News Summary week 11, 2026

Iran-linked Handala group devastated medical device giant Stryker with a wiper attack across 79 countries, while CISA’s ICS Patch Tuesday delivered ten advisories headlined by a CVSS 10.0 Honeywell building management controller with no vendor patch, a critical Siemens S7-1500 PLC vulnerability, and Schneider Electric EcoStruxure flaws enabling full system compromise.
Tags: threat-intelligence, ICS, CPS, automotive, medical-devices

Published March 14, 2026

Executive Summary

The week’s most consequential event was the Iran-linked Handala group’s wiper attack on Stryker Corporation, one of the world’s largest medical device manufacturers, which reportedly wiped over 200,000 systems across 79 countries by weaponizing Stryker’s own Microsoft Intune endpoint management platform. CISA published ten ICS advisories across its March Patch Tuesday releases, headlined by a maximum-severity CVSS 10.0 vulnerability in Honeywell IQ4x building management controllers that ship without authentication in factory-default configuration—and for which no vendor patch exists. The Siemens SIMATIC S7-1500 PLC family, one of the most widely deployed PLCs in the world, received a critical stored XSS advisory (CVSS 9.6), while Schneider Electric patched high-severity flaws in EcoStruxure products that could enable full system compromise. Meanwhile, a ransomware attack on the Szczecin Regional Hospital in Poland forced the facility to revert to paper-based operations, with military personnel deployed to assist recovery—the latest in a wave of Russian-attributed cyberattacks against Polish critical infrastructure.

This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.


Week of March 6 – March 13, 2026

Critical Alerts & Advisories

CISA published ten ICS advisories across two release dates this week—four on March 10 and six on March 12—as part of the March 2026 ICS Patch Tuesday cycle, alongside a KEV catalog update on March 13.

The most urgent advisory was for the Honeywell IQ4x building management system controller (ICSA-26-069-03), which received the maximum CVSS 10.0 score for CVE-2026-3611, a missing-authentication vulnerability that exposes the controller’s full web-based HMI without any credentials in factory-default configuration. When no user module is configured, the system grants read/write privileges under a System Guest context, and the unprotected U.htm endpoint allows attackers to create administrative accounts—effectively locking legitimate operators out of both local and web-based management. Seven controller models are affected (IQ4E, IQ412, IQ422, IQ4NC, IQ41x, IQ3, IQECO) across firmware versions 3.50_3.44 through 4.36_build_4.3.7.9. Honeywell has not released a patch, so building automation environments relying on these controllers are left with network isolation, plus configuring a user module so that the System Guest context is no longer granted, as their only mitigations.

The Siemens SIMATIC S7-1500 advisory (ICSA-26-071-04) disclosed CVE-2025-40943, a stored cross-site scripting vulnerability scored at CVSS 9.6 that affects over 100 model variants of one of the world’s most ubiquitous PLC families. An attacker can inject code by tricking a legitimate user into importing a specially crafted trace file through the web interface. Siemens has released firmware version 4.1.2 and recommends disabling the webserver on ports 80/tcp and 443/tcp where it is not actively needed.

Siemens also addressed a critical authentication bypass in the RUGGEDCOM APE1808 with Fortinet FortiGate NGFW (ICSA-26-071-02). CVE-2026-24858 (CVSS 9.8) allows FortiCloud account holders to access other registered devices through an alternate authentication path—a particularly concerning flaw given RUGGEDCOM’s deployment across energy, critical manufacturing, and transportation infrastructure. Siemens advises updating the FortiGate NGFW component to version 7.4.11 or later.

The Lantronix EDS3000PS and EDS5000 serial device server advisory (ICSA-26-069-02) disclosed eight vulnerabilities, two of which—CVE-2025-67038 and CVE-2025-67039—carry CVSS 9.8 scores. The first enables unauthenticated arbitrary OS command execution as root through the HTTP RPC module, which concatenates the username directly into commands without sanitization. The second allows authentication bypass by appending a specific URL suffix. These serial device servers bridge legacy serial equipment to IP networks and are commonly found in manufacturing, utility, and transportation environments. Lantronix has released firmware updates for both product lines.
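As an added illustration of the flaw class described above (this is not Lantronix code; the advisory does not publish the product's internals), the following Python models an RPC handler that splices a username into a shell command, beside the hardened form. The `echo` command, the `INJECTED` marker and the allowlist pattern are this example's own choices, and the attacker input is constructed.

```python
import re
import subprocess

# Constructed attacker input: the ';' ends the intended command and starts a second one.
INJECTED_USERNAME = "alice; echo INJECTED"

# Allowlist for a username (example policy, not the product's real rules).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def vulnerable_lookup(username: str) -> str:
    """The unsafe pattern: the untrusted value is concatenated into a command
    string that a shell then parses, so shell metacharacters become syntax."""
    cmd = "echo user=" + username
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return result.stdout


def hardened_lookup(username: str) -> str:
    """Validate against an allowlist, then pass the value as one argv element
    with shell=False: no shell is involved, so ';' is just a character."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    result = subprocess.run(["echo", "user=" + username],
                            capture_output=True, text=True, check=False)
    return result.stdout


def was_injected(output: str) -> bool:
    """True if the attacker's second command actually ran: its output appears
    as a line of its own rather than as literal text inside 'user=...'."""
    return any(line.strip() == "INJECTED" for line in output.splitlines())


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_lookup(INJECTED_USERNAME)))
    print("injected?  :", was_injected(vulnerable_lookup(INJECTED_USERNAME)))
    print("hardened   :", repr(hardened_lookup("alice")))
    try:
        hardened_lookup(INJECTED_USERNAME)
    except ValueError as exc:
        print("hardened   :", exc)
```

The fix has two independent layers: the allowlist rejects the payload outright, and even if validation were bypassed, `shell=False` with an argv list means the value is never handed to a shell parser. Running as root, as the Lantronix RPC module does, is what turns this bug from command injection into full device compromise.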

Siemens SIDIS Prime (ICSA-26-071-03), a rail and infrastructure diagnostic system, received an advisory covering 23 CVEs spanning multiple high-severity vulnerability categories including command injection, path traversal, prototype pollution, and flaws in embedded OpenSSL, SQLite, and Node.js components. Operators should update to SIDIS Prime V4.0.800 or later. Trane’s Tracer SC, SC+, and Concierge building automation controllers (ICSA-26-071-01) received an advisory for five vulnerabilities including CVE-2026-28252 (CVSS 8.1, broken cryptographic algorithm enabling root-level access) and CVE-2026-28255 (hard-coded credentials enabling account takeover). Trane has released v6.30.2313 for the Tracer SC+ and implemented cloud-side security controls for the credential issues.

Inductive Automation’s Ignition SCADA platform (ICSA-26-071-06) was flagged for CVE-2025-13913 (CVSS 6.3), a deserialization vulnerability that allows privileged users importing external files to trigger execution of embedded malicious code. The Siemens Heliox EV charger advisory (ICSA-26-071-05) disclosed CVE-2025-27769, a low-severity improper access control flaw in the Flex 180 kW and Mobile DC 40 kW stations that could allow attackers with physical access to reach unauthorized services through the charging cable. Ceragon/Siklu MultiHaul and EtherHaul wireless backhaul radios (ICSA-26-069-04) and Apeman ID71 cameras (ICSA-26-069-01) rounded out the week’s advisories, with the Apeman cameras carrying a CVSS 9.8 credential exposure vulnerability and no vendor response or patch.

Beyond CISA, the broader ICS Patch Tuesday saw Schneider Electric publish six advisories covering high-severity issues in EcoStruxure IT Data Center Expert (hardcoded credentials), EcoStruxure Power Monitoring Expert and Power Operation (local arbitrary code execution), and EcoStruxure Automation Expert (command execution enabling full system compromise). Moxa published four advisories, and Germany’s VDE-CERT issued advisories for Codesys (CVE-2026-2364, CVSS 7.3, TOCTOU privilege escalation), Janitza UMG 96RM-E power analyzers (unauthenticated remote code execution), and Weidmueller Energy Meter 750 series devices.

CISA made two KEV catalog updates during the week. On March 6, two CVSS 9.8 vulnerabilities with direct ICS relevance were added: CVE-2017-7921, a Hikvision improper authentication flaw that enables bypass of authentication and access to sensitive information on surveillance cameras—with SANS ISC having detected active exploit attempts against Hikvision cameras for over four months prior—and CVE-2021-22681, a Rockwell Automation insufficient protected credentials vulnerability affecting Studio 5000 Logix Designer, RSLogix 5000, and multiple Logix Controllers that allows unauthorized applications to connect by bypassing verification. Both carry a March 26 remediation deadline. On March 13, CISA added two additional actively exploited vulnerabilities: CVE-2026-3909 (Google Skia out-of-bounds write) and CVE-2026-3910 (Google Chromium V8 vulnerability).
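A KEV addition carries a remediation deadline, so the practical task is to map the catalog onto your own asset inventory and order the work by due date. The following Python is an added example, not a CISA tool: the feed excerpt is constructed in the shape of the KEV JSON (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` are the feed's) and reproduces only the two March 6 additions with the March 26 deadline stated above; the Google entries are omitted because their due dates are not given here. The inventory mapping assets to CVEs is likewise constructed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
         "product": "Cameras", "dateAdded": "2026-03-06", "dueDate": "2026-03-26"},
        {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
         "product": "Studio 5000 Logix Designer", "dateAdded": "2026-03-06",
         "dueDate": "2026-03-26"},
    ]
})

# Constructed inventory: asset -> CVEs reported by a scanner or vendor advisory.
INVENTORY = {
    "cam-lobby-01": ["CVE-2017-7921"],
    "eng-ws-04": ["CVE-2021-22681", "CVE-2025-40943"],
    "plc-line3": ["CVE-2025-40943"],
}

TODAY = date(2026, 3, 14)   # the report date
LATER = date(2026, 4, 1)    # a date past the KEV deadline, for the overdue case


def load_kev(feed_text: str) -> dict:
    """Index the feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(feed_text: str, inventory: dict, today: date) -> list:
    """One record per (asset, CVE) pair that is in KEV, earliest due date first."""
    kev = load_kev(feed_text)
    hits = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # still needs patching, but not under a KEV deadline
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": due < today,
            })
    hits.sort(key=lambda h: (h["due"], h["asset"]))
    return hits


def not_in_kev(feed_text: str, inventory: dict) -> set:
    """CVEs present in the inventory that KEV does not (yet) list."""
    kev = load_kev(feed_text)
    return {cve for cves in inventory.values() for cve in cves if cve not in kev}


if __name__ == "__main__":
    for h in prioritize(KEV_SAMPLE, INVENTORY, TODAY):
        flag = "OVERDUE" if h["overdue"] else f'{h["days_left"]}d left'
        print(f'{h["asset"]:14} {h["cve"]:16} due {h["due"]} ({flag}) {h["product"]}')
    print("not in KEV:", sorted(not_in_kev(KEV_SAMPLE, INVENTORY)))
```

The `not_in_kev` set is deliberately reported alongside the deadlines: the S7-1500 XSS (CVE-2025-40943) is not in KEV this week, which lowers its compliance urgency but says nothing about its exploitability, so it should still be scheduled on its own merits.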

Automotive CPS Security

A ransomware attack on ELECQ on March 7 compromised the Chinese EV charger manufacturer’s AWS cloud infrastructure, exposing customer databases containing names, email addresses, phone numbers, and home addresses of UK and German customers. The databases were both encrypted and exfiltrated before isolation. A notable bright spot: the physical charging hardware remained fully operational throughout the incident, suggesting effective network segmentation between cloud backends and the hardware control layer—a design principle that the broader EV charging ecosystem would do well to adopt given the ongoing OCPP vulnerability disclosures.

Barracuda Networks published a major analysis on March 11 quantifying the automotive attack surface across 494 publicly reported incidents in 2025. Ransomware comprised 44% of incidents, doubling from the prior year, while 67% involved telematics or cloud infrastructure rather than direct vehicle access. The report identified over 1,500 supply-chain vulnerabilities in modern automotive ecosystems, with 92% of attacks conducted remotely and 86% requiring no physical proximity. Barracuda also documented a new category of consumer-facing extortion where attackers exploit connected vehicle backends to interfere with vehicle access or functionality, then demand payment to restore control.

The Siemens Heliox EV charger CISA advisory (ICSA-26-071-05), while scored low at CVSS 2.6, is noteworthy as the first CISA ICS advisory specifically addressing an EV charging station hardware vulnerability rather than the backend OCPP software platform issues disclosed across the preceding three weeks. The vulnerability requires physical access via the charging cable to reach unauthorized services.

The CarGurus data breach continued to generate legal fallout through this period. The ShinyHunters threat actor’s February 13 compromise—executed through voice phishing to obtain SSO codes for Okta, Microsoft, and Google services—exposed over 12.5 million email addresses along with auto finance application outcomes and potentially Social Security numbers. Multiple law firms announced class action investigations.

Meanwhile, an upcoming Congressional hearing scheduled for March 17 titled “DeepSeek and Unitree Robotics: Examining the National Security Risks of PRC Artificial Intelligence, Robotics, and Autonomous Technologies” will address national security concerns around Chinese-made autonomous systems, reflecting growing legislative attention to the intersection of autonomous vehicle technology and geopolitical supply chain risk.

Medical Device CPS Security

The week’s most significant medical device event was the Handala wiper attack on Stryker Corporation, disclosed March 11. The Iran-linked hacktivist group—assessed by Palo Alto Networks as a persona maintained by Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS)—claimed to have wiped over 200,000 systems, servers, and mobile devices across Stryker’s operations in 79 countries. According to a source who spoke to KrebsOnSecurity, the attackers compromised Stryker administrator accounts and used Microsoft Intune, the company’s own cloud-based endpoint management platform, to issue remote wipe commands to all connected devices—transforming a legitimate IT management tool into a weapon of mass digital destruction. Handala also claimed to have exfiltrated 50 terabytes of data before executing the wipe.

The group stated the attack was retaliation for a February 28 missile strike that killed at least 175 people at an Iranian school, and specifically targeted Stryker for its 2019 acquisition of Israeli company OrthoSpace and its $450 million U.S. Department of Defense contract.

As one of the world’s largest manufacturers of surgical equipment, implants, and hospital systems, the disruption extended beyond Stryker’s own operations into active patient care: LifeNet, Stryker’s IT system used by emergency responders to transmit patient data including EKGs to hospitals, was rendered non-functional in most parts of Maryland, forcing at least one statewide EMS system to revert to radio communications. Multiple hospitals in Maryland and San Diego disconnected from Stryker’s online services as a precaution. CISA launched an investigation into the attack, and Stryker later stated the incident had been “contained.”

A cyberattack on the Independent Public Regional Hospital in Szczecin, Poland struck the facility’s IT systems on the night of March 7–8, encrypting critical data and forcing staff to revert to paper-based operations for patient records and medical procedures. Military personnel were deployed to assist in restoring IT access, and the hospital coordinated with national cybercrime agencies to assess the breach. Patient care continued throughout, though administrative procedures slowed significantly. The attack reflects an escalating pattern: Poland now faces between 20 and 50 cyberattacks daily against critical infrastructure, with hospitals among the primary targets amid heightened tensions with Moscow.

A HIMSS survey published March 11, co-authored with Elisity, revealed that 60% of health systems cannot adequately protect unpatchable or agentless medical devices—the highest limitation rate of any category surveyed. Poor visibility into device inventory ranked second at 30%, and 54% cited policy-management overhead as a significant barrier. Nearly half of respondents reported that cyber insurance carriers demanded specific controls during renewal in the past two years, creating external pressure for microsegmentation and IoMT security investment that internal governance had not previously achieved.

Water & Wastewater Sector

While no new water-sector-specific incidents emerged this week, the threat landscape remains elevated from converging pressures identified in prior weeks. CyberAv3ngers, the IRGC-linked group that previously attacked Unitronics PLCs at U.S. water utilities, remains among the most active threat actors in the ongoing Iran-aligned cyber campaign. VOLTZITE (Volt Typhoon) persistence in U.S. water utility networks, documented by Dragos in week 09, continues as an unresolved strategic threat. The CISA operational constraints that have suspended proactive vulnerability scanning and security assessments for water utilities since the DHS shutdown began remain in effect.

Energy & Power Grid

The Hitachi Energy RTU500 substation controller vulnerabilities patched in week 10 (ICSA-26-062-03) remained relevant as utilities continued to schedule firmware updates during planned maintenance windows. This week’s Honeywell IQ4x advisory, while primarily a building management system product, has crossover relevance for energy sector facility management—building automation controllers in substations, control rooms, and utility offices could be affected.

The Iran-aligned cyber escalation continued to pose elevated risk to energy infrastructure. The conflict’s cyber dimension, documented extensively in week 10, saw FAD Team (Fatimiyoun Electronic Squad) publish screenshots claiming simultaneous access to multiple ICS and SCADA systems including pipeline schematics and process automation dashboards, describing their activity as a “first wave.” While independent verification of these claims has not been established, the consistency of Hebrew-language interface screenshots across multiple groups suggests at minimum a coordinated effort to identify and probe exposed Israeli ICS assets. Defense One reported that experts warn Iran-linked hacktivists could expand targeting to U.S. state and local government systems.

The Siemens Heliox EV charger advisory adds to the cumulative picture of distributed energy resource vulnerabilities, following the Poland DER attack, the EV charging OCPP disclosures across 12 vendors, and the Labkotec wind turbine ice detector advisory from week 10.

Manufacturing & Industrial

The March ICS Patch Tuesday delivered a substantial vulnerability management burden for manufacturing environments. The Siemens S7-1500 advisory alone affects over 100 model variants of PLCs deployed across manufacturing floors worldwide, and the stored XSS vulnerability (CVE-2025-40943) executes attacker-supplied script in the browser of an engineer who views the PLC’s web interface, giving an adversary a foothold on the engineering workstation itself, a pattern consistent with the adversary trend toward targeting engineering workstations documented by Dragos’s AZURITE threat group tracking.

Schneider Electric’s EcoStruxure Automation Expert advisory is particularly consequential for manufacturing, as the command execution vulnerability enables full system compromise of a platform used for industrial automation orchestration. Combined with the EcoStruxure Power Monitoring Expert and Power Operation flaws (local arbitrary code execution) and EcoStruxure IT Data Center Expert issues (hardcoded credentials), Schneider’s advisory batch represents a broad exposure across the company’s industrial software portfolio.

The Lantronix EDS serial device servers, commonly used to bridge legacy serial equipment to IP networks in manufacturing environments, carry two CVSS 9.8 vulnerabilities enabling unauthenticated root-level command execution. The Inductive Automation Ignition deserialization flaw, while requiring privileged access, affects one of the most widely deployed SCADA platforms in manufacturing and could enable code execution with OS-level service account permissions.

The Mitsubishi Electric GENESIS64 and MC Works64 advisory for CVE-2025-7239 (CVSS 7.8) disclosed a path traversal vulnerability in the Pager Agent component of the AlarmWorX64 MMX alarm management system. Attackers with local access can manipulate the SMSLogFile path to overwrite critical system binaries and disrupt SCADA system availability. Mitsubishi has released patches for GENESIS version 11.01 and later, but MC Works64 remains unpatched, requiring customers to implement mitigations.
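The defensive pattern for the class of flaw described above is path confinement: canonicalize the configured path and refuse anything that does not land inside the intended directory. The Python below is an added example of that check, not Mitsubishi's code; the log directory is a constructed temporary folder, the `SMSLogFile`-style value is taken as an untrusted string, and the traversal payloads are constructed.

```python
import tempfile
from pathlib import Path

# Constructed base directory standing in for the alarm system's log folder.
LOG_BASE = Path(tempfile.mkdtemp(prefix="alarmlogs-"))


def resolve_log_path(base: Path, requested: str) -> Path:
    """Resolve `requested` (for example a configured SMSLogFile value) under
    `base` and refuse anything that escapes it: absolute paths, '..' climbs,
    and existing symlinks that point outside. Returns the canonical path the
    caller may open. Note that resolve() can only follow symlinks that exist,
    so create log files with O_NOFOLLOW or re-check after creation."""
    base_real = base.resolve()
    # Path.joinpath discards `base` entirely when `requested` is absolute, so an
    # absolute attacker value lands outside base_real and is rejected below.
    candidate = (base_real / requested).resolve()
    if candidate == base_real:
        raise ValueError("log path must name a file, not the directory itself")
    if base_real not in candidate.parents:
        raise ValueError(f"path escapes log directory: {requested!r}")
    return candidate


def check(requested: str) -> str:
    """'ok' or 'rejected' for one configured value (convenience for demo and tests)."""
    try:
        resolve_log_path(LOG_BASE, requested)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for value in ("sms/2026-03.log", "sms/../today.log",
                  "../../../../../../usr/bin/alarmsvc", "/usr/bin/alarmsvc", "."):
        print(f"{value!r:40} -> {check(value)}")
```

Two details matter in practice: the comparison is made after `resolve()`, so `sms/../today.log` is allowed (it stays inside) while a climb that leaves the directory is not, and the check must run in the same process that opens the file, with the resolved path, or a race between check and use reopens the hole.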

Threat Intelligence Highlights

The Iran-aligned cyber escalation that began with Operation Epic Fury on February 28 continued to evolve through this reporting period. The Stryker wiper attack represents the most destructive single incident attributed to an Iran-linked group since the conflict’s cyber dimension began, and Handala’s use of the target’s own endpoint management infrastructure rather than custom malware demonstrates sophisticated operational tradecraft. Palo Alto Networks links Handala to Void Manticore, an MOIS-affiliated actor, distinguishing it from the IRGC-linked CyberAv3ngers that has primarily targeted ICS/OT systems.

In a separate but related development, Iranian state-sponsored group MuddyWater deployed a new backdoor called “Dindoor”—leveraging the Deno JavaScript runtime for execution—against U.S. critical infrastructure targets including a bank, an airport, NGOs in the U.S. and Canada, and the Israeli operation of a U.S. defense and aerospace software company. The campaign began in early February and escalated following the military strikes on Iran. A companion Python backdoor called “Fakeset” was also found on the airport’s networks, and data exfiltration was attempted using Rclone to Wasabi cloud storage. Meanwhile, APT34/OilRig (also MOIS-affiliated) has been “operationally silent” since February 28—assessed by CloudSEK as deliberate pre-positioning for potential future disruptive operations, given the group’s long-dwell access in energy and finance sectors.

The scale of potential exposure underscores the urgency: CloudSEK identified approximately 182,200 internet-exposed industrial and automation-related assets in the United States alone, and the more than 60 Iranian-aligned hacktivist groups that mobilized within hours of the February 28 strikes represent the largest single-event mobilization of this ecosystem ever recorded. Pro-Russia hacktivist group Z-Pentest, linked to NoName057(16), claimed responsibility for compromising several U.S.-based ICS/SCADA systems and CCTV networks during the period, using brute-force password spraying and default credential exploitation against exposed VNC services.

Poland’s nuclear research centre (NCBJ) was also targeted by a cyberattack during this period, with Iran now suspected alongside Russia as a potential source. Combined with the Szczecin hospital attack and the December 2025 energy grid attack, Poland has emerged as one of the most heavily targeted nations for critical infrastructure cyberattacks, prompting the government to set a record EUR 1 billion cybersecurity defense budget.

The U.S. released “President Trump’s Cyber Strategy for America” on March 6, accompanied by an executive order emphasizing offensive and defensive cyber capabilities, private sector collaboration, and critical infrastructure hardening. Separately, U.S. senators introduced the Energy Threat Analysis Center Act of 2026 to deepen government-industry collaboration on energy sector threat identification and mitigation.

The CISA operational crisis continued, with the DHS shutdown persisting and the agency operating at approximately 38% capacity. Despite these constraints, CISA managed to publish ten ICS advisories and update the KEV catalog, but proactive security assessments, training, and stakeholder engagement remain suspended during a period of historically elevated threat activity.

Defensive Recommendations

The Honeywell IQ4x BMS controller vulnerability (CVE-2026-3611, CVSS 10.0) demands immediate attention from any organization running these controllers. Since no vendor patch exists, mitigation is limited to isolating affected devices behind firewalls and restricting network access to them, and to configuring a user module so that the default System Guest context is no longer granted. Verify afterwards that the U.htm endpoint is not reachable without credentials from any untrusted network.
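A quick way to verify the last point is a credential-less request for the user page and a look at how the controller answers. The Python below is an added example, not a Honeywell or CISA tool: the URL path `/U.htm` is taken from the advisory text above but the exact path and the response a correctly configured controller returns are assumptions, and the verdict logic treats an unauthenticated 200 as exposure, a 401/403 or a redirect to a login page as protection, and anything else as something to look at by hand. Run it only against controllers you are authorized to test.

```python
import http.client
import sys
from typing import Optional

# The user-management page named in the advisory; exact path is an assumption.
ENDPOINT = "/U.htm"


def classify(status: int, location: Optional[str]) -> str:
    """Interpret an unauthenticated GET of the user page.
    200            -> page served without credentials: exposed
    401/403        -> controller demanded authentication: protected
    3xx + Location -> redirected away (typically to a login page): protected
    anything else  -> unknown, check by hand"""
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400 and location:
        return "protected"
    return "unknown"


def probe(host: str, port: int = 80, path: str = ENDPOINT, timeout: float = 3.0) -> dict:
    """Issue one credential-less GET and classify the result."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "iq4x-exposure-check/1"})
        resp = conn.getresponse()
        resp.read(4096)  # drain; the body is not needed for the verdict
        verdict = classify(resp.status, resp.getheader("Location"))
        return {"host": host, "status": resp.status, "verdict": verdict}
    except (OSError, http.client.HTTPException) as exc:
        # Refused or filtered is the desired outcome once the controller is isolated.
        return {"host": host, "status": None, "verdict": f"unreachable ({exc})"}
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python iq4x_check.py <host> [host ...]
    for target in sys.argv[1:]:
        r = probe(target)
        print(f'{r["host"]:20} HTTP {r["status"]}  {r["verdict"]}')
```

Run it from the same untrusted network segments that the firewall rules are supposed to block, not from the BMS VLAN; an "unreachable" verdict from outside and a "protected" verdict from inside is the state you want after configuring a user module.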

Siemens S7-1500 operators should prioritize the firmware update to version 4.1.2 to address the critical stored XSS (CVE-2025-40943). Where immediate patching is not feasible, disable the PLC webserver on ports 80/tcp and 443/tcp. RUGGEDCOM APE1808 operators running FortiGate NGFW should update to version 7.4.11 to close the authentication bypass (CVE-2026-24858).

Lantronix EDS3000PS and EDS5000 operators should update firmware immediately given the two CVSS 9.8 unauthenticated command execution vulnerabilities. Until patched, restrict network access to management interfaces and audit for unauthorized access. Apeman ID71 camera operators should isolate devices from the internet, as no vendor patch is available.

Schneider Electric EcoStruxure operators should review all six advisories published this Patch Tuesday and apply available patches, prioritizing the Automation Expert and Data Center Expert products where vulnerabilities enable full system compromise. Inductive Automation Ignition users should upgrade to version 8.3.0 or later to address the deserialization flaw.

Healthcare organizations should assess their exposure to the Stryker supply chain disruption and review their own endpoint management platform security. The Handala attack demonstrates that cloud-based MDM and endpoint management tools can be weaponized for mass destruction if administrative credentials are compromised. Implement conditional access policies, scope the right to issue wipe or retire commands to the smallest possible set of role assignments, monitor for anomalous Intune or similar MDM commands, and ensure administrative accounts are protected with hardware-backed MFA.
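The monitoring recommendation above, and the Stryker mechanism it responds to (one set of administrator credentials issuing wipe commands to an entire fleet through Intune), reduce to a simple rate rule: no legitimate operator wipes dozens of devices within minutes. The Python below is an added example, not a Microsoft or vendor detection: the audit stream is constructed, and the tuple shape and action names are this example's own normalized vocabulary rather than the Graph `auditEvents` schema, so a real deployment maps the tenant's audit export onto them first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that destroy or detach endpoints (this example's vocabulary, not Microsoft's).
DESTRUCTIVE = {"wipe", "retire", "fresh_start"}

# Constructed audit stream: (timestamp, actor, action, target device).
_BASE = datetime(2026, 3, 11, 2, 0, 0)
EVENTS = []
# helpdesk wipes one lost laptop roughly every three hours: normal operations
for i in range(3):
    EVENTS.append((_BASE + timedelta(hours=3 * i), "helpdesk@corp.example", "wipe", f"LT-{100 + i}"))
# one administrator account issues 40 wipes in two minutes: the pattern to catch
for i in range(40):
    EVENTS.append((_BASE + timedelta(hours=1, seconds=3 * i),
                   "intune-admin@corp.example", "wipe", f"WS-{i:04d}"))
# routine noise that must not trip the rule
EVENTS.append((_BASE + timedelta(minutes=30), "helpdesk@corp.example", "sync", "LT-100"))


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window rule: alert the first time any single actor issues
    `threshold` destructive actions within `window`. One alert per actor."""
    recent = defaultdict(deque)   # actor -> timestamps of destructive actions in window
    alerted, alerts = set(), []
    for ts, actor, action, _target in sorted(events):
        if action not in DESTRUCTIVE:
            continue
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "window_start": q[0],
                           "triggered_at": ts, "count": len(q)})
    return alerts


def blast_radius(events, actor):
    """Distinct devices the actor has issued destructive actions against (scoping)."""
    return {t for _, a, act, t in events if a == actor and act in DESTRUCTIVE}


if __name__ == "__main__":
    for alert in detect_mass_wipe(EVENTS):
        print(f'ALERT {alert["actor"]}: {alert["count"]} wipes between '
              f'{alert["window_start"]:%H:%M:%S} and {alert["triggered_at"]:%H:%M:%S}; '
              f'{len(blast_radius(EVENTS, alert["actor"]))} devices affected in log so far')
```

The rule fires on the fifth wipe, about twelve seconds into the burst, which is the point of streaming evaluation: the alert is what should drive an automated response (revoking the actor's sessions and role assignment) while the remaining commands are still queued, rather than a report after the fleet is gone. Tune `threshold` and `window` to the helpdesk's real rate, and keep `blast_radius` for the incident record.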

Organizations in Poland and nations with critical infrastructure exposure to the Iran-aligned or Russia-aligned cyber campaigns should review Unit 42’s threat brief, implement CyberAv3ngers-specific indicators of compromise, and ensure all internet-facing OT systems have had default credentials changed and unnecessary services disabled.
