Executive Summary
The week’s most significant geopolitical disclosure came on April 15, when Sweden publicly attributed a 2025 attempted destructive cyberattack on a thermal power plant to a pro-Russian group with links to Russian intelligence and security services—marking a documented escalation from denial-of-service harassment to OT-targeted destructive operations against European energy infrastructure. On the advisory front, CISA released four ICS advisories on April 16 (ICSA-26-106-01 through -04) covering Delta Electronics, Horner Automation, Anviz, and AVEVA, with the Anviz advisory disclosing over a dozen CVEs in widely deployed physical access control systems at CVSS scores reaching 9.8, and the AVEVA Pipeline Simulation advisory revealing a critical missing-authorization flaw (CVE-2026-5387, CVSS 9.3) that allows unauthenticated attackers to modify pipeline simulation parameters. The ICS Patch Tuesday on April 16 brought additional advisories from Siemens, Schneider Electric, Rockwell Automation, ABB, Phoenix Contact, Mitsubishi Electric, and Moxa. The FBI released its IC3 2025 Internet Crime Report on April 10, confirming healthcare as the most ransomware-targeted critical infrastructure sector with 278 attacks in 2025 and total U.S. cybercrime losses exceeding $21 billion.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of April 10 – April 17, 2026
Critical Alerts & Advisories
CISA April 16 ICS Advisories (ICSA-26-106 Series)
CISA published four ICS advisories on April 16, covering products used in physical access control, PLC programming environments, and pipeline simulation.
ICSA-26-106-01: Delta Electronics ASDA-Soft addresses a stack-based buffer overflow triggered during parsing of malformed .par files in ASDA-Soft version 7.2.0.0 and earlier. Successful exploitation allows an attacker to execute arbitrary code. All versions up to and including v7.2.2.0 are affected. Delta Electronics has released v7.2.6.0 as the remediated version. The vulnerability requires user interaction—an attacker must convince the target to open a malicious file—limiting the attack vector to spear-phishing or supply chain compromise targeting automation engineers who use this servo drive configuration software.
ICSA-26-106-02: Horner Automation Cscape and XL4/XL7 PLC discloses CVE-2026-6284, rated CVSS 9.1, a critical weak-password vulnerability in the Cscape PLC programming environment and associated XL4 and XL7 series PLCs. The absence of password complexity requirements and the absence of brute-force rate limiting on password input fields allows network-accessible attackers to enumerate credentials and gain unauthorized access to systems and services. This is the same family of controllers targeted in the April 9 GPL750 advisory from week 15, reinforcing the concentration of risk in Horner Automation’s product line. Horner Automation recommends updating to Cscape v10.2 SP2 or later and applying the latest firmware to XL4 and XL7 units.
ICSA-26-106-03: Anviz Multiple Products is the most expansive of the four April 16 advisories, covering twelve CVEs across three Anviz products—CX2 Lite Firmware, CX7 Firmware, and CrossChex Standard management software—with the highest severity reaching CVSS 9.8. Anviz manufactures biometric and card-based physical access control devices widely deployed in facility entry systems, data centers, and critical infrastructure perimeters. The disclosed vulnerabilities span a wide range of attack classes: unauthenticated POST requests that modify debug settings (enabling SSH without credentials), authenticated command injection via filename parameters achieving root-level code execution, cleartext storage and transmission of sensitive credentials, session token predictability enabling authentication bypass, and SQL injection in the CrossChex management application. Specific CVEs include CVE-2026-32648, CVE-2026-40461, CVE-2026-35682, CVE-2026-35546, CVE-2026-40066, CVE-2026-33569 (CX2 Lite); CVE-2026-33093, CVE-2026-35061, CVE-2026-32324, CVE-2026-31927 (CX7 additional); and CVE-2026-40434, CVE-2026-32650 (CrossChex). Critically, Anviz did not respond to CISA’s coordinated disclosure process. No patch or mitigation from the vendor is available. CISA recommends network isolation, minimizing internet exposure, and replacing affected devices where possible. The failure of the vendor to engage with disclosure is particularly concerning for physical security infrastructure that often sits on the boundary between cyber and physical systems.
ICSA-26-106-04: AVEVA Pipeline Simulation covers CVE-2026-5387, a critical missing-authorization vulnerability (CWE-862) with a CVSS v4.0 score of 9.3. AVEVA’s Pipeline Simulation software is used to model and train operators on gas and liquid pipeline behavior—commonly deployed in oil and gas, chemical processing, and utilities. The flaw allows an unauthenticated remote attacker to perform operations intended exclusively for Simulator Instructor or Simulator Developer roles, including modifying simulation parameters, altering training configurations, and overwriting training records. All versions up to 2025 SP1 build 7.1.9497.6351 are affected. AVEVA released a patch in conjunction with the advisory. The advisory carries significant implications for pipeline operator training programs: an attacker who can silently modify simulation parameters could corrupt the training environment, causing operators to develop incorrect mental models of pipeline behavior and emergency response procedures.
ICS Patch Tuesday – April 16: Eight Industrial Giants
The April 16 Patch Tuesday cycle brought advisories from eight major industrial automation vendors: Siemens, Schneider Electric, AVEVA, Rockwell Automation, ABB, Phoenix Contact, Mitsubishi Electric, and Moxa. No confirmed exploits in the wild were reported for these advisories at time of publication.
Siemens published nine advisories covering a range of severity levels. The sole critical-rated advisory addressed older Wi-Fi vulnerabilities in Scalance W-700 series devices. High-severity findings included authentication and authorization bypass flaws in Sinec NMS (network management software for industrial networks), privilege escalation, code execution, and denial-of-service vulnerabilities in Ruggedcom Crossbow, and authorization bypass in Industrial Edge Management.
Schneider Electric released three advisories. One described the impact of the BlastRadius vulnerability—a RADIUS protocol flaw disclosed in 2024—on the Modicon Networking Managed Switch product line. The other two covered medium-severity vulnerabilities in PowerChute Serial Shutdown UPS management software and Easergy MiCOM Px40 protection relays used in power distribution.
Rockwell Automation published an updated advisory for ControlLogix vulnerabilities—ICSA-26-099, initially released April 9—reflecting the continued cadence of patching activity for its controller platform.
Energy & Power Grid
Sweden Attributes 2025 Power Plant Attack to Russia
On April 15, Swedish Minister of Civil Defense Carl-Oskar Bohlin announced at a Stockholm press conference that a pro-Russian group with connections to Russian intelligence and security services was responsible for a cyberattack on a Swedish thermal power plant that occurred in spring 2025. The attack was blocked by a built-in protection mechanism before causing any disruption to heat or power generation. The facility and its operator were not publicly named.
The attribution carries significance beyond the incident itself. Swedish officials characterized the operation as part of a documented shift in pro-Russian hacker behavior: groups that previously confined themselves to distributed denial-of-service attacks against websites have moved toward intrusions targeting operational technology systems—the industrial software that physically controls power plants, water facilities, and manufacturing equipment. This transition from availability disruption to physical process disruption represents a materially higher level of operational risk, and aligns with warnings from Poland, Norway, Denmark, and Latvia that Russia is conducting sustained campaigns against European critical infrastructure.
The announcement followed reporting by TechCrunch, SecurityWeek, and Euronews on April 15, with corroborating coverage from The Washington Post on the same date. Russia’s ambassador to Sweden denied any involvement.
Iranian PLC Campaign: Industry Reaction and Ongoing Exposure
The joint advisory AA26-097A issued April 7 continued to generate response and analysis throughout the week of April 10-17. Security firms published detailed technical guidance on detecting the specific Iranian TTPs described in the advisory, and NERC’s Watch Operations team remained at elevated monitoring posture.
Censys data, published April 8 and continuing to be cited, showed 5,219 globally exposed EtherNet/IP devices identifying as Rockwell Automation/Allen-Bradley hardware, with 3,891 (74.6%) located in the United States. The Foundation for Defense of Democracies (FDD) published analysis on April 10 connecting the PLC targeting campaign to the broader Iranian cyber strategy against U.S. and allied critical infrastructure, noting that CyberAv3ngers’ exploitation techniques have proliferated to an estimated 60 or more affiliated hacktivist groups, meaning mitigation of the core group does not eliminate the threat.
The Department of Energy announced a $160 million funding allocation to accelerate energy sector cybersecurity improvements, citing the convergence of grid modernization—which introduces new attack surfaces through distributed energy resources and smart grid software—with the escalating threat environment.
Medical Device & Healthcare CPS Security
FBI IC3 2025 Report: Healthcare Top Ransomware Target
On April 10, the FBI released its Internet Crime Complaint Center (IC3) 2025 Annual Report, providing the most comprehensive view of ransomware impact on U.S. critical infrastructure. Healthcare and public health emerged as the most heavily targeted critical infrastructure sector for ransomware in 2025, with 278 reported attacks—a figure the FBI explicitly notes understates actual incident volume due to underreporting. Total U.S. cybercrime losses exceeded $21 billion in 2025, up 26% from 2024, with ransomware accounting for $32.3 million in reported losses, a 259% increase from the prior year. The top ransomware variants affecting critical infrastructure in 2025 were Akira, Qilin, and Lynx, all operating as ransomware-as-a-service with double extortion models. Manufacturing, healthcare, and government facilities were the top three targeted critical infrastructure sectors.
Grassroots DICOM Vulnerability: No Patch Available
The CISA advisory for Grassroots DICOM (ICSMA-26-083-01), published March 24 but receiving broader industry attention in the April 10-17 period, discloses CVE-2026-3650, a high-severity (CVSS 7.5) memory leak vulnerability in the GDCM library version 3.2.2. A malformed DICOM file of approximately 150 bytes can cause affected systems to allocate 4.2 gigabytes of memory without releasing it, enabling remote unauthenticated denial-of-service attacks against PACS servers, radiology workstations, and any system incorporating GDCM as a dependency. Downstream affected software includes 3D Slicer, SimpleITK, Medical Imaging Interaction Toolkit, and Orthanc DICOM servers—all widely used in hospitals and radiology departments. No patch is available; Grassroots DICOM has not responded to CISA’s coordination attempts. Mitigations are limited to network isolation of DICOM systems, perimeter-based DICOM file validation, and OS-level memory resource limits.
ACN Healthcare Ransomware (Lynx Group)
On April 10, the Lynx ransomware group claimed ACN Healthcare as a victim, marking the second healthcare ransomware incident in consecutive days following the April 9 Anubis claim against Signature Healthcare in Brockton, Massachusetts. The Signature Healthcare incident—first disclosed April 6, with the hospital still recovering through the week of April 10—resulted in emergency room diversion, chemotherapy cancellation, pharmacy disruption, and reversion to manual patient-tracking on whiteboards. The dual claims within 24 hours underscore the sustained tempo of healthcare ransomware operations.
The HIPAA Journal reported that Signature Healthcare’s downtime procedures were expected to continue for approximately two weeks following the April 6 detection, meaning systems remained degraded through the April 10-17 reporting period.
Automotive CPS Security
Pwn2Own Automotive 2026: Post-Competition Disclosure Period
The coordinated disclosure window for vulnerabilities discovered at Pwn2Own Automotive 2026, held January 21-23, moved further through its 90-day timeline during the week of April 10-17, increasing the likelihood of additional technical details becoming public in the coming weeks. The competition disclosed 76 zero-day vulnerabilities across infotainment systems, EV chargers, and Tesla interfaces, with researchers earning $1,047,000 in total awards. Affected EV charger products included the Alpitronic HYC50, Phoenix Contact CHARX SEC-3150, ChargePoint Home Flex, and Grizzl-E Smart 40A. VicOne researchers documented five zero-day vulnerabilities in two aftermarket peripherals—the CarlinKit CPC200-CCPA wireless CarPlay dongle and the 70mai A510 smart dashcam—with an estimated 85,000+ of these devices currently internet-exposed.
As the 90-day window approaches expiration for day-one competition vulnerabilities, with the earliest disclosure deadlines falling around April 20, organizations operating affected EV charging infrastructure should verify that vendor patches have been applied.
Manufacturing Sector Threat Report
A report published April 15 by Security MEA, drawing on Dragos’s 2026 OT Cybersecurity Year in Review data, confirmed that manufacturing faced the most severe cyber threats in 2025 across all industrial sectors. Manufacturing accounted for the highest share of ICS ransomware victims, driven by the combination of legacy OT systems with known vulnerabilities (80% of European manufacturers operate critical OT with unpatched flaws), the high impact of operational disruption, and increasing interconnection between IT and OT environments. Ransomware groups Qilin and Gentlemen, the latter expanding from 35 victims in Q4 2025 to 182 in Q1 2026, are particularly active against manufacturing targets.
Water & Wastewater Sector
The EPA proposed a $19 million information security enhancement for water system cybersecurity during the week of April 10-17, following consistent findings that approximately 70% of inspected water utilities have critical cybersecurity deficiencies. The proposal would fund vulnerability assessments, incident response planning, and technical assistance to small and medium utilities that lack dedicated cybersecurity personnel.
The Iranian PLC campaign (AA26-097A) continued to be the primary tactical concern for the water sector. The documented technique of manipulating HMI and SCADA display data to show falsified readings remains particularly dangerous for water treatment processes where operator trust in sensor readings is foundational to safe chemical dosing and distribution.
Threat Intelligence Highlights
The M-Trends 2026 report from Mandiant (Google Cloud), covered by Industrial Cyber during this period, characterized the current threat landscape as defined by faster, more coordinated, and increasingly industrialized cyberattacks. Median dwell time for attackers in critical infrastructure environments has continued to decline, meaning defenders have less time to detect intrusions before attackers achieve their objectives. Nation-state groups are increasing their use of operational relay box (ORB) networks, rented through commercial cloud and hosting providers, to obscure attribution and complicate incident response, the same technique used by the Iranian-affiliated actors in the AA26-097A campaign.
The convergence of the Iranian PLC campaign, the Swedish disclosure of Russian OT targeting, and the continued ransomware pressure on healthcare and manufacturing illustrates a threat environment in which CPS defenders must simultaneously address nation-state intrusion operations, hacktivist disruption campaigns, and financially motivated ransomware groups—each with different TTPs, dwell-time characteristics, and operational objectives.
Defensive Recommendations
Organizations operating AVEVA Pipeline Simulation should immediately apply the patch for CVE-2026-5387 (ICSA-26-106-04) and restrict network access to simulation servers to authorized instructor and developer workstations only. Verify that training records have not been altered by reviewing simulation logs for unexpected parameter changes.
Facilities using Anviz CX2 Lite, CX7, or CrossChex access control products should treat these systems as unpatched indefinitely given vendor non-response, isolate them from general network access, disable remote management interfaces, and evaluate replacement timelines. Physical access control systems with network connectivity to critical areas require particular scrutiny given the scope of vulnerabilities disclosed in ICSA-26-106-03.
Organizations using Horner Automation Cscape or XL4/XL7 PLCs should update to Cscape v10.2 SP2 and apply the latest XL4/XL7 firmware per ICSA-26-106-02. Complement software updates with network-level access controls to prevent brute-force attacks reaching PLC authentication interfaces.
Healthcare organizations should use the FBI IC3 2025 report findings to brief senior leadership on ransomware risk to patient care operations. The Signature Healthcare incident provides a current, domestic reference case for explaining how ransomware translates into clinical impact—ambulance diversion, chemotherapy cancellation, pharmacy closure—that resonates with non-technical decision makers. Use this window to validate that downtime procedures are current, tested, and accessible without electronic systems.
Radiology and imaging departments should assess DICOM system exposure in light of CVE-2026-3650, confirming that PACS servers and DICOM workstations are not directly reachable from the internet or from untrusted internal network segments. Apply OS-level memory resource limits (cgroups on Linux, job objects on Windows) to DICOM processing services as a partial mitigation until a patch is available.
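The perimeter-based DICOM file validation recommended here and in the Grassroots DICOM section can be implemented as a structural sanity check on the File Meta Information (group 0002) that runs before any full DICOM parser such as GDCM touches the file. The block below is an added example, not code from CISA, the advisory, or the GDCM project; the 64 MiB per-element cap is an assumed site policy, and the two sample files are constructed for illustration (the malformed one is not the CVE-2026-3650 trigger, which the advisory does not publish).

```python
import struct

PREAMBLE_LEN = 128
# VRs whose explicit-VR encoding carries 2 reserved bytes and a 4-byte length
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
MAX_ELEMENT_BYTES = 64 * 1024 * 1024  # assumed site cap for one meta element

def parse_element_header(data, offset):
    """Decode one explicit-VR little-endian header: ((group, elem), vr, length, value_offset)."""
    if offset + 8 > len(data):
        raise ValueError(f"truncated element header at offset {offset}")
    group, element = struct.unpack_from("<HH", data, offset)
    vr = data[offset + 4:offset + 6]
    if vr in LONG_LENGTH_VRS:
        if offset + 12 > len(data):
            raise ValueError(f"truncated long-length header at offset {offset}")
        (length,) = struct.unpack_from("<I", data, offset + 8)
        return (group, element), vr, length, offset + 12
    (length,) = struct.unpack_from("<H", data, offset + 6)
    return (group, element), vr, length, offset + 8

def validate_dicom_meta(data):
    """Walk group 0002 before a full parser sees the file; return (ok, reason).
    Rejects a missing DICM magic, truncated headers, and any declared length larger
    than the bytes present or the site cap (undefined length 0xFFFFFFFF included)."""
    magic_end = PREAMBLE_LEN + 4
    if len(data) < magic_end or data[PREAMBLE_LEN:magic_end] != b"DICM":
        return False, "missing DICM magic"
    offset, seen = magic_end, set()
    while offset < len(data):
        try:
            tag, _vr, length, value_off = parse_element_header(data, offset)
        except ValueError as exc:
            return False, str(exc)
        if tag[0] != 0x0002:
            break  # first dataset element reached: meta group fully checked
        if length > MAX_ELEMENT_BYTES or value_off + length > len(data):
            return False, (f"({tag[0]:04X},{tag[1]:04X}) declares {length} bytes; "
                           f"file holds {len(data)}, cap is {MAX_ELEMENT_BYTES}")
        seen.add(tag)
        offset = value_off + length
    missing = {(0x0002, 0x0002), (0x0002, 0x0010)} - seen
    if missing:
        return False, f"missing required meta elements {sorted(missing)}"
    return True, "ok"

def _elem(group, element, vr, value):
    """Encode one explicit-VR-LE element (used only to build constructed samples)."""
    head = struct.pack("<HH", group, element) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\0\0" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

# Constructed samples: a well-formed CT meta header, and a 146-byte file whose
# (0002,0001) element claims almost 4 GiB (illustration only, not the CVE trigger).
_UID_CT = b"1.2.840.10008.5.1.4.1.1.2\0"  # CT Image Storage SOP class
_UID_ELE = b"1.2.840.10008.1.2.1\0"       # Explicit VR Little Endian
GOOD_FILE = (b"\0" * PREAMBLE_LEN + b"DICM"
             + _elem(0x0002, 0x0001, b"OB", b"\x00\x01")
             + _elem(0x0002, 0x0002, b"UI", _UID_CT) + _elem(0x0002, 0x0010, b"UI", _UID_ELE)
             + _elem(0x0008, 0x0016, b"UI", _UID_CT))
BAD_FILE = (b"\0" * PREAMBLE_LEN + b"DICM" + struct.pack("<HH", 0x0002, 0x0001) + b"OB\0\0"
            + struct.pack("<I", 0xFFFFFFF0) + b"\x00\x01")
```

Files that fail this check should be quarantined at the ingest boundary (e.g., the DICOM router or storage SCP) rather than forwarded to PACS or workstation parsers; the check complements, and does not replace, the OS-level memory limits.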
Energy utilities and grid operators should monitor for Pwn2Own Automotive disclosure activity as 90-day windows expire, particularly for EV charging infrastructure that may be connected to utility networks or smart grid endpoints.
Sources Referenced
Government Advisories & Alerts
- ICSA-26-106-01: Delta Electronics ASDA-Soft (CISA)
- ICSA-26-106-02: Horner Automation Cscape and XL4, XL7 PLC (CISA)
- ICSA-26-106-03: Anviz Multiple Products (CISA)
- ICSA-26-106-04: AVEVA Pipeline Simulation (CISA)
- ICSMA-26-083-01: Grassroots DICOM (CISA)
- AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across U.S. Critical Infrastructure (CISA)
Energy Sector
- Sweden Blames Russian Hackers for Attempting Destructive Cyberattack on Thermal Plant (TechCrunch)
- Sweden Blames Pro-Russian Group for Cyberattack Last Year on Its Energy Infrastructure (SecurityWeek)
- Sweden Foiled Pro-Russian Cyberattack on Thermal Power Plant in 2025, Minister Says (Euronews)
- NERC Is Actively Monitoring the Grid Following Iran-Linked Cyber Threat (Utility Dive)
- DOE Allocates $160 Million to Secure Energy Systems (Industrial Cyber)
- Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure (CSIS)
ICS Patch Tuesday Coverage
- ICS Patch Tuesday: 8 Industrial Giants Publish New Security Advisories (SecurityWeek)
- CISA Flags ICS Vulnerabilities in Products from Siemens, Schneider Electric, Rockwell, and Others (Industrial Cyber)
- AVEVA Pipeline Simulation Critical Authorization Flaw CVE-2026-5387 (Windows News)
- CISA Issues Critical Advisory for Anviz Access Control Vulnerabilities CVSS 9.8 (Windows News)
- CISA Warns of Critical Horner PLC Vulnerability CVE-2026-6284 with CVSS 9.1 (Windows News)
Healthcare & Medical Devices
- FBI: Health Care Was Top Target for Ransomware, Other Cyberthreats in 2025 (AHA News)
- Cybercrime Losses Jumped 26% to $20.9 Billion in 2025 (CyberScoop)
- CISA Flags Critical Flaw in Grassroots DICOM Imaging Library (GovInfoSecurity)
- Brockton Hospital Ransomware Attack: Downtime Procedures to Continue for Two Weeks (HIPAA Journal)
- Healthcare Data Breach 2026: What 4 Breaches Reveal (Zeron)
Automotive & CPS
Threat Intelligence & Analysis
- The Islamic Republic of Iran Attacks U.S. and Allied Critical Infrastructure (FDD)
- M-Trends 2026 Reveals Threat Landscape Shaped by Faster, Coordinated, and Industrialized Cyberattacks (Industrial Cyber)
- What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure (Tenable)
- Censys: Iranian-Affiliated APT Targeting of Rockwell/Allen-Bradley PLCs