Executive Summary
OT/ICS risk is elevated this week driven by multiple, concurrent perimeter-access threats and direct OT exploitation reports. Active advisories detail: state-linked campaigns leveraging covert SOHO/IoT proxy networks and edge-device CVEs for pre-positioning; widespread Fortinet FortiGate credential exposure enabling VPN ingress; actively exploited authentication bypass in Check Point VPN (IKEv1) and a high-risk PAN‑OS GlobalProtect auth bypass; and confirmed Iranian-affiliated exploitation against internet-exposed PLCs causing operational impact. Additional OT-adjacent risks include an unpatched, end‑of‑life OpenPLC v3 runtime RCE path, exploited PLM/UC vulnerabilities added to CISA KEV, supply-chain compromises in npm, and destructive wiper capabilities.
Priority over the next 72 hours: close remote-access gaps (VPN/auth bypass, credential reuse), remove any direct internet exposure of PLCs/HMIs and VNC, apply vendor fixes for actively exploited KEV items, hunt for evidence of compromise on edge devices and identity providers, and stage compensating controls where patching is constrained.
Key Findings
- Perimeter VPN exposure is the dominant risk vector (Fortinet FortiGate credential leaks; Check Point IKEv1 auth bypass under active exploitation; PAN‑OS GlobalProtect auth bypass).
- Direct OT exploitation confirmed: Iranian‑affiliated actors targeted Allen‑Bradley PLCs leading to operational disruption across multiple sectors.
- Nation‑state pre‑positioning via compromised SOHO/IoT infrastructure and network edge devices increases the likelihood of high‑impact operations against CNI.
- OpenPLC v3 (EOL) allows authenticated file‑write to RCE via legacy upload workflow; upgrade path to v4 is recommended.
- Supply‑chain and developer environment risk rising (npm typosquat campaign with CI profiling; web CMS/AI workflow KEV additions; Trend Micro Apex One exploited for code distribution).
Threat Dashboard
Top Five Priority Threats
- Iranian‑affiliated exploitation of internet‑exposed PLCs (Allen‑Bradley) — Immediate removal of internet exposure; brokered access with MFA; enforce controller Run mode; deploy OT IDS. Source: CISA AA26‑097a.
- Fortinet FortiGate credential exposure “FortiBleed” — Rotate all FortiGate/admin/VPN creds; enforce MFA and PBKDF2‑supported FortiOS; hunt for config exports and unauthorized VPN logins. Source: JPCERT-AT-2026-0019.
- Check Point VPN IKEv1 auth bypass (CVE‑2026‑50751) — actively exploited — Disable IKEv1; patch per vendor; require device certs/MFA; hunt for unauthorized sessions. Source: JPCERT-AT-2026-0016.
- PAN‑OS GlobalProtect auth bypass (CVE‑2026‑0265) — Patch/mitigate CAS‑enabled interfaces; restrict portal access; monitor anomalous VPN logins. Source: JPCERT-AT-2026-0015.
- China‑nexus covert SOHO/IoT proxy networks & router compromises — Patch edge CVEs; harden AAA/SNMP; monitor Covert‑Net C2 patterns; validate firmware integrity; coordinated eviction. Sources: CISA AA26‑113a, CISA AA25‑239a.
OT/ICS Relevance Assessment
- Direct OT impact documented against PLCs (logic access, setpoint manipulation, alarm suppression) with multi‑sector operational consequences.
- Perimeter VPN/auth gaps provide the most likely IT‑to‑OT pivot into engineering workstations, HMIs, and historian networks.
- OpenPLC v3 runtime risk is intrinsic to control runtime integrity; compromise could alter control logic or enable native code execution on OT hosts.
- ICS vendor advisories (relays, UPS management, energy planning tools) expand reconnaissance and disruption windows if unmanaged.
- Supply‑chain compromises and identity phishing (device_code flow) threaten build systems and admin identities that manage OT gateways.
Threat Actor Activity
- PRC‑linked operations leveraging compromised edge/consumer devices and router implants for espionage and pre‑positioning (Volt Typhoon/related TTPs).
- Iran‑affiliated groups targeting internet‑exposed PLCs and OT HMIs with known tooling and ports (44818, 2222, 102, 502, 22).
- Pro‑Russia hacktivists opportunistically abusing exposed VNC/HMIs to alter process parameters and disrupt operations.
- RaaS “The Gentlemen” expanding via Fortinet VPN credential abuse; rapid lateral movement and encryption risk.
- Scattered Spider case updates reinforce identity/social engineering TTPs (SIM swap, vishing) relevant to SSO/MFA defenses.
Vulnerability and CVE Watch
- Actively exploited (KEV): Adobe ColdFusion path traversal; Joomla extensions (JoomShaper, Joomlack, iCagenda, Balbooa Forms) and Langflow auth issues; PTC Windchill/FlexPLM and Cisco UCM SSRF.
- OT/ICS: OpenPLC v3 authenticated file write to RCE (upgrade to v4); Schneider Electric PowerChute Serial Shutdown multi‑flaw; Schneider MiCOM Px40 SNMP info‑disclosure; Hitachi Energy PROMOD V HTTP cleartext.
- Enterprise perimeters: PAN‑OS GlobalProtect (CVE‑2026‑0265); Check Point IKEv1 auth bypass (CVE‑2026‑50751); Exchange and SharePoint KEV activity in recent cycles.
- Identity/OIDC: OpenIDC liboauth2 SSRF and DPoP verification flaws (pre‑2.3.0) can aid internal reconnaissance and token misuse.
- Patch tempo: Vendors accelerating releases (Cisco, Mozilla, Adobe, Oracle, Google); anticipate heavier Patch Tuesday load from AI‑discovered vulns.
Affected Vendors & Technologies
Affected Sectors
- Energy, Water/Wastewater, Transportation Systems, Manufacturing, Government Services and Facilities.
- Healthcare and Communications (adjacent exposure via VPN/identity and UPS/UC tools).
- Telecommunications/backbone providers targeted for routing and traffic manipulation (pre‑positioning risk to downstream OT).
TTPs and MITRE ATT&CK Observations
- Initial access: Exploit Public‑Facing Application (T1190); Valid Accounts (T1078); Authentication Bypass (CWE‑287); VPN abuse.
- Persistence/Privilege: Web Shell (T1505.003); Abuse of AAA/TACACS+/RADIUS; Driver abuse to disable security; LOTL (PowerShell, schtasks, WMI).
- Command & Control: Covert proxies via SOHO/IoT; multiplexed tunnels; residential proxies/botnets (origin masking).
- Discovery/Lateral: Credential dumping (LSASS/DPAPI); SSRF from identity components; device_code OAuth abuse; SQL xp_cmdshell pivot.
- ICS ATT&CK: Modify Program (T0847); Manipulation of Control (T0831); Inhibit Response Function (T0803); Alarm Suppression (T0878).
Defensive Mitigation Priorities
- Remote access hardening: Require phishing‑resistant MFA for all VPN/admin; disable legacy IKEv1; restrict portals by IP and device certificates; eliminate direct internet exposure of PLCs/HMIs/VNC.
- Edge device hygiene: Patch KEV‑listed and vendor CVEs; lock down AAA/SNMPv3; restrict management planes to out‑of‑band networks; monitor config diffs, SPAN/PCAP/tunnels.
- Identity controls: Conditional Access for device_code; limit OAuth consent; rotate keys/tokens; enforce least privilege and PAM for AD/IdP; monitor for anomalous sign‑ins.
- OT segmentation: Enforce ISA/IEC 62443 zones/conduits; broker OT access via hardened jump hosts; allowlist OT protocols/commands; deploy OT IDS/NDR.
- Patch and compensating controls: Prioritize KEV and perimeter exposures; apply virtual patching/WAF; plan emergency maintenance windows; upgrade OpenPLC v3 to v4.
- Supply‑chain & CI: Enforce package/registry allowlists; disable install‑time scripts in CI; rotate developer/CI credentials; block exfil to known run.app endpoints.
- Resilience: Maintain offline/immutable backups of HMI/PLC logic and configs; test restoration; prepare rapid isolation runbooks for wiper/ransomware events.
Next 72‑Hour Outlook
- Emergency actions: Disable IKEv1 on Check Point; apply mitigations for PAN‑OS CAS auth bypass; rotate and enforce MFA on FortiGate VPN and admin accounts; remove any internet‑exposed PLCs/VNC immediately.
- Hunt operations: Review VPN logs for anomalous sessions; search for router/edge persistence (ACL changes, on‑box PCAP, strange management ports); hunt webshells on public apps named in KEV.
- Change control: Schedule out‑of‑cycle patching for KEV items (PTC, Cisco UCM; ColdFusion; Joomla/Langflow components); stage rollbacks and test in staging for OT‑adjacent systems.
- Detection uplift: Add detections for OAuth device_code sign‑ins; ScreenConnect/AnyDesk misuse; driver installation events; raw disk write attempts; residential‑proxy traffic patterns.
Event Cards — Escalate (Action Required)
Iranian‑Affiliated Actors Exploit Internet‑Exposed PLCs
ESCALATEConfirmed OT intrusions manipulating Allen‑Bradley PLCs and HMI displays across multiple sectors. Remove exposure; broker access via MFA‑protected jump hosts; set controllers to Run mode; deploy OT IDS.
Fortinet FortiGate Credential Exposure (“FortiBleed”)
ESCALATELeaked/harvested FortiGate credentials in circulation enable unauthorized VPN ingress and AD credential theft. Enforce MFA, rotate creds, upgrade to PBKDF2‑supported FortiOS, hunt for config exports and anomalous logins.
Check Point VPN IKEv1 Auth Bypass (CVE‑2026‑50751) – Active
ESCALATEAuth bypass when IKEv1 is enabled allows unauthorized VPN sessions. Disable IKEv1, patch gateways, require device certificates and MFA, and hunt for unauthorized connections.
PAN‑OS GlobalProtect Auth Bypass (CVE‑2026‑0265)
ESCALATECAS‑enabled login interfaces can be bypassed, risking perimeter compromise. Patch to fixed PAN‑OS versions, restrict portal access, monitor anomalous VPN activity.
China‑Nexus Covert Networks via SOHO/IoT Proxies
ESCALATELarge covert proxy networks used to mask access and pre‑position in CNI. Disable remote admin on SOHO/IoT, patch/replace EoL gear, monitor egress to residential ASNs, and tighten OT segmentation.
Global Router/Edge Compromise for Espionage
ESCALATEMulti‑agency report of PRC APTs exploiting edge CVEs, modifying configs, mirroring traffic, and abusing AAA for persistence across telecom/critical networks. Patch, lock down management planes, rotate TACACS+/RADIUS secrets, audit SPAN/PCAP/tunnels, coordinate eviction.
OpenPLC v3 Runtime — Authenticated File‑Write to RCE
ESCALATELegacy upload workflow enables arbitrary file writes that compile into runtime, leading to code execution. OpenPLC v3 is EOL; upgrade to v4, disable legacy upload paths, enforce MFA/RBAC, and monitor for unexpected compilations.
Actively Exploited: PTC Windchill/FlexPLM, Cisco UCM (KEV)
ESCALATEKEV adds exploited flaws in manufacturing PLM and UC systems. Patch immediately, restrict exposure, add WAF/egress rules, and assess for pre‑patch compromise per BOD 26‑04.
Ransomware “The Gentlemen” — Fortinet VPN Abuse
ESCALATERapidly growing RaaS using Fortinet SSL‑VPN credentials for initial access; fast lateral movement and mass encryption. Enforce MFA, rotate creds, patch FortiOS, segment IT/OT, and validate offline backups.
npm Supply‑Chain: Install‑Time CI/Dev Profiling Campaign
ESCALATETyposquatted packages exfil host/CI metadata to Cloud Run, enabling targeted follow‑on intrusion. Enforce registry/package allowlists, disable install scripts in CI, rotate developer/CI credentials, and block run.app beacons.
Trend Micro Apex One — Exploited Server‑Side Flaw
ESCALATEActive exploitation of path traversal enabling abused agent distribution and privilege escalation. Patch servers/agents, restrict exposure, verify integrity, and monitor agent task distributions.
Destructive “GigaWiper” Platform
ESCALATEModular Golang backdoor/wiper with raw disk wiping and irreversible encryption; threatens HMI/engineering workstation availability. Elevate EDR protections, monitor raw disk access, harden backups, and prepare rapid isolation.
Pro‑Russia Hacktivists Target Exposed VNC/HMIs
ESCALATEOpportunistic attacks change setpoints, suppress alarms, and lock operators out. Remove public VNC, require MFA via VPN/jump host, segment OT networks, and assume compromise if exposure + weak creds detected.
CISA IR Case Study — GeoServer RCE to Multi‑Host Compromise
ESCALATEUnpatched GeoServer CVE exploited for webshells, lateral movement via SQL xp_cmdshell and BITS. Patch GeoServer, hunt webshells, restrict xp_cmdshell, and enforce egress controls.
Event Cards — Monitor (Track and Prepare)
Residential Proxy Botnets and Enforcement
MONITORPopa/Vo1d botnet abused smart TVs/TV boxes for residential proxying; FBI/IRS‑CI seized NetNut infrastructure. Block residential proxy ASNs/domains, segment IoT/TV devices, enforce MFA and rate limits.
IRIS C2 Zero‑Day Brokerage Exposure
MONITORInvestigations tie “IRIS C2” to controversial principals soliciting zero‑day exploits. Heighten mobile hardening for high‑risk users, strengthen vendor due diligence, and monitor for zero‑day exploitation signals.
Web/CMS and AI Workflow — KEV Additions
MONITORActively exploited upload/auth flaws in Joomla extensions (SP Page Builder, Joomlack, iCagenda, Balbooa) and Langflow. Patch/disable components, hunt webshells, restrict admin interfaces, add WAF rules.
ICS Vendor Advisories (Schneider, Hitachi Energy)
MONITORSNMP info disclosure in MiCOM Px40 relays; multi‑flaw in PowerChute Serial Shutdown; PROMOD V cleartext HTTP dependency. Restrict/upgrade SNMP (v3), patch UPS software, enforce TLS for PROMOD/Digipede.
Adobe Acrobat/Reader RCE (APSB26‑63)
MONITORMalicious PDFs can enable code execution; patch to fixed versions; enable Protected View/sandboxing and restrict untrusted PDFs, especially on jump/engineering workstations.
OpenIDC liboauth2 SSRF & DPoP Verification Flaws
MONITORPre‑2.3.0 library issues allow SSRF and weakened DPoP checking. Upgrade to 2.3.0, restrict egress from IdP components, and enforce strict DPoP verification.
OT‑Adjacent Enterprise Web/Doc Threats
MONITOR“Comment stuffing” HTML phishing evades AI/NLP; Exchange spoofing CVE active in the wild; SharePoint deserialization in KEV. Harden email, hunt for credential misuse, and patch Microsoft servers.
Developer/RMM Abuse Campaign (ScreenConnect + AsyncRAT)
MONITORSEO‑poisoned installers deploy ScreenConnect and AsyncRAT via DLL sideloading. Constrain RMMs near OT, enable EDR rules for process hollowing, and block MSI/script execution from untrusted paths.
Patch Cadence Acceleration & Windows Update Volume
MONITORVendors increasing security release tempo (Cisco, Mozilla, Adobe, Oracle, Google; Microsoft warns larger Patch Tuesdays). Prepare risk‑based patching and OT staging windows.
Kaspersky ICS CERT Q1‑2026 Telemetry
MONITOROverall declines with regional spikes (Southern Europe, Russia, SE Asia). Harden email/web for ICS users, isolate internet access, and enforce allowlisting on HMIs/EWS.
CISA Keys Exposure Post‑Mortem (Cloud/IaC Hygiene)
MONITORGovCloud keys briefly exposed by contractor code upload. Reinforce OIDC‑based federation, pre‑commit secret scanning, strong logging, and rapid key rotation playbooks.
Event Cards — Ignore (No Action)
Low‑detail OS/browser advisories and vendor PR items
IGNOREGeneric Chrome/SUSE/FreeBSD notices without CVEs or technical depth; trade press/vendor announcements with no threat intel value.
Source References
Clickable sources are also embedded within each event card. Key references include:
- CISA advisories and KEV updates: AA26‑097a; AA26‑113a; AA25‑239a; AA25‑343a; AA25‑266a; KEV entries (2026‑06‑25; 2026‑07‑01; 2026‑07‑07; 2026‑07‑10); ICS advisories ICSA‑26‑190‑01/02/03; ICSA‑26‑188‑02.
- JPCERT/CC alerts: AT‑2026‑0014/0015/0016/0017/0018/0019.
- KrebsOnSecurity investigations: Popa/NetNut; IRIS C2; Patch Tuesday; Scattered Spider; The Gentlemen.
- Kaspersky Securelist: ICS CERT Q1‑2026; ScreenConnect/AsyncRAT campaign; Device code phishing analysis.
- CERT Polska disclosures: MyComplianceOffice; R‑SOFT DMS; OpenIDC liboauth2; GNU patch; mtr; SOPlanning.
- heise Security coverage: Zero‑day policy debates; patch cadence changes; international law‑enforcement operations.
- Infosecurity Magazine: GigaWiper; Microsoft patch/AI trends; SharePoint/driver abuse reporting.
- SANS ISC diaries: “Comment stuffing” HTML phishing evasion.