Executive Summary
CISA’s two advisory batches on April 21 and April 23 covered a broad range of ICS products, with the most severe findings concentrated in the SenseLive X3050 industrial gateway (eleven CVEs, CVSS 9.8, no vendor patch) and the Silex Technology SD-330AC serial-to-IP converter (thirteen CVEs, highest CVSS 9.8). The latter was part of a wider Forescout research disclosure—named BRIDGE:BREAK—that identified 22 vulnerabilities across Lantronix and Silex products and found approximately 20,000 such devices internet-exposed. CISA also published an advisory for the Intrado 911 Emergency Gateway (CVE-2026-6074), a path traversal flaw enabling unauthenticated access to emergency communications management interfaces. Darktrace published analysis of ZionSiphon, an OT-targeting malware designed to manipulate chlorine doses and water pressure at Israeli desalination and treatment plants; Dragos assessed the current sample as pre-operational due to implementation flaws. The Iranian-affiliated PLC campaign (AA26-097A) continued to drive response activity throughout the week, with the CYFIRMA intelligence report for April 17 confirming that Iranian-linked groups have not stood down despite public announcements of a temporary U.S. operations pause.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of April 17 – April 24, 2026
Critical Alerts & Advisories
CISA April 21 ICS Advisories (ICSA-26-111 Series)
CISA published twelve ICS advisories on April 21, 2026, covering products from Siemens, Silex Technology, SenseLive, Hardy Barth, and others.
ICSA-26-111-03: Siemens SINEC NMS discloses an authentication bypass vulnerability in SINEC NMS when deployed with the User Management Component (UMC). Insufficient validation of user identity allows an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the network management application. The vulnerability identifier ZDI-CAN-27564 was assigned by Trend Micro’s Zero Day Initiative. Siemens released SINEC NMS V4.0 SP3 as the remediated version. SINEC NMS is widely used to centrally manage Siemens industrial network components—routers, switches, firewalls—across manufacturing and utility environments. An attacker who bypasses authentication gains visibility into and control over the managed network topology, enabling reconnaissance and lateral movement preparation.
ICSA-26-111-05: Hardy Barth Salia EV Charge Controller covers two vulnerabilities in Salia Board Firmware version 2.0.4 and earlier. CVE-2025-5873 is an unrestricted file upload vulnerability in the /firmware.php endpoint of the web UI that allows an unauthenticated attacker to upload arbitrary files and achieve remote code execution. CVE-2025-10371 is a buffer overflow condition that can crash the device or enable code execution. Successful exploitation of either vulnerability could crash affected charging stations or give an attacker persistent control over EV charging infrastructure. Hardy Barth Salia controllers are deployed at commercial and industrial charging sites. No specific CVSS scores were published in the initial advisory summary, but both are rated critical for potential RCE impact.
ICSA-26-111-10: Silex Technology SD-330AC and AMC Manager is the highest-severity advisory in the April 21 batch, disclosing thirteen CVEs across the SD-330AC wireless serial device server and its AMC Manager administration software. This advisory corresponds to the Forescout BRIDGE:BREAK research (see below). The most severe vulnerability, CVE-2026-32956 (CVSS 9.8 / CVSS v4.0: 9.3), is an unauthenticated heap-based buffer overflow triggered when processing the login redirect URL. Additional high-severity findings include a stack buffer overflow (CVE-2026-32955, CVSS 8.8), an insecure default null password enabling unauthenticated admin access (CVE-2026-32965, CVSS 7.5), a hard-coded cryptographic key allowing firmware tampering (CVE-2026-32958), and an authentication bypass via a broken mechanism in the web management interface (CVE-2026-32960). Three legacy CVEs from third-party components are also included, among them a net-snmp integer overflow (CVE-2015-5621) and an improper access control flaw in the DS-600 model (CVE-2024-24487, CVSS 6.8). Remediation requires upgrading to SD-330AC firmware 1.50 or later and AMC Manager 5.1.0 or later. As an interim measure, disabling HTTP/HTTPS management services and changing default administrator credentials are advised.
ICSA-26-111-12: SenseLive X3050 is the broadest advisory of the week, disclosing eleven vulnerabilities in the SenseLive X3050 V1.523 industrial IoT gateway. The vulnerabilities include authentication bypass, hard-coded credentials, insufficient session expiration, missing authorization, cleartext transmission, and cross-site request forgery, with the most severe reaching CVSS 9.8. CVEs disclosed include CVE-2026-40630, CVE-2026-25720, CVE-2026-35503, CVE-2026-39462, CVE-2026-27843, CVE-2026-40431, CVE-2026-40623, CVE-2026-27841, CVE-2026-40620, CVE-2026-35064, and CVE-2026-25775. Successful exploitation could allow an attacker to take complete control of the device. The X3050 is deployed across Critical Manufacturing, Water and Wastewater, Energy, and Information Technology sectors. SenseLive did not respond to CISA’s coordinated disclosure requests, and no vendor patch or mitigation guidance is available. CISA recommends network isolation and minimizing internet exposure.
CISA April 23 ICS Advisories (ICSA-26-113 Series)
CISA published additional advisories on April 23, 2026, covering transportation, surveillance, and emergency communications infrastructure.
ICSA-26-113-02: Carlson Software VASCO-B GNSS Receiver discloses CVE-2026-3893 (CVSS 9.4, Critical), a missing authentication for critical function (CWE-306) affecting VASCO-B GNSS Receiver versions prior to 1.4.0. The device lacks any authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without credentials. The VASCO-B is a survey-grade GNSS receiver used in precision positioning applications in Critical Manufacturing and related sectors. Carlson Software has released version 1.4.0 as the patch. No known public exploitation has been reported.
ICSA-26-113-03: Milesight Cameras covers five vulnerabilities across a wide range of Milesight AI/IoT camera models—including MS-Cxx63-PD, MS-Cxx64-xPD, MS-Cxx73-xPD, MS-Cxx75-xxPD, MS-Cxx83-xPD, MS-Cxx74-PA, MS-C8477-HPG1, and MS-C8477-PC—running firmware versions at or below 51.7.0.77-r12 or 3x.8.0.3-r11 depending on model. The disclosed vulnerability classes include unauthenticated remote code execution, command injection, path traversal, and denial-of-service. CVEs include CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, and CVE-2026-20766. Successful exploitation could crash the device or allow remote code execution. Milesight has released patched firmware for all affected models — MS-Cxx63-PD receives version 51.7.0.77-r13, MS-Cxx74-PA receives 3x.8.0.3-r13, MS-C8477-HPG1 receives 63.8.0.4-r4, and MS-C8477-PC receives 48.8.0.4-r4 — and advises users to upgrade through the Milesight support download page.
ICSA-26-113-06: Intrado 911 Emergency Gateway (EGW) discloses CVE-2026-6074, a path traversal vulnerability affecting Emergency Gateway versions 5.x, 6.x, and 7.x. The flaw enables an attacker with network access to reach the EGW management interface without authentication, and then read, modify, or delete files. The 911 Emergency Gateway is used to route emergency calls in public safety answering point (PSAP) infrastructure. Intrado developed and released a software update on March 2, 2026, and has coordinated patch delivery with customers. CISA recommends minimizing network exposure, placing control system networks behind firewalls, and using VPNs for required remote access. Given the safety-critical nature of 911 call routing, organizations operating unpatched EGW versions should prioritize this remediation.
ICSA-26-113 (unnumbered in sources): Schneider Electric Modicon Controllers (Update A) was published on April 23 as an update to an earlier advisory covering Modicon M241, M251, M258, and LMC058 controllers. The update addresses a cross-site scripting (CWE-79) vulnerability. Modicon M241 and M251 versions prior to 5.4.13.12 are affected; M258 and LMC058 have all firmware versions affected with no patch available for those models. Successful exploitation could result in cross-site scripting attacks or open redirect attacks leading to account takeover or code execution in the operator’s browser. Schneider Electric recommends updating M241 and M251 to version 5.4.13.12 or later.
Research Disclosures
BRIDGE:BREAK: Forescout Discloses 22 Vulnerabilities in Serial-to-IP Converters
On April 21, 2026, Forescout Research Vedere Labs published BRIDGE:BREAK, a coordinated disclosure covering 22 vulnerabilities across serial-to-IP converter products from Lantronix and Silex Technology. Forescout identified approximately 20,000 affected devices reachable from the public internet across industrial, utility, transportation, and healthcare networks.
Eight of the 22 flaws affect the Lantronix EDS3000PS and EDS5000 device servers; the remaining fourteen affect the Silex SD-330AC wireless bridge and AMC Manager software (covered above under ICSA-26-111-10). Vulnerability classes span unauthenticated remote code execution, authentication bypass, hard-coded cryptographic keys permitting firmware tampering, default-null administrative passwords, heap and stack buffer overflows in web management processing, reflected cross-site scripting, and arbitrary file upload. The most critical vulnerability is CVE-2026-32956 (CVSS 9.8), an unauthenticated heap buffer overflow in the Silex SD-330AC login flow.
Serial-to-IP converters occupy a critical position in industrial and healthcare networks: they bridge legacy serial devices—PLCs, sensors, medical instruments, point-of-sale terminals—that cannot be replaced with TCP/IP-connected equivalents, meaning the converters sit on the boundary between older serial-era equipment and modern IP networks. An attacker who compromises a converter can relay malicious commands to the attached serial device, intercept serial communications, or use the converter as a persistent foothold in an otherwise air-gapped segment.
Forescout conducted the disclosure in coordination with CISA and the affected vendors. No exploitation in the wild was observed at time of publication. Vendors have released patches for both product lines.
ZionSiphon: OT Malware Targeting Israeli Water Infrastructure
Darktrace researchers published analysis on approximately April 17, 2026, of a malware sample named ZionSiphon, designed to sabotage water treatment and desalination facilities in Israel. The sample was first observed on VirusTotal in late June 2025—shortly after the June 13-24, 2025 conflict between Iran and Israel—and is assessed as geopolitically motivated.
ZionSiphon combines standard commodity malware capabilities—privilege escalation, registry persistence, USB propagation via malicious shortcut files—with OT-specific functionality targeting industrial control systems. After establishing a foothold, it performs IP-based geolocation checks targeting Israeli address ranges, then scans for processes and filesystem artifacts associated with water treatment operations: reverse osmosis, desalination, chlorine handling, and plant control software. Its target list includes Mekorot — Israel’s national water company — and four major seawater desalination plants: Sorek, Hadera, Ashdod, and Palmachim, as well as the Shafdan wastewater treatment facility.
For ICS manipulation, the malware scans networks for devices using Modbus, DNP3, and S7comm protocols. If Modbus devices are found, ZionSiphon attempts to alter parameters associated with chlorine dose control and pressure regulation, actions that could contaminate water or damage distribution infrastructure.
Dragos separately assessed the disclosed ZionSiphon sample as not a credible near-term ICS threat, citing implementation flaws: the country-validation logic is dysfunctional, and the DNP3 and S7comm components are placeholders rather than functional code. Dragos assesses the analyzed version is either a development build, a prematurely deployed sample, or intentionally defanged for testing purposes.
Despite these limitations, the sample represents a documented case of AI-assisted OT malware development (the Cloud Security Alliance noted the malware bears hallmarks of LLM-assisted code generation), and its targeting specificity (named facilities, named ICS protocols, specific process parameters) demonstrates adversary intent and knowledge of operational technology attack paths that may materialize in a more capable future version.
Ongoing Campaigns
Iranian PLC Campaign: Week Three of Elevated Posture
The joint advisory AA26-097A (FBI, CISA, NSA, EPA, DOE, U.S. Cyber Command), issued April 7 and covering Iranian-affiliated exploitation of internet-exposed Rockwell Automation PLCs across Government Services, Water and Wastewater, and Energy sectors, remained the primary active threat driving elevated monitoring posture in critical infrastructure sectors.
The CYFIRMA Weekly Intelligence Report for April 17 confirmed that while the Iranian-linked group Handala announced a temporary pause in U.S.-targeted operations, Iranian-affiliated APT activity against critical infrastructure has not ceased. The advisory documents a sustained campaign by threat actors linked to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC), operating as CyberAv3ngers and also tracked as Shahid Kaveh Group, Storm-0784, and UNC5691. The actors connect directly to internet-exposed Rockwell/Allen-Bradley PLCs using legitimate engineering software (specifically Studio 5000 Logix Designer), exfiltrate and modify PLC project files, and manipulate SCADA HMI displays to show falsified process readings while altered control logic executes undetected.
Documented victim impact includes operational disruption and financial loss. Censys data showing 5,219 globally exposed EtherNet/IP devices identifying as Rockwell/Allen-Bradley hardware, with 74.6% located in the United States, continued to circulate as the baseline exposure figure.
Automotive CPS Security
Zero Motorcycles received its first CISA ICS advisory this week (ICSA-26-111-06), disclosing CVE-2026-1354 in all firmware versions 44 and prior. An attacker within Bluetooth range can forcibly initiate a pairing session with a motorcycle while it is in pairing mode and, once paired, push malicious over-the-air firmware updates. The attack complexity is rated high because the adversary must remain physically proximate throughout the firmware update cycle, and no exploitation in the wild has been reported. Zero Motorcycles has scheduled a patch for May 2026. The advisory highlights the expanding threat surface of software-defined electric two-wheelers: the same over-the-air update capability that enables rapid feature delivery also represents a firmware injection pathway when Bluetooth pairing controls are insufficient.
The Hardy Barth Salia EV Charge Controller (ICSA-26-111-05) carries two vulnerabilities with no vendor patch available. CVE-2025-5873 is an unrestricted file upload flaw in the web management interface that enables unauthenticated remote code execution, and CVE-2025-10371 is a buffer overflow that can crash the device or facilitate code execution. Hardy Barth did not respond to CISA’s coordination attempts. EV charge controllers sit at the intersection of the Energy and Transportation Systems sectors; a compromised controller could serve as a pivot point into building management networks or utility grid integration systems that share the same network segment.
Medical Device CPS Security
The FDA reissued its cybersecurity guidance for medical device manufacturers on April 15, 2026, aligning requirements with the Quality Management System Regulation (QMSR) that harmonizes U.S. standards with ISO 13485:2016. Under the revised guidance, cybersecurity is now embedded within design controls governed by ISO 13485 Clause 7.3 rather than treated as a standalone compliance checklist, and security risk management must follow the same formal processes as safety risk management under Clause 7.1. Premarket submissions for 510(k), De Novo, and Premarket Approval pathways must now include a Security Risk Management Report, a Software Bill of Materials (SBOM), and architectural views that explicitly demonstrate exploitability assessments. Manufacturers are additionally required to implement active vulnerability monitoring, formal patch management plans, and Coordinated Vulnerability Disclosure programs with 30-day disclosure timelines. Texas Health and Human Services issued a mandatory compliance notice on April 1, 2026, requiring that all submissions to the FDA comply with the updated guidance, signaling that state regulators are amplifying the federal requirement alongside the agency itself. Industry observers anticipate that the FDA will increasingly focus post-market audits on the operational effectiveness of these security processes rather than accepting point-in-time documentation as sufficient evidence of compliance.
Energy & Power Grid
The Iranian PLC exploitation campaign documented in joint advisory AA26-097A extends directly into energy sector infrastructure alongside water utilities. NERC’s Watch Operations team issued a member alert to the Electricity ISAC amplifying the advisory and asking utilities to lower their thresholds for reporting suspicious cyber and physical security activity. Rockwell Automation and Allen-Bradley hardware is present in substations, natural gas compressor stations, and distributed energy resource sites across the United States, meaning the same authentication bypass exploited in water utilities applies equally to energy environments. The advisory’s specific call to remove EtherNet/IP PLCs from internet-routable network segments applies with equal urgency in both sectors.
The Iberian Peninsula experienced a major power outage late in the week affecting Spain, Portugal, and parts of southwestern France. Early official investigation concluded that a cyberattack was not the direct cause. The World Economic Forum used the incident to amplify warnings about the growing vulnerability of interconnected European energy grids as renewable energy assets with new digital interfaces proliferate. The blackout was notable for its geographic scale and for the speed with which cybersecurity commentators initially speculated about hostile action, illustrating the degree to which large-scale grid failures are now reflexively interpreted through a cyber lens even when grid operations or interconnection failures are the actual cause.
Manufacturing & Industrial
The Siemens SINEC NMS authentication bypass (CVE-2026-24032, CVSS 8.8) and the RUGGEDCOM CROSSBOW vulnerabilities patched this week affect manufacturing environments where Siemens industrial networking infrastructure is ubiquitous. SINEC NMS manages the network plane for Siemens industrial sites; an unauthenticated attacker who exploits the bypass gains visibility into and control over the entire managed topology, enabling reconnaissance and lateral movement preparation across the manufacturing environment. Both products are fixed in versions released this week and should be prioritized for immediate patching.
The Delta Electronics ASDA-Soft advisory (CVE-2026-5726, CVSS 7.8) affects manufacturing environments using Delta servo drives in packaging, machining, and assembly automation. The SenseLive X3050 — for which no patch exists — is used in industrial monitoring scenarios including energy metering and environmental sensing in manufacturing facilities. The CVSS 9.8 severity with no vendor remediation path means network isolation is the only available control.
A Security MEA industry report published April 15 confirmed that manufacturing faced the most severe cyber threat burden of any sector in 2025, a trend assessed as continuing into 2026. FBI data cited in the report places U.S. cybercrime losses at 21 billion dollars, with manufacturing disproportionately represented in ransomware victim counts.
Water & Wastewater Sector
The water sector faced an unusually concentrated set of threats during the week of April 17-24:
- The ZionSiphon malware disclosure, while pre-operational, demonstrates that adversaries are actively developing OT tools with chlorine dosing and pressure manipulation as intended attack objectives.
- The SenseLive X3050 advisory (ICSA-26-111-12, CVSS 9.8) affects the Water and Wastewater sector directly, and the vendor’s non-response to CISA coordination means no patch is forthcoming.
- The Carlson VASCO-B advisory (ICSA-26-113-02, CVSS 9.4) affects GNSS-based positioning infrastructure used in survey and infrastructure management operations.
- The Iranian PLC campaign (AA26-097A) remains explicitly active against U.S. Water and Wastewater Systems.
The OT-ISAC’s April 2026 advisory consolidating multiple disclosures—including AVEVA Pipeline Simulation authorization bypass, Horner XL4/XL7 Cscape weak passwords, and Siemens SINEC NMS, Industrial Edge Management, and RUGGEDCOM CROSSBOW management vulnerabilities—reflects the breadth of exposure across the water sector’s varied installed base.
Critical Infrastructure: Emergency Services
The Intrado 911 Emergency Gateway advisory (ICSA-26-113-06, CVE-2026-6074) deserves elevated attention given its target environment. PSAP infrastructure and emergency communication systems have historically not been prioritized for cybersecurity patching at the same cadence as enterprise IT or industrial OT, and path traversal vulnerabilities enabling unauthenticated file access in systems routing 911 calls represent a class of risk with direct public safety consequences. Intrado released a patch in early March 2026 and coordinated distribution with customers, but not all deployments may have applied the update.
Transportation & Aerospace
The Carlson VASCO-B GNSS advisory (CVE-2026-3893, CVSS 9.4) affects Critical Manufacturing sectors including surveying and construction positioning. GNSS receivers without authentication controls are susceptible to configuration modification that could alter positioning data, affecting safety-critical applications in surveying, machine control, and infrastructure alignment.
The SpiceJet Online Booking System advisory (ICSA-26-113-04, CVE-2026-6375 and CVE-2026-6376) covers the Transportation Systems sector, disclosing unauthenticated access to passenger name records (PNRs) without access controls. While not a CPS or OT vulnerability, it affects critical transportation infrastructure.
Threat Intelligence Highlights
The Dragos 2026 OT Cybersecurity Year in Review — published earlier in Q1 2026 and widely cited during this week — documented the emergence of three new threat groups relevant to CPS defenders. SYLVANITE establishes IT footholds and hands off access to VOLTZITE for deeper OT intrusion operations. PYROXENE targets the United States, Western Europe, and the Middle East and deployed destructive wiper malware against critical infrastructure in a regional conflict context. AZURITE shows OT overlap with Flax Typhoon and has conducted sustained operations across U.S., European, and Asia-Pacific targets. Ransomware groups targeting industrial organizations increased 49% year-over-year, affecting 3,300 organizations globally with operational disruptions.
The trend identified in the Dragos report—adversaries moving beyond pre-positioning to actively mapping control loops and understanding how to manipulate physical processes—is directly illustrated by ZionSiphon’s parameterized targeting of chlorine dose values and pressure set-points in named Israeli water facilities.
Defensive Recommendations
Organizations operating SenseLive X3050 gateways in water, energy, manufacturing, or IT environments should immediately isolate these devices from all untrusted network segments and remove internet exposure. With no vendor patch available and eleven CVEs, the most severe at CVSS 9.8, network isolation is the only mitigation. Inventory all X3050 deployments; these devices may have been installed as low-visibility data concentrators and forgotten in network documentation.
Organizations using Silex Technology SD-330AC or AMC Manager should apply the vendor patches immediately — SD-330AC firmware 1.50 or later, AMC Manager 5.1.0 or later. Until patching is complete, disable HTTP/HTTPS management services and change all default administrator credentials. Given that approximately 20,000 such devices are internet-exposed per Forescout’s BRIDGE:BREAK research, exposure should be verified through external scanning before relying on internal network surveys alone.
Hardy Barth Salia EV Charge Controller operators should apply the updated firmware immediately and confirm that the management web interface is not reachable from the internet or untrusted internal segments. EV charging infrastructure increasingly connects to building management systems and utility grid endpoints, making controller compromise a potential pivot point into broader building or grid operations.
Organizations running Intrado 911 Emergency Gateway versions 5.x, 6.x, or 7.x should confirm whether Intrado’s March 2026 patch has been applied. If not, immediately restrict network access to EGW management interfaces to authorized PSAP management workstations only.
Water and wastewater utilities should use the ZionSiphon disclosure as an opportunity to verify that Modbus, DNP3, and S7comm protocol traffic from plant networks cannot egress to untrusted segments. Regardless of ZionSiphon’s current operational limitations, the targeting specificity demonstrates that adversaries have mapped the protocols and parameters relevant to chlorination and pressure control in water treatment. Implementing protocol-aware inspection — detecting unexpected Modbus function codes or parameter ranges — provides detection capability against this class of attack.
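The protocol-aware inspection recommended above, as an added example that is not part of the original report: a small Modbus/TCP request inspector in Python that flags writes from unapproved hosts, setpoint values outside an engineering range, and function codes the plant network does not normally use. The register map (chlorine dose and pressure setpoints), the host allowlist, and the sample frames are constructed for the demo and do not come from any advisory.

```python
"""Protocol-aware Modbus/TCP inspection: flag writes to process-critical
registers that come from unapproved hosts, fall outside the engineering
range, or use function codes the plant network never uses."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# --- constructed plant policy (hypothetical register map, not from any advisory) ---
ALLOWED_WRITERS = {"10.10.1.5"}          # the only HMI/engineering host permitted to write
# holding register address -> (name, minimum, maximum) in raw register units
PROTECTED_REGISTERS = {
    0: ("chlorine_dose_setpoint_x100_mgL", 0, 500),   # 0.00 .. 5.00 mg/L
    1: ("pressure_setpoint_kPa", 200, 800),
}
READ_FCS = {0x01, 0x02, 0x03, 0x04}
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


@dataclass
class ModbusRequest:
    unit_id: int
    function: int
    start: Optional[int]    # first register/coil addressed, if the PDU carries one
    values: List[int]       # register values carried by a write request


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header plus PDU of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header (protocol id or length)")
    fc, data = frame[7], frame[8:]
    start, values = None, []
    if fc in READ_FCS or fc in (0x05, 0x06):
        start, val = struct.unpack(">HH", data[:4])      # address + quantity/value
        if fc in (0x05, 0x06):
            values = [val]
    elif fc == 0x10:                                      # write multiple registers
        start, qty, bytecount = struct.unpack(">HHB", data[:5])
        if bytecount != 2 * qty or len(data) < 5 + bytecount:
            raise ValueError("write multiple registers: byte count mismatch")
        values = list(struct.unpack(">%dH" % qty, data[5:5 + bytecount]))
    return ModbusRequest(unit, fc, start, values)


def inspect(frame: bytes, src_ip: str) -> List[str]:
    """Return alerts for one request; an empty list means the request is within policy."""
    try:
        req = parse_modbus_tcp(frame)
    except (ValueError, struct.error) as exc:
        return [f"malformed frame from {src_ip}: {exc}"]
    if req.function not in READ_FCS | WRITE_FCS:
        return [f"unexpected function code 0x{req.function:02x} from {src_ip}"]
    if req.function not in WRITE_FCS:
        return []                                         # reads are normal polling traffic
    alerts = []
    if src_ip not in ALLOWED_WRITERS:
        alerts.append(f"write (fc 0x{req.function:02x}) from unapproved host {src_ip}")
    if req.function in (0x06, 0x10):                      # only these carry register values
        for offset, value in enumerate(req.values):
            if req.start + offset in PROTECTED_REGISTERS:
                name, lo, hi = PROTECTED_REGISTERS[req.start + offset]
                if not lo <= value <= hi:
                    alerts.append(f"{name}={value} outside engineering range "
                                  f"[{lo}, {hi}] from {src_ip}")
    return alerts


def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (used to build the constructed sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# constructed sample traffic: (source host, Modbus/TCP request frame)
SAMPLES = [
    ("10.10.1.5", mbap(1, struct.pack(">BHH", 0x03, 0, 2))),        # HMI polls both setpoints
    ("10.10.1.5", mbap(1, struct.pack(">BHH", 0x06, 0, 150))),      # approved write: 1.50 mg/L
    ("10.10.9.77", mbap(1, struct.pack(">BHH", 0x06, 0, 150))),     # same value, unapproved host
    ("10.10.1.5", mbap(1, struct.pack(">BHHB", 0x10, 0, 2, 4)       # dose 45 mg/L, 50 kPa
                         + struct.pack(">HH", 4500, 50))),
    ("10.10.9.77", mbap(1, bytes([0x2B, 0x0E, 0x01, 0x00]))),       # device-identification read
]


def run_samples() -> List[List[str]]:
    return [inspect(frame, ip) for ip, frame in SAMPLES]


if __name__ == "__main__":
    for (ip, _), alerts in zip(SAMPLES, run_samples()):
        print(ip, alerts or ["ok"])
```

The same policy can be applied to live traffic by feeding each TCP payload on port 502 to `inspect()` together with its source address; the range check catches an in-policy host pushing an unsafe setpoint, which an allowlist alone would miss.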
Zero Motorcycles fleet operators should apply the May 2026 firmware release promptly when available. In the interim, ensuring that motorcycles are not left in pairing mode in publicly accessible environments reduces the window of Bluetooth exposure.
Medical device manufacturers with active or pending FDA submissions should review the April 15 guidance update and ensure cybersecurity is addressed within design controls under ISO 13485 Clause 7.3. The 30-day Coordinated Vulnerability Disclosure timeline requirement represents a new operational commitment that organizations without existing CVD programs will need to establish before submission. Manufacturers operating legacy devices that cannot meet modern security requirements should assess redesign timelines proactively given the FDA’s stated intent to intensify post-market auditing.
For the Iranian PLC campaign, the fundamental mitigation remains unchanged: Rockwell/Allen-Bradley PLCs must not be directly internet-reachable. Any EtherNet/IP device accessible from outside the plant network should be treated as potentially compromised, with project files reviewed for unauthorized modifications and HMI displays cross-validated against independent sensor readings.
Sources Referenced
Government Advisories & Alerts
- ICSA-26-111-03: Siemens SINEC NMS (CISA)
- ICSA-26-111-05: Hardy Barth Salia EV Charge Controller (CISA)
- ICSA-26-111-10: Silex Technology SD-330AC and AMC Manager (CISA)
- ICSA-26-111-12: SenseLive X3050 (CISA)
- ICSA-26-113-02: Carlson Software VASCO-B GNSS Receiver (CISA)
- ICSA-26-113-03: Milesight Cameras (CISA)
- ICSA-26-113-06: Intrado 911 Emergency Gateway (CISA)
- AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across U.S. Critical Infrastructure (CISA)
- (TLP:CLEAR) CISA ICS Advisories – April 23, 2026 (WaterISAC)
Research & Vendor Disclosures
- BRIDGE:BREAK: Forescout Identifies 22 New Vulnerabilities on Serial-to-IP Converters (Business Wire)
- 22 BRIDGE:BREAK Flaws Expose 20,000 Lantronix and Silex Serial-to-IP Converters (The Hacker News)
- Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking (SecurityWeek)
- BRIDGE:BREAK Vulnerabilities in Lantronix and Silex Serial-to-IP Converters (1898 Advisories)
- Silex Technology SD-330AC and AMC Manager Advisory Details (1898 Advisories)
- Carlson Software VASCO-B Advisory: CVE-2026-3893 Details (Assurant Cyber)
ZionSiphon Malware
- ZionSiphon Malware Targets ICS in Water Facilities (SecurityWeek)
- Darktrace Identifies ZionSiphon Malware Engineered for OT Disruption in Israeli Water Sector (Industrial Cyber)
- Inside ZionSiphon: Darktrace’s Analysis of OT Malware Targeting Israeli Water Systems (Darktrace)
- ZionSiphon: Why This Malware Isn’t A Credible ICS Threat (Dragos)
- Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems (The Hacker News)
- ZionSiphon: AI-Assisted ICS Sabotage Targeting Water Infrastructure (Cloud Security Alliance)
Iranian PLC Campaign Follow-Up
- CISA Alert AA26-097A: Iranian-Affiliated Actors Target PLCs – Analysis, Simulation, and Mitigation (Picus Security)
- Iranian-Affiliated Cyber Actors Exploit Rockwell Automation PLCs (1898 Advisories)
- Weekly Intelligence Report – 17 April 2026 (CYFIRMA)
- CVE-2026-6074 Path Traversal in Intrado 911 Emergency Gateway (Windows News)