CISA Adds Sonic Wall Vulnerability to KEV Catalog – 12-17-25

Yesterday CISA announced that it had added a missing authorization vulnerability in the SonicWall SMA CISA Adds Sonic Wall Vulnerability to KEV Catalog – 12-17-25. SonicWall issued their advisory on this vulnerability yesterday. They note that the vulnerability was reported by Clément Lecigne and Zander Work of Google Threat Intelligence Group. That advisory also reports that two other unpatched vulnerabilities are necessary for exploit of the missing authorization vulnerability by unauthorized actors. SonicWall has a new platform hotfix that mitigates this vulnerability.

CISA has required that all federal agencies utilizing this SonicWall product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable”. The deadline for those actions is December 24^th, 2025.

CSB Provides Update on the Austin Powder Investigations – 12-17-25

This morning the Chemical Safety Board published an update on their investigation in to two NOx releases at Austin Powder facilities in Ohio and Tennessee. The update provides a brief description of both release incidents and outlines the ongoing work being done to determine the root cause of the releases.

CISA Adds FortiGuard Vulnerability to KEV Catalog – 12-16-25

Yesterday CISA announced that they had added an improper verification of cryptographic signature vulnerability in multiple FortiGuard products to their Known Exploited Vulnerabilities (KEV) catalog. FortiGuard previously disclosed the vulnerability along with mitigation measures and new versions that fixed the vulnerability. Three days later Arctic Wolf reported exploits of the vulnerability (along with a related improper verification vulnerability that is not yet been added to the KEV catalog) in the wild.

CISA had directed federal agencies using the affected FortiGuard products to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. A deadline of December 23^rd, 2025 has been provided for those actions.

Review – Bills Introduced – 12-15-25

On Monday, with both the House and Senate in session, there were 44 bills introduced. This post is a day late because of a delay in publishing the listing of 25 of the 28 bills introduced in the House on December 15th. One of those bills may receive additional attention in this blog:

S 3481 A bill to expand the authority to use counter-unmanned aircraft system technologies to State, local, Tribal, and territorial law enforcement and correctional agencies, and for other purposes. Peters, Gary C. [Sen.-D-MI]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a brief mention in passing about a national counterterrorism strategy for schools bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-15-25 - subscription required.

Reader Comment – API & ASME CSB Responses

Yesterday William Sommer, MBA, PE left a comment on LinkedIn on my note about my blog post on the CSB’s video on the Yenkin-Majestic Resin Plant Vapor Cloud Explosion and Fire. He asked:

“I was struck by one of the recommendations for the API and ASME to provide design, construction, alteration guidance for low pressure vessels in flammable or highly hazardous chemical service: Does anyone know status and where to find?”

I have no insight into the status of the development of the design criteria within the American Petroleum Institute (API) and the American Society of Mechanical Engineers (ASME). I can, however, provide a little more information on the CSB’s take on the status of these recommendations; the data comes from the CSB’s Recommendations Statistics page and the September 23^rd, 2025, downloadable spread sheet on that page. Both recommendations were issued on November 30^th, 2023. The table below summarizes the pertinent data about the two recommendations.

 

 

The text of the API recommendation:

“Develop specific design, construction, and alteration guidance for low-pressure process vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig in API 510 Pressure Vessel Inspection Code, API RP 572 Inspection Practices for Pressure Vessels, and/or other appropriate products. At a minimum, include guidance for:  (i) determining and documenting the low-pressure vessel’s design pressure (such as through a data sheet and a nameplate affixed to the vessel); (ii) determining when or if all or parts of the ASME Boiler and Pressure Vessel Code should be applied; (iii) acceptable alternative engineering methods, if applicable; and, (iv) alteration requirements, such as design assessments, inspections, and pressure testing.”

The text of the supporting ASME recommendation:

“Assist API in developing design, construction, and alteration guidance for low-pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig. If any new design and construction guidance is specifically developed for pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig, reference the design and construction guidance in the Section VIII, Division 1 of the ASME Boiler and Pressure Vessel Code (BPVC).”

Even with a reasonable degree of consensus on the need for standards changes, it takes some time to develop, write and reach consensus on these sorts of things. It does seem to me that two years is not an unreasonable amount of time to be working on such a standard.

If anyone has any information on if/how progress is being made within API or ASME, please let me know.

Review – 4 Advisories and 3 Updates Published – 12-16-25

Today CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, Hitachi Energy, Johnson Controls, and Güralp Systems. They also updated advisories for products from Fuji Electric, Johnson Controls, and Mitsubishi Electric.

Advisories

Mitsubishi Advisory - This advisory describes a cleartext storage of sensitive information vulnerability in the Mitsubishi GT Designer3 products.

Hitachi Energy Advisory - This advisory discusses the BlastRadius-Fail vulnerability.

NOTE: I briefly discussed this vulnerability on November 1^st, 2025.

Johnson Controls Advisory - This advisory describes four vulnerabilities in the Johnson Controls PowerG, IQPanel and IQHub products.

Güralp Advisory - This advisory describes an allocation of resources without limit or throttling vulnerability in the Güralp Fortimus, Minimus, and Certimus product series.

Updates

Fuji Update - This update provides additional information on the Fuji Monitouch V-SFT-6 advisory that was originally published on November 4^th, 2025.

Johnson Controls Update - This update provides additional information on the Johnson Controls iSTAR Ultra advisory that was originally published on August 12^th, 2025.

Mitsubishi Update - This update provides additional information on the Mitsubishi GENESIS advisory that was originally published on May 20^th, 2025, and most recently updated on August 28^th, 2025.

I briefly discussed this update on August 9^th, 2025.

For more information on these advisories, including a brief description of the CISA advisory format change, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-3-updates-published - subscription required.

Review - HR 3435 Introduced – Federal Cyber Workforce Training

Back in May Rep Fallon (R,TX) introduced HR 3435, the Federal Cyber Workforce Training Act of 2025. The bill would require the National Cyber Director to formulate a plan for the establishment of a federal cyber training institute. It does not authorize the actual establishment of the institute, that would require subsequent legislation. The bill specifically does not authorize new spending.

This bill is essentially the same as to HR 9520 that was introduced by Fallon in September 2024. No other action was taken on HR 9520 in the 118^th Congress.

Moving Forward

Fallon is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. With new spending being prohibited, I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support, perhaps enough that it could be considered under the suspension of the rules process.

Commentary

While the proposed institute is not a cybersecurity institute, all cyber work roles should include some level of cybersecurity responsibilities. I think it would be helpful to delineate a responsibility for the institute to establish a minimum level of cybersecurity training for all cyber personnel. To that end, I would like to suggest the insertion of a new §2(b)(2)(C):

“(C) establish a common skill level cybersecurity curriculum for all entry level positions and a more advanced cybersecurity training program for personnel transitioning to mid-career level positions;”

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3435-introduced-federal-cyber - subscription required.