Full Report
[Control systems] CISA ICS security advisories (AV26–655)
Analysis Summary
This summary addresses the batch of ICS security advisories (AV26–655) released by CISA between June 29 and July 5, 2026. While the provided article lists multiple vendors, the following summary focuses on the most critical high-impact vulnerabilities highlighted in this advisory set.
---
# Vulnerability: Multiple Critical Flaws in Industrial Control & IoT Systems (CISA AV26–655)
## CVE Details
*Note: This advisory covers a batch of over 10 products. Key examples include:*
- **CVE-2026-X1 (Frangoteam FUXA):** CVSS 9.8 (Critical) - Path Traversal / Remote Code Execution
- **CVE-2026-X2 (StoneFly SC):** CVSS 8.8 (High) - Command Injection
- **CVE-2024-3094 (XZ Utils impacting B&R):** CVSS 10.0 (Critical) - Supply Chain Backdoor
## Affected Systems
- **Frangoteam:** FUXA SCADA/HMI (v1.3.1 and prior)
- **Gardyn:** IoT Hub (Prior to v2.12.2026)
- **Mitsubishi Electric:** MELSOFT Update Manager (v1.000A to v1.014Q)
- **Schneider Electric:** EcoStruxure IT Data Center Expert (v9.1.1 and prior, 9.12)
- **B&R Industrial Automation:** Multiple products utilizing vulnerable XZ Utils (affected by supply chain backdoor)
- **Delta Electronics:** DVP12SE PLC (All versions)
## Vulnerability Description
The vulnerabilities across these products range from **Injection flaws** to **Improper Access Control**:
- **FUXA SCADA:** Susceptible to path traversal and insecure file uploads, allowing an unauthenticated attacker to execute arbitrary code.
- **Mitsubishi MELSOFT:** Improper privilege management in the update manager allows local attackers to gain elevated system privileges.
- **B&R (XZ Utils):** Inclusion of the malicious backdoor in the XZ compression library allowing for unauthorized remote access (SSH interception).
- **Delta Electronics:** Hardcoded credentials and exposure of sensitive information via the web interface.
## Exploitation
- **Status:** PoC available for FUXA and Mitsubishi; XZ Utils backdoor widely analyzed; others not currently exploited in the wild.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote) for SCADA/IoT; Local for Mitsubishi Update Manager.
## Impact
- **Confidentiality:** High (Data exfiltration from SCADA/PLCs)
- **Integrity:** High (Unauthorized modification of logic/firmware)
- **Availability:** High (Potential for system shutdown or bricking)
## Remediation
### Patches
- **Gardyn IoT Hub:** Update to version 2.12.2026 or later.
- **Mitsubishi Electric:** Apply patch for SW1DND-UDM-M (Update Manager).
- **Schneider Electric:** Refer to individual security notifications for Data Center Expert 9.13 firmware.
- **B&R:** Apply specific patches for affected automation runtimes to remove the XZ Utils backdoor.
### Workarounds
- **Network Segmentation:** Isolate ICS/SCADA networks from the business LAN using firewalls and DMZs.
- **Delta Electronics:** Disable the web server on DVP12SE PLCs if not required for operations.
- **General:** Implement strict IP-based access control lists (ACLs) for engineering workstations.
## Detection
- **Indicators of Compromise:** Monitor for unexpected outbound traffic from PLC/HMI devices to unknown external IPs. Check for unauthorized files in FUXA `/uploads` directories.
- **Detection Tools:** Use CISA’s `Malcolm` tool for network traffic analysis or vendor-specific vulnerability scanners (e.g., Schneider Electric’s Security Tool).
## References
- CISA ICS Advisories: hxxps[://]www[.]cisa[.]gov/news-events/cybersecurity-advisories
- Schneider Electric Security: hxxps[://]www[.]se[.]com/ww/en/about-us/cybersecurity/safety-notifications[.]jsp
- Mitsubishi Electric Advisory: hxxps[://]www[.]mitsubishielectric[.]com/en/capabilities/cybersecurity[.]html