Executive Summary
A concentrated burst of eight CISA advisories on May 28 highlighted the breadth of CPS exposure heading into summer, touching maritime safety systems, OT serial converters, EV charging infrastructure, building automation, and a wearable cardiac monitor — several with CVSS scores of 9.8 and no vendor patch available. Separately, a newly disclosed pre-authentication remote code execution flaw in GNU Inetutils telnetd (CVE-2026-32746, CVSS 9.8) affects legacy Linux-based PLCs, SCADA gateways, and embedded OT equipment that still expose Telnet on port 23. The EV charging sector drew particular scrutiny after XCharge C6 fast chargers were found to carry three simultaneous critical flaws, including an unsigned firmware update path and default administrative credentials. On the policy front, CISA launched its “CI Fortify” initiative, directing critical infrastructure operators to prepare manual fallback procedures for cyber-induced outages — a signal that the agency views a significant disruption event as a near-term planning reality.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of May 22 – May 29, 2026
Critical Alerts & Advisories
The largest single-day advisory release of the week came on May 28, when CISA published eight ICS and medical device advisories spanning sectors from maritime transportation to oil and gas. The most consequential from a patch-availability standpoint was the advisory covering the Jinan USR IOT Technology USR-W610 RS232/485-to-Wi-Fi/Ethernet converter (CVE-2026-7786, CVSS 9.8). The W610 is widely deployed in OT environments to bridge legacy serial devices onto IP networks, and its firmware version 7.03T.07 stores plaintext administrative credentials in an extractable location within the firmware image. CISA coordinated disclosure with the vendor, which did not respond, and no patch exists. The recommended mitigation is immediate network segmentation to prevent untrusted hosts from reaching affected converters — a reminder that supply-chain dependencies on small industrial networking vendors can leave operators with no remediation path.
The Welker OdorEyes XL4 gas odorization controller (CVE-2026-24790, CVSS 9.8) received attention earlier in the week. The XL4 manages the injection of odorant into natural gas distribution networks, and its web interface permits complete authentication bypass for any network-adjacent attacker on versions prior to firmware 4.2.1. Successful exploitation allows an attacker to disable gas leak detection, manipulate odorant injection rates, tamper with logs, and pivot further into connected ICS. Welker released firmware 4.2.1 as the fix. The severity is amplified by the safety function the device performs: natural gas distribution without proper odorant levels is a public safety hazard, not merely a data loss event.
Maritime infrastructure appeared in the advisory set via the MacGregor Voyage Data Recorder G4e, an IMO-mandated black-box system required on large commercial vessels. The advisory revealed that units running firmware below V5.250 ship with hardcoded default administrative credentials, with no enforced password change on first login. Danelec released firmware V5.250 to address the authentication bypass. The KMW CCTV security camera advisory (CVE-2026-5386, CVSS 9.1) described an unauthenticated password reset that allows a remote attacker to set the admin password to a known value — the 60-day disclosure window expired with no vendor patch, and CISA recommends treating the cameras as untrusted until replacement.
GNU Inetutils telnetd (CVE-2026-32746, CVSS 9.8) was flagged by Dream Security Labs this week as a pre-authentication remote code execution vulnerability affecting all versions through 2.7. The overflow resides in the LINEMODE SLC suboption handler and triggers before the login prompt, meaning an unauthenticated attacker with TCP access to port 23 can achieve root-level code execution. The vulnerability is present in Debian, Ubuntu, RHEL, and SUSE packages, but its most significant CPS dimension is the broad population of PLCs, SCADA gateways, and embedded OT devices that run GNU userland and still expose Telnet as their sole remote management interface. Operators with legacy equipment that cannot be patched should isolate port 23 at the network boundary immediately.
ABB’s EIBPORT V3 KNX building automation controller (CVE-2021-22291, CVSS 8.0) also appeared in the May 28 batch, with a cross-site scripting flaw stemming from improper session management in firmware below 3.9.2. Exploitation allows an attacker to access sensitive device information and alter building automation configurations. ABB released firmware 3.9.2 to remediate. Schneider Electric’s EcoStruxure Machine Expert HVAC (CVE-2026-6332) rounded out the building automation findings, with source code stored in cleartext in versions prior to 1.10.0, exposing sensitive configuration logic to any attacker with filesystem access.
Automotive CPS Security
The most significant automotive CPS advisory this week targeted the XCharge C6 DC fast charger, a public infrastructure component increasingly integrated into utility grid-management programs. CISA’s advisory documented three separate critical vulnerabilities, each scoring 9.8 on CVSS. The first is an unsigned firmware update mechanism: the charger accepts and installs arbitrary firmware images without cryptographic signature verification, allowing an attacker with network access to the management interface to replace operating firmware entirely. The second is a stack-based buffer overflow in the charging controller’s signal-processing logic that can be triggered via the physical connector interface to achieve code execution with elevated privileges. The third is the presence of default administrative credentials on the remote management service, accessible through the charging connector interfaces themselves. No patch timeline has been provided by XCharge. In aggregate, the three flaws create a scenario where a single compromised charger can be turned into a persistent attack platform, and at sufficient scale, synchronized manipulation of grid-integrated chargers carries potential implications for local distribution stability.
The Automotive ISAC’s May 2026 community call included an analysis of the Pwn2Own Automotive 2026 findings from Tokyo earlier this year. Researchers documented 76 unique zero-day vulnerabilities across the event, with nearly 40% targeting in-vehicle infotainment systems and Android Automotive OS. The dominant vulnerability classes were authentication bypasses, command injection, and memory safety errors — a pattern consistent with the broader OT vulnerability landscape. EV charger infrastructure, which appeared as a competition category for the first time, saw multiple teams achieve full device compromise. The analysis identified 265 unique automotive-specific vulnerabilities in the first quarter of 2026, a 28% increase over the final quarter of 2025.
Medical Device CPS Security
The Frontier X2 wearable cardiac monitor manufactured by Fourth Frontier received a CISA medical device advisory (ICSMA-26-148-01, CVE-2026-5768, CVSS 8.8) on May 28. The device continuously measures heart rate, breathing rate, and physical strain, transmitting telemetry to a companion mobile application over Bluetooth Low Energy. The vulnerability is a missing authentication requirement on the BLE interface: any attacker within Bluetooth range can connect to the monitor without pairing or authorization, allowing injection of fabricated health readings into the mobile app or denial of service to the device. Fourth Frontier is developing a fix; interim guidance instructs users to use only the official application and maintain single-device connection protocols. The severity is elevated by the device’s clinical context — fabricated cardiac readings presented to a user or caregiver could influence medical decisions.
RunSafe Security’s 2026 Medical Device Cybersecurity Index, released April 29 and widely analyzed through the first week of May, continues to inform the week’s discussion. The index found that 53% of connected medical devices carry known unpatched vulnerabilities and that 22% of healthcare organizations experienced at least one cyberattack targeting medical devices in the reporting period, with 80% of those attacks causing patient care disruption. The FDA’s updated 2026 premarket cybersecurity guidance, which requires machine-readable SBOMs, a Security Risk Management Report, and integration of cybersecurity into quality management systems aligned with ISO 13485, provides the regulatory backdrop against which these numbers will increasingly be evaluated.
Water & Wastewater Sector
CISA Acting Director Nick Andersen announced the “CI Fortify” initiative during the final week of May, directing critical infrastructure operators — with particular emphasis on water utilities and transportation systems — to prepare formal plans for operating through cyber-induced outages. The core guidance asks operators to rehearse transition to manual operations, proactively disconnect OT from third-party and business networks during elevated geopolitical risk periods, and verify that critical system configurations are documented and backed up in offline form. The announcement is notable not only for its operational specificity but for its timing: CISA has shed approximately one-third of its workforce in recent budget cycles, and the “CI Fortify” framing implicitly acknowledges that the agency’s own capacity to respond to simultaneous multi-sector incidents has diminished. The message to operators is to build resilience internally rather than rely on federal response capacity.
GAO testimony delivered May 21 before the House Subcommittee on Environment (report GAO-26-109159) reinforced the structural nature of water sector risk: EPA has no cybersecurity risk assessment requirements for wastewater systems or many drinking water systems, OT equipment in municipal utilities is aging, and the sector’s financial structure makes it difficult to prioritize cybersecurity investment against competing regulatory water quality requirements. Iranian-affiliated threat group CyberAv3ngers — whose ongoing exploitation of Rockwell Automation PLCs via CVE-2021-22681 was covered in detail last week — continues to operate against water system targets, with gas station automatic tank gauge infrastructure also remaining in scope.
Energy & Power Grid
The ABB PCM600 protection and control IED manager (ICSA-26-120-02) remains relevant this week as operators work through patch compatibility challenges introduced by the fix for CVE-2018-1002208 — a Zip Slip path traversal via SharpZipLib that affects PCM600 versions 1.5 through 2.13. PCM600 is used by power grid engineers to configure protection relays and IEDs, meaning a malicious ZIP archive routed through normal engineering workflows could achieve code execution on the workstations that directly manage grid-critical equipment. ABB released version 2.14 and PCM600 3.1 SP4 to address the issue, but OT patch validation cycles mean many sites are still mid-deployment.
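For sites still mid-deployment, project archives can be screened for Zip Slip entry names before they reach an engineering workstation. The sketch below is an added example, not ABB's or SharpZipLib's code; the function names and sample entry names are constructed for illustration.

```python
import io
import stat
import zipfile
from typing import List, Optional, Tuple


def entry_risk(info: zipfile.ZipInfo) -> Optional[str]:
    """Return why an entry could land outside the extraction directory, or None."""
    # Windows extractors treat "\" as a separator, so normalise before inspecting.
    name = info.filename.replace("\\", "/")
    if name.startswith("/"):
        return "absolute path"  # also covers UNC names such as \\host\share
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        return "drive-letter path"
    if ".." in name.split("/"):
        return "parent-directory component"
    # The upper 16 bits of external_attr carry the Unix mode, if one was recorded.
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symbolic link entry"
    return None


def screen_archive(data: bytes) -> List[Tuple[str, str]]:
    """List (entry name, reason) for every entry that should block the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = entry_risk(info)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample(names: List[str]) -> bytes:
    """Build an in-memory ZIP holding the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


# Constructed entry names; none come from a real project archive.
CLEAN_NAMES = ["project/relay_config.xml", "project/ied/settings.bin"]
HOSTILE_NAMES = [
    "project/relay_config.xml",
    "../../outside_posix.txt",
    "..\\..\\outside_windows.txt",
    "C:/outside_drive.txt",
    "project/..dots_in_name.txt",  # legitimate: ".." is not a whole path component
]

if __name__ == "__main__":
    for label, names in (("clean", CLEAN_NAMES), ("hostile", HOSTILE_NAMES)):
        print(label, screen_archive(build_sample(names)))
```

A screen like this belongs at the file-transfer boundary into the engineering network, with any archive that produces findings quarantined rather than opened.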
Schneider Electric’s EcoStruxure Panel Server advisory from May 12 (CVE-2026-6866, CVSS 8.2) continues to be operationally relevant as field teams conduct patching. The Panel Server devices — models PAS400, PAS600, PAS800 and variants — are used for power monitoring at substations and industrial facilities, and the vulnerability causes credentials to revert to factory defaults under certain rare circumstances, allowing unauthorized authentication. Versions 002.005.000 and prior are affected.
Manufacturing & Industrial
Forescout’s 2026 OT/ICS vulnerability tracking data provides useful context for the week’s advisory volume: 2025 produced 508 ICS advisories covering 2,155 CVEs, with 82% rated high or critical severity — the first time the average CVSS score for ICS advisories exceeded 8.0. The growth in advisory density reflects both increasing researcher focus on OT systems and improving vendor disclosure practices, but Forescout also flags a widening visibility gap in which many device vulnerabilities are not tracked in CISA advisory databases at all, leaving asset owners without reliable patch awareness signals.
The Fuji Electric Tellus SCADA platform advisory (ICSA-26-132-01, CVE-2026-8108, CVSS 7.8) from May 12 remains within the active patching window. A kernel driver installed by Tellus 5.0.2 grants overly permissive read/write access, allowing a local attacker to escalate from standard user to SYSTEM privileges — a meaningful risk in OT environments where HMI workstations are often shared or accessed by contractors.
Threat Intelligence Highlights
Iranian-affiliated CyberAv3ngers activity against U.S. critical infrastructure continued to draw interagency attention through the final days of May. A May 20 analysis from the Foundation for Defense of Democracies characterized the group’s current operational posture as deliberately targeting Secure-by-Design shortcomings — default credentials, missing authentication, unencrypted protocols — rather than expending sophisticated zero-days. This assessment aligns with the technical profile of recent confirmed incidents: ATG systems compromised via default passwords, Rockwell PLCs accessed through CVE-2021-22681’s authentication bypass rather than novel exploitation. The FDD analysis urged that the appropriate U.S. response is accelerating adoption of secure-by-design procurement requirements for critical infrastructure components, arguing that hardened defaults would foreclose the majority of observed Iranian footholds without requiring defenders to keep pace with adversary tooling.
Subnet Solutions PowerSYSTEM Center (ICSA-26-132-02), used for power system SCADA and control, carries a CRLF injection vulnerability in its email notification component that enables sensitive information exposure across versions spanning the 2020, 2024, and 2026 product lines. The breadth of affected versions — from 5.8.x through 7.0.x — reflects the typical OT upgrade lag where security patches must be validated against operational constraints before deployment, leaving long exposure windows.
Defensive Recommendations
Organizations operating XCharge C6 EV chargers should isolate them from IT networks and the public internet until the vendor releases a signed firmware update; the combination of unsigned firmware updates and default credentials makes these devices high-priority targets. Any OT or embedded system still running GNU Inetutils telnetd should have port 23 blocked at the network perimeter immediately, and where patching to version 2.8 or later is not feasible, Telnet should be replaced by SSH as the sole permitted management channel. Operators using USR-W610 serial converters should treat them as permanently unpatched and enforce strict network segmentation, allowing only specifically authorized source IPs to reach the management interface.
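Whether the Telnet block and the converter allowlist described above actually hold can be checked against firewall flow logs. This is an added example, not taken from the advisories: the log format, the addresses, the converter management port (80) and the rule names are all constructed assumptions.

```python
import ipaddress

# Constructed policy values; replace with the site's own address plan.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# (converter management address, port) -> sources authorized to reach it.
# Port 80 is an assumption; the page does not state the management port.
CONVERTER_MGMT = {
    ("10.20.5.10", 80): [ipaddress.ip_network("10.20.99.5/32")],
}
TELNET_PORT = 23

# Constructed flow records in the form "time src dst dst_port action".
SAMPLE_FLOWS = """\
2026-05-29T08:00:01Z 10.20.99.5 10.20.5.10 80 ALLOW
2026-05-29T08:00:07Z 10.1.4.22 10.20.5.10 80 ALLOW
2026-05-29T08:01:13Z 10.20.99.5 10.20.7.31 23 ALLOW
2026-05-29T08:01:50Z 10.1.4.22 10.20.7.31 23 ALLOW
2026-05-29T08:02:40Z 192.0.2.14 10.20.7.31 23 DENY
2026-05-29T08:03:02Z 10.1.4.22 10.30.1.1 23 ALLOW
malformed line
"""


def in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in networks)


def audit(text):
    """Return (findings, skipped): policy violations and unparseable line count."""
    findings, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, port, action = line.split()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped += 1  # count, do not silently drop, records that fail to parse
            continue
        if action != "ALLOW":
            continue  # a denied flow means the control worked
        allowed = CONVERTER_MGMT.get((str(dst_ip), port))
        if allowed is not None and not in_any(src_ip, allowed):
            findings.append((ts, "converter-mgmt-unauthorized-source", src, dst))
        if port == TELNET_PORT and in_any(dst_ip, OT_NETWORKS):
            inside = in_any(src_ip, OT_NETWORKS)
            rule = "telnet-inside-ot" if inside else "telnet-crossed-perimeter"
            findings.append((ts, rule, src, dst))
    return findings, skipped


if __name__ == "__main__":
    results, bad = audit(SAMPLE_FLOWS)
    for finding in results:
        print(*finding)
    print("unparseable lines:", bad)
```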
For the Welker OdorEyes XL4, gas distribution operators should apply firmware 4.2.1 immediately and audit web interface exposure; systems controlling odorant injection should never be reachable from general-purpose corporate networks. Healthcare organizations deploying the Fourth Frontier Frontier X2 should review BLE connection policies and apply mobile app updates to Android versions 15.0.0 or above and iOS versions 25.0.0 or above as soon as the vendor releases the authenticated BLE fix.
Water utilities that have not begun “CI Fortify” planning should treat CISA’s announcement as a prompt to document manual operating procedures, identify which OT systems can be safely isolated during a connectivity loss event, and test that isolation procedures do not create safety hazards. Reviewing third-party remote access paths into OT networks — and having a plan to revoke them quickly — is the highest-priority step for organizations that have not yet completed that analysis.
Sources Referenced
CISA Advisories (May 28, 2026 – ICSA-26-148 series)
- ICSA-26-148-01 MacGregor VDR G4e: https://windowsnews.ai/article/cisa-advisory-icsa-26-148-01-macgregor-vdr-g4e-vulnerable-to-admin-takeover-urgent-patching-required.420551
- ICSA-26-148-02 USR-W610 (CVE-2026-7786): https://windowsnews.ai/article/cisa-flags-critical-hard-coded-credentials-flaw-in-usr-w610-industrial-converter.420533
- ICSA-26-148-03 ABB EIBPORT (CVE-2021-22291): https://www.assurantcyber.com/blog/icsa-26-148-03/
- ICSA-26-148-06 KMW CCTV (CVE-2026-5386): https://windowsnews.ai/article/cisa-alert-critical-unauthenticated-password-reset-flaw-in-kmw-cctv-cameras-icsa-26-148-06.420548
- ICSA-26-148-08 XCharge C6 EV Charger: https://windowsnews.ai/article/cisa-warns-xcharge-c6-ev-chargers-have-3-critical-flaws-cvss-98.420545
- ICSMA-26-148-01 Fourth Frontier Frontier X2 (CVE-2026-5768): https://vulnerability.circl.lu/vuln/icsma-26-148-01
May 12 ICS Patch Tuesday
- Siemens / Schneider Electric advisories overview: https://www.securityweek.com/ics-patch-tuesday-new-security-advisories-from-siemens-schneider-cisa/
- Schneider EcoStruxure Panel Server (CVE-2026-6866): https://vulnerability.circl.lu/vuln/sevd-2026-132-04
Threat Research
- CVE-2026-32746 GNU Inetutils telnetd (Dream Security Labs): https://industrialcyber.co/threats-attacks/dream-security-flags-critical-rce-vulnerability-in-gnu-inetutils-telnetd-exposing-ics-and-ot-systems/
- CVE-2026-24790 Welker OdorEyes XL4: https://windowsnews.ai/article/cve-2026-24790-critical-ics-vulnerability-in-welker-odoreyes-xl4-threatens-critical-infrastructure.402623
- ABB PCM600 Zip Slip (CVE-2018-1002208): https://windowsnews.ai/article/abb-pcm600-zip-slip-flaw-fix-cve-2018-1002208-or-face-ot-patch-compatibility-issues.415937
- Forescout OT/ICS vulnerability trends 2026: https://industrialcyber.co/threats-attacks/forescout-flags-spike-in-high-severity-ot-ics-flaws-exposing-visibility-gaps-that-leave-critical-infrastructure-at-risk/
Policy & Government
- CISA “CI Fortify” initiative: https://federalnewsnetwork.com/cybersecurity/2026/05/cisa-tells-critical-organizations-to-prepare-for-cyber-outages/
- GAO-26-109159 water sector testimony: https://www.gao.gov/products/gao-26-109159
- FDD analysis – Iranian CyberAv3ngers: https://www.fdd.org/analysis/2026/05/20/u-s-needs-to-upgrade-critical-infrastructure-to-counter-iranian-hackers/
- CISA/FBI/NSA joint advisory AA26-097A (CyberAv3ngers): https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
Automotive
- Pwn2Own Automotive 2026 – Automotive ISAC analysis: https://automotiveisac.com/community-calls/may-2026
- Pwn2Own zero-day summary: https://cyberpress.org/zero-day-bugs-at-pwn2own/
Medical Devices
- RunSafe Security 2026 Medical Device Cybersecurity Index: https://www.businesswire.com/news/home/20260429787733/en/RunSafe-Security-Releases-2026-Medical-Device-Cybersecurity-Index
- FDA 2026 updated premarket cybersecurity guidance: https://fedtechmagazine.com/article/2026/03/fda-tightens-its-medical-device-cybersecurity-guidance-perfcon
OT Threat Landscape
- Dragos 2026 OT/ICS Year in Review: https://www.dragos.com/ot-cybersecurity-year-in-review
- Waterfall Threat Report 2026: https://industrialcyber.co/reports/waterfall-threat-report-2026-finds-ransomware-slowdown-masks-deeper-shift-toward-nation-state-attacks-on-critical-infrastructure/