Full Report
[Control systems] CISA ICS security advisories (AV26-297)
Analysis Summary
The following summary covers the CISA ICS Security Advisories (AV26-297) released between March 23 and 29, 2026.
# Vulnerability: Multiple Vulnerabilities in Industrial Control Systems (AV26-297)
## CVE Details
*Note: Due to the high number of advisories in this aggregate report, the primary CVEs are listed below.*
- **CVE IDs:** Various (e.g., CVE-2026-21820, CVE-2026-30245, CVE-2026-10542)
- **CVSS Scores:** Range from **7.5 (High)** to **9.8 (Critical)**
- **CWEs:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-79 (XSS), CWE-89 (SQL Injection), CWE-287 (Improper Authentication).
## Affected Systems
- **Grassroots DICOM (GDCM):** Version 3.2.2
- **Pharos Controls Mosaic Show Controller:** Firmware version 2.15.3
- **OpenCode Systems OC Messaging and USSD Gateway:** Version 6.32.2
- **PTC Windchill PLM:** Multiple versions and models
- **Schneider Electric EcoStruxure Foxboro DCS:** Versions prior to CS8.1
- **Schneider Electric Plant iT/Brewmaxx:** Version 9.60 and above
- **WAGO GmbH & Co. KG Industrial Managed Switches:** Multiple firmware versions
## Vulnerability Description
This collection of advisories addresses several critical security flaws across maritime, manufacturing, energy, and medical sectors:
- **GDCM:** Improper input validation leading to potential remote code execution (RCE).
- **Pharos Controls:** Hardcoded credentials and insecure firmware update mechanisms.
- **Schneider Electric:** Vulnerabilities in the Foxboro DCS related to unauthorized access and potential denial-of-service (DoS) via crafted network packets.
- **OpenCode Systems:** Flaws in USSD gateways allowing for potential message interception or unauthorized configuration changes.
## Exploitation
- **Status:** Not exploited in the wild (as of the report date); PoCs are available for certain Schneider Electric and WAGO components.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (most vulnerabilities are remotely exploitable)
## Impact
- **Confidentiality:** High (Risk of data theft and credential exposure)
- **Integrity:** High (Risk of unauthorized setpoint changes in DCS)
- **Availability:** High (Risk of system crashes or equipment lockout)
## Remediation
### Patches
- **Schneider Electric:** Upgrade Foxboro DCS to version CS8.1 or higher.
- **Pharos Controls:** Apply firmware patch v2.16.x or newer, as specified in the vendor bulletin.
- **GDCM:** Update to version 3.2.3 (or latest stable branch).
- **WAGO:** Consult the WAGO PSIRT for specific switch firmware updates corresponding to your hardware model.
### Workarounds
- Minimize network exposure for all control system devices; ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required.
## Detection
- **Indicators of Compromise:** Unusual administrative login attempts, unexpected system reboots, or unauthorized modifications to PLC/DCS configurations.
- **Detection Methods:** Monitor ICS network traffic for non-standard protocols on management ports. Use an industrial IDS (Intrusion Detection System) to flag the known signatures listed in the CISA advisories.
## References
- CISA ICS Advisories: hxxps[://]www[.]cisa[.]gov/news-events/cybersecurity-advisories
- Canadian Centre for Cyber Security: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-297
- Schneider Electric Security: hxxps[://]www[.]se[.]com/ww/en/work/support/cybersecurity/security-notifications[.]jsp