Full Report
[Control systems] CISA ICS security advisories (AV26–620)
Analysis Summary
Given the broad scope of the CISA ICS advisory update (AV26–620), which covers multiple vendors and products, I have consolidated the information into a high-level summary. This batch of advisories primarily concerns critical infrastructure components, including medical devices, industrial controllers (PLCs), and monitoring software.
# Vulnerability: CISA ICS security advisories (AV26–620) Consolidated Summary
## CVE Details
*Note: Due to the volume of advisories in this period (June 15–21, 2026), specific CVEs vary by product.*
- **CVE IDs:** Multiple (Refer to individual CISA advisories for specific IDs)
- **CVSS Scores:** Range from **7.5 (High)** to **10.0 (Critical)**
- **CWEs:** Commonly includes CWE-287 (Improper Authentication), CWE-121 (Stack-based Buffer Overflow), CWE-79 (Cross-site Scripting), and CWE-20 (Improper Input Validation).
## Affected Systems
- **Medical/Healthcare:** Apollo Pharmacy Blood Glucose Monitoring System (APG-01 BT, v0x0110_v1.1.0).
- **Surveillance/AV:** AVer PTC cameras (PTC500S, PTC115, PTC500+, PTC115+ - all versions).
- **Industrial Software/DAQs:** AzeoTech DAQFactory (prior to 21.1), Rockwell FactoryTalk Analytics/Historian/RSLinx Classic.
- **PLCs and Networking Modules:**
- Mitsubishi Electric MELSEC iQ-F Series (FX5-ENET/IP, FX5-EIP).
- Rockwell Automation 1794-AENTR/XT, CompactLogix, Logix 5370 & 5570.
- Schneider Electric Easergy, EcoStruxure, PowerLogic, and Saitel products.
## Vulnerability Description
The advisories cover a range of technical flaws typical in ICS environments:
1. **Authentication Bypass/Missing Authentication:** Several Rockwell and Schneider components lack sufficient identity verification, allowing unauthorized configuration changes.
2. **Memory Corruption:** Vulnerabilities in the Mitsubishi and AzeoTech products could allow for remote code execution (RCE) via specially crafted network packets or project files.
3. **Insecure Wireless Protocols:** The Apollo Glucose Monitor exhibits flaws in Bluetooth communication, potentially allowing unauthorized access to patient data.
4. **Command Injection:** AVer cameras are susceptible to OS command injection through web management interfaces.
## Exploitation
- **Status:** Most reported as "Not exploited in the wild" at the time of publication. Public proof-of-concept code exists for earlier flaws in Rockwell and Schneider products and protocols, so the absence of in-the-wild reports should not be read as low risk.
- **Complexity:** Low to Medium.
- **Attack Vector:** Primarily **Network**. Many of these vulnerabilities can be exploited remotely if the device is exposed to the Internet or an untrusted local network. The Apollo glucose monitor's Bluetooth flaw is the exception: it requires an attacker within radio range (CVSS attack vector Adjacent).
## Impact
- **Confidentiality:** High (Potential theft of sensitive industrial telemetry or patient health data).
- **Integrity:** High (Ability to modify PLC logic, sensor thresholds, or device configurations).
- **Availability:** High (Potential for Denial of Service (DoS) resulting in industrial process stoppage; CVSS rates availability impact as None/Low/High, so "High" is the maximum).
## Remediation
### Patches
- **AzeoTech:** Update DAQFactory to version 21.1 or later.
- **Mitsubishi:** Update FX5-EIP firmware to v1.000 or later; for FX5-ENET, apply network isolation.
- **Rockwell Automation:**
- Update 1794-AENTR to V2.012.
- Update RSLinx Classic to 4.50.00.
- Apply latest firmware for Logix 5370/5570.
- **Schneider Electric:** Update EasyLogic T150 and Saitel DP to v11.06.31/11.06.36.
### Workarounds
- **Network Segmentation:** Minimize network exposure for all control system devices. Ensure they are not accessible from the Internet.
- **Firewalling:** Use VPNs for remote access and implement hardware firewalls between Business and ICS networks (DMZ). A VPN is only as secure as the devices connected to it, so keep VPN endpoints patched and restrict them to named engineering hosts.
- **Physical Security:** For medical devices like the Apollo monitor, ensure physical control over the device and paired smartphones.
## Detection
- **Indicators of Compromise:** Unusual industrial protocol traffic (EtherNet/IP, Modbus), such as write, diagnostic, or program-download commands from hosts other than known engineering workstations; unexpected device reboots; or unauthorized configuration changes recorded in device logs.
- **Detection Methods:** Use ICS-aware Deep Packet Inspection (DPI) tools to baseline which hosts send which function codes to each PLC, and alert on state-changing or non-public (vendor-defined) commands from any host outside that baseline.
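The detection logic described above, as an added example that is not part of the CISA or Cyber Centre advisory: it parses Modbus/TCP frames (7-byte MBAP header plus PDU) and raises an alert when a state-changing or diagnostic function code comes from a host that is not on the engineering-workstation allow list, when a non-public (vendor or user-defined) function code appears, or when a frame's length field does not match the bytes on the wire. The host addresses, the allow list, and the sample frames are constructed for illustration; the public function-code sets are from the Modbus application protocol specification.

```python
"""Added example: flag suspicious Modbus/TCP requests from captured traffic.
Hosts, addresses and sample frames are constructed, not from any advisory."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Public Modbus function codes that change PLC state or run diagnostics.
STATE_CHANGING = {5: "Write Single Coil", 6: "Write Single Register",
                  8: "Diagnostics", 15: "Write Multiple Coils",
                  16: "Write Multiple Registers", 22: "Mask Write Register",
                  23: "Read/Write Multiple Registers"}
# Remaining public (read-only) codes; anything else is vendor/user-defined.
READ_ONLY = {1, 2, 3, 4, 7, 11, 12, 17, 20, 24, 43}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    unit_id: int
    function: int
    reason: str


def parse_mbap(adu: bytes):
    """Split a Modbus/TCP ADU into (unit_id, function_code, data).

    MBAP header: transaction id (2), protocol id (2, always 0), length (2,
    counts unit id + PDU), unit id (1). Returns None if the frame is malformed.
    """
    if len(adu) < 8:
        return None
    _txn, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        return None
    return unit, adu[7], adu[8:]


def inspect(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload) for
    client->PLC requests. allowed_writers: set of IPs permitted to write."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            alerts.append(Alert(src, dst, -1, -1, "malformed MBAP frame"))
            continue
        unit, fc, _data = parsed
        if fc in STATE_CHANGING:
            if src not in allowed_writers:
                alerts.append(Alert(src, dst, unit, fc,
                                    f"{STATE_CHANGING[fc]} from non-engineering host"))
        elif fc not in READ_ONLY:
            alerts.append(Alert(src, dst, unit, fc,
                                "non-public function code (vendor/user-defined)"))
    return alerts


def build_adu(txn: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request ADU (used here only to build samples)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (src, dst, dst_port, payload). Addresses are made up.
ENGINEERING_WS = "10.10.1.10"
HMI = "10.10.1.20"
UNKNOWN_HOST = "10.10.1.99"
PLC = "10.10.2.5"
SAMPLE_PACKETS = [
    # HMI polls holding registers 0-9: normal read, no alert.
    (HMI, PLC, 502, build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writes two registers at 100: allow-listed.
    (ENGINEERING_WS, PLC, 502,
     build_adu(2, 1, 16, struct.pack(">HHB", 100, 2, 4) + b"\x00\x01\x00\x02")),
    # HMI writes a single register: HMIs in this plant only read -> alert.
    (HMI, PLC, 502, build_adu(3, 1, 6, struct.pack(">HH", 40, 0xFFFF))),
    # Unknown host sends user-defined function code 0x5A -> alert.
    (UNKNOWN_HOST, PLC, 502, build_adu(4, 1, 0x5A, b"\x01\x02")),
    # Length field claims 6 bytes but only 3 follow -> malformed alert.
    (UNKNOWN_HOST, PLC, 502, b"\x00\x05\x00\x00\x00\x06\x01\x03\x00"),
    # Non-Modbus port is ignored by this inspector.
    (UNKNOWN_HOST, PLC, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS, {ENGINEERING_WS}):
        print(alert)
```

Running the block prints three alerts: the HMI write, the vendor function code, and the truncated frame. In practice the allow list would come from the asset inventory, and the same per-source baseline should be kept for EtherNet/IP (CIP) services, where unexpected writes and program downloads are the equivalent signal.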
## References
- **CISA ICS Advisories:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories
- **Cyber Centre Alert:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-620
- **Mitsubishi Electric:** hxxps[://]www[.]mitsubishielectric[.]com/en/capabilities/sustainability/security/index[.]html
- **Schneider Electric Security:** hxxps[://]www[.]se[.]com/ww/en/work/support/cybersecurity/security-notifications[.]jsp