors suggest the problem extends beyond those named in CISA’s advisories. OCPP’s security profiles (defined in the OCPP 1.6 security whitepaper and carried into OCPP 2.0.1) already specify how the connection should be protected, with HTTP Basic authentication over TLS or TLS with client certificates, so ensure that every OCPP WebSocket endpoint refuses the upgrade without valid credentials, rate-limit and lock out repeated authentication failures, enforce session expiration, and store charge point credentials as salted hashes rather than in recoverable form.
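To make the four advisory findings concrete, here is an added example (not code from any of the six vendors or from the OCPP specification) of the authorization gate a CSMS should put in front of its OCPP-J WebSocket endpoint. It covers the vulnerability pattern described above and the recommendations in this paragraph: the HTTP upgrade is refused unless it carries Basic credentials whose username matches the charge point identity in the URL path, failures are counted per identity and locked out, sessions carry an expiry, and only salted PBKDF2 hashes are stored. TLS termination and the WebSocket framing itself are assumed to be handled by the surrounding server; the charge point table, its password and the lockout parameters are constructed for the example.

```python
"""Authorization gate for an OCPP-J (OCPP 1.6 JSON over WebSocket) CSMS endpoint.

Added example, not code from any vendor named in the advisories. It models the
four weaknesses in the EV charging advisories: the WebSocket upgrade is refused
unless it carries valid credentials, repeated failures are throttled, sessions
expire, and stored credentials are salted hashes rather than plaintext.
The charge-point table and password below are constructed test data.
"""
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5          # failed logins per charge point before lockout (assumed policy)
LOCKOUT_SECONDS = 300     # lockout window (assumed policy)
SESSION_TTL = 3600        # seconds a session may live without re-authentication (assumed policy)
SUBPROTOCOL = "ocpp1.6"   # WebSocket subprotocol name used by OCPP-J 1.6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random salt; only (salt, hash) is stored, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Csms:
    credentials: Dict[str, Tuple[bytes, bytes]]                    # charge point id -> (salt, hash)
    failures: Dict[str, List[float]] = field(default_factory=dict)  # id -> failure timestamps
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (id, expiry)

    def _locked_out(self, cp_id: str, now: float) -> bool:
        recent = [t for t in self.failures.get(cp_id, []) if now - t < LOCKOUT_SECONDS]
        self.failures[cp_id] = recent
        return len(recent) >= MAX_FAILURES

    def _record_failure(self, cp_id: str, now: float) -> None:
        self.failures.setdefault(cp_id, []).append(now)

    def authorize_upgrade(self, path: str, headers: Dict[str, str], now: float) -> Tuple[int, str]:
        """Decide the HTTP upgrade request. Returns (status, session_token) on 101, else (status, reason)."""
        h = {k.lower(): v for k, v in headers.items()}
        offered = [p.strip() for p in h.get("sec-websocket-protocol", "").split(",")]
        if SUBPROTOCOL not in offered:
            return 400, "unsupported subprotocol"
        cp_id = path.rstrip("/").rsplit("/", 1)[-1]     # OCPP-J: identity is the last path segment
        if not cp_id or cp_id not in self.credentials:
            return 401, "unauthorized"                  # same status as a bad password
        if self._locked_out(cp_id, now):
            return 429, "too many attempts"
        auth = h.get("authorization", "")
        if not auth.startswith("Basic "):
            self._record_failure(cp_id, now)
            return 401, "unauthorized"
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:
            self._record_failure(cp_id, now)
            return 401, "unauthorized"
        salt, stored = self.credentials[cp_id]
        _, candidate = hash_password(password, salt)
        # username must match the identity in the URL; hash compare is constant-time
        if user != cp_id or not hmac.compare_digest(candidate, stored):
            self._record_failure(cp_id, now)
            return 401, "unauthorized"
        self.failures.pop(cp_id, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (cp_id, now + SESSION_TTL)
        return 101, token

    def session_owner(self, token: str, now: float) -> Optional[str]:
        """Charge point bound to a live session, or None once it has expired or never existed."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        cp_id, expiry = entry
        if now >= expiry:
            del self.sessions[token]
            return None
        return cp_id


def demo_csms() -> Csms:
    """Constructed CSMS with one registered charge point: CP001, password 'correct horse'."""
    return Csms(credentials={"CP001": hash_password("correct horse")})


def basic(user: str, password: str) -> str:
    """Build the Authorization header value a charge point would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The unknown-identity branch returns the same 401 as a wrong password but skips the hash computation, so a timing side channel for identity enumeration remains; run the PBKDF2 against a dummy salt in that branch if charge point identifiers are treated as secret. Since the advisories note that identifiers and credentials turn up on public mapping platforms, the lockout and the session expiry are what limit the damage once a credential has leaked.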
InSAT MasterSCADA BUK-TS deployments in water, energy, or manufacturing environments should be immediately isolated from network access, as the CVSS 9.8 SQL injection and command injection flaws have no vendor patch and the vendor is unresponsive. Schneider Electric EcoStruxure Building Operation users should apply the patches available through MySchneider for versions 7.0.x (CP1) and 6.x (CP10). Yokogawa CENTUM VP operators should apply patch R1.08.00 for the Vnet/IP Interface Package. Pelco Sarix Pro 3 camera operators should update to firmware 02.53 or later.
Given the Palo Alto/Siemens/INL findings on the 138% increase in internet-exposed OT devices, organizations should conduct an immediate audit of OT device internet exposure, particularly on TCP 502 (Modbus), UDP 47808 (BACnet), and TCP 5011, in addition to standard web ports.
Sources Referenced
Government Advisories & Directives
- CISA Emergency Directive 26-03: Cisco SD-WAN
- CISA and Partners SD-WAN Guidance
- ICSA-26-055-01: InSAT MasterSCADA BUK-TS
- ICSA-26-055-02: Schneider Electric EcoStruxure Building Operation
- ICSA-26-055-03: Gardyn Home Kit
- ICSA-26-057-01: Johnson Controls Frick Controls Quantum HD
- ICSA-26-057-02: Pelco Sarix Pro 3 Series
- ICSA-26-057-03 through 08: EV Charging Platforms
- ICSA-26-057-09: Yokogawa CENTUM VP
- ICSA-26-057-10: Copeland XWEB