CISA warns of critical flaws across industrial control systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a batch of advisories on June 30 warning operators of industrial control systems (ICS) and connected medical equipment to patch a series of flaws, several rated critical, that unauthenticated attackers can reach over a network. The advisories span manufacturing, energy, water, healthcare, and IT sectors, and affect gear deployed worldwide.

The most serious bugs

Top of the list is StoneFly Storage Concentrator, where CISA flags a maximum severity 10.0 issue. The appliance ships with hardcoded credentials stored in an encoded form that can be reversed to plaintext, exposing database, replication, and licensing accounts, alongside OS command injection and SQL injection flaws (CVE-2026-50110, CVE-2026-56415, CVE-2026-55721). StoneFly has released fixed firmware.

Close behind, Delta Electronics DVP12SE programmable logic controllers (PLCs) expose a Modbus TCP service with no authentication (CVE-2026-12819, rated 9.8), letting anyone who can reach the device read and write coils, registers, and control logic. Delta is still preparing a fix and recommends enabling the PLC's IP filter and password protection in the meantime.

A third critical flaw hits the widely used OFFIS DCMTK medical imaging toolkit (CVSS 9.8), where a malicious server can force a client to write files outside its chosen directory and remote attackers can leak memory or crash services (CVE-2026-50003 and related issues). A vendor fix is available via the project's latest release.

SCADA, RTUs, and supply chain

CISA also warned of an authentication bypass in Frangoteam FUXA, an open source SCADA/HMI platform, where dot-segment paths such as /api/./users slip past the login check and return user and role data without credentials (CVE-2026-13207); upgrading to FUXA 1.3.2 closes it. Additional advisories cover Mitsubishi Electric's MELSOFT Update Manager (a bundled 7-Zip component, CVE-2025-11001 among others), Schneider Electric's EcoStruxure IT Data Center Expert (an XXE data disclosure bug) and its EasyLogic T150 and Saitel DP RTUs (exposed credentials), and B&R industrial products carrying the XZ Utils decompression flaw CVE-2025-31115.

What operators should do

CISA's standing guidance applies: apply the vendor fixes where available, keep control systems off the public internet, and place them behind firewalls, segmented from business networks, so that network-reachable flaws cannot be triggered from outside the control network. Unauthenticated, network-exploitable bugs in PLCs and SCADA software are exactly the kind of weakness that hostile crews have used against critical infrastructure before, as with the IRGC-linked CyberAv3ngers campaign against Unitronics PLCs.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
