Conference Committee Finishes Final Version of FY 2026 NDAA – S 1071

Yesterday the House Rules Committee updated their meeting notice for their Tuesday meeting to include S 1071 as the vehicle for the final version of FY 2026 National Defense Authorization Act. The Rules Committee web site provides the text of the new NDAA. The Committee will meet tomorrow to formulate the rule for the consideration of the bill. I would expect it to be a closed rule, with limited debate, no further amendments, and a simple majority vote requirement. There should be significant bipartisan support for the bill.

Originally, S 1071 passed in the Senate as “A bill to require the Secretary of Veterans Affairs to disinter the remains of Fernando V. Cota from Fort Sam Houston National Cemetery, Texas, and for other purposes”. According to a press release from Sen Cruz’ office, Cota was a convicted rapist that was interred in the Fort Sam Houston National Cemetery. The text from the Senate passed bill has been included in the final conference version of the bill as §8806.

The bill now includes:

DIVISION E—Department of State Authorization Act for Fiscal Year 2026,

DIVISION F – Intelligence Authorization Act for Fiscal Year 2026,

DIVISION G – Coast Guard Authorization Act of 2025, and

TITLE LXXXVI – Securing the airspace, facilitating emergency response, and safeguarding key infrastructure, entertainment venues, and stadiums.

I will have more details in subsequent posts.

Review – Public ICS Disclosures – Week of 11-29-25 – Part 2

For Part 2 we have 19 bulk disclosures from Splunk (10) and WatchGuard (9). We have two additional vendor disclosures from Wireshark. There are four vendor updates from Advantech, Moxa (2), and VMware. There are ten researcher reports on vulnerabilities in a product from Socomec. Finally, we have two exploits for products from Broadcom and PX4.

Block Disclosures

Bulk Disclosures – Splunk

• SPL commands allowlist controls bypass in Splunk MCP Server app through "run_splunk_query" MCP tool,

• Third-Party Package Updates in Splunk Enterprise - December 2025,

• Improper Input Validation in "label" column field in Splunk Secure Gateway App,

• Blind Server Side Request Forgery (SSRF) through Distributed Search Peers in Splunk Enterprise,

• Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade,

• Incorrect permission assignment on Splunk Enterprise for Windows during new installation or upgrade,

• Stored Cross-Site scripting (XSS) through Anchor Tag "href" in Navigation Bar Collections in Splunk Enterprise,

• Unauthenticated Log Injection in Splunk Enterprise,

• Improper access control through push notifications for reports and alerts in Splunk Secure Gateway app, and

• URL validation bypass through Views Dashboard in Splunk Enterprise

Bulk Disclosures – WatchGuard

• WatchGuard Firebox Boot Time System Integrity Check Bypass,

• WatchGuard Firebox XPath Injection Vulnerability in Web CGI,

• WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Gateway Wireless Controller,

• WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Autotask Technology Integration Configuration,

• WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in ConnectWise Technology Integration Configuration,

• WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Tigerpaw Technology Integration Configuration,

• WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI Ping Command,

• WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI IPSec Configuration,

• WatchGuard Firebox iked Memory Corruption Vulnerability,

• WatchGuard Firebox Authenticated Out of Bounds Write in certd,

Advisories

Wireshark Advisory #1 - Wireshark published an advisory that describes an infinite loop vulnerability (with publicly available exploit) in their MEGACO dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes an improperly controlled sequential memory allocation vulnerability (with publicly available exploit) in their HTTP3 dissector.

Updates

Advantech Update - Advantech published an update for their WISE-DeviceOn advisory that was originally published on November 18^th, 2025.

Moxa Update #1 - Moxa published an update for their Secure Routers advisory that was originally published on April 2^nd, 2025, and most recently updated on October 27^th, 2025.

Moxa Update #2 - Moxa published an update for their Secure Routers advisory that was originally published on April 2^nd, 2025, and most recently updated on October 27^th, 2025.

VMware Update - Broadcom published an update for their vCenter Server advisory that was originally published on September 21s, 2021, and most recently updated on September 24^th, 2021.

Researcher Reports

Socomec Reports - Cisco Talos published ten reports for 14 vulnerabilities in the Socomec DIRIS Digiware M-70.

Exploits

Broadcom Exploit - Laginimaineb published an exploit for an improper restriction of operations within the bounds of a memory buffer in the Broadcom BCM4355C0 Wi-Fi chips.

PX 4 Exploit - Indoushka published an exploit for a stack-based buffer overflow vulnerability in the PX4 drone autopilot.

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-2dc - subscription required.

Review – CSB Updated the Status of 12 Incident Recommendations – 12-4-25

 Yesterday the Chemical Safety Board (CSB) updated their Recent Recommendation Status Updates page, closing four recommendations with acceptable alternative actions. These actions left 119 of 1025 recommendations open. Additionally, the CSB updated the open status of eight recommendations. The CSB took all of these actions on December 4^th, 2025. The previous update was published on September 6th, 2025.

The four recently closed recommendations are:

• TS USA Molten Salt Eruption - 2024-01-I-TN-R3 - TS USA,

• LyondellBasell La Porte Fatal Chemical Release - 2021-05-I-TX-R1 – Lyondell Basell Industries,

• LyondellBasell La Porte Fatal Chemical Release - 2021-05-I-TX-R2 – Lyondell Basell Industries, and

• Aghorn Operating Inc. Waterflood Station Hydrogen Sulfide Release - 2020-01-I-TX-R7 - Aghorn Operating Inc.

 

For more information on the investigation responses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updated-the-status-of-12-incident - subscription required.

Chemical Incident Reporting – Week of 11-29-25

NOTE: See here for series background.

Honea Path, S.C– 12-3-25

Local News Report: Here, here, and here.

There was a chlorine leak at a water treatment plant caused by a leaking valve. There are no reports of injuries or damages.

Not CSB reportable.

South Bend, IN – 12-4-25

Local News Report: Here, and here.

There was a small chemical spill in a university lab. Four individuals were evaluated for chemical exposure and released from a local wellness center.

Not CSB reportable.

Cleveland, TN – 12-5-25

Local News Report: Here, here, and here.

There was a chemical leak at a food processing facility. Six people were sent to local hospitals for exposure issues. There is no mention of what chemical is involved.

Possible CSB reportable.

Review – Public ICS Disclosures – Week of 11-29-25 – Part 1

This is a moderately busy disclosure week. We bulk disclosures from HPE (9). We also have nine additional vendor disclosures from CODESYS (3), Hitachi Energy, HP, Medtronic, Meinberg, and Philips (2).

Bulk Disclosures – HPE

• HPESBHF04944 rev.1 - HPE Superdome Flex 280 and Compute Scale-up Server 3200 Platform Servers Using Certain Intel Processors, INTEL-SA-01280, 2025.3 IPU, Intel Chipset Firmware Advisory, Multiple Vulnerabilities,

• HPESBNW04974 rev.1 - HPE Unified OSS Console Assurance Monitoring (UOCAM), Multiple Vulnerabilities,

• HPESBNW04976 rev.1 - HPE Virtualized Telecommunication Management Information Platform (vTeMIP), Multiple Vulnerabilities,

• HPESBNW04972 Rev. 1 - HPE Telco Network Function Virtual Orchestrator, Multiple Vulnerabilities,

• HPESBUX04977 rev.1 - HP-UX Using OpenSSL, Memory Corruption and Remote Code Execution Vulnerabilities,

• HPESBCR04979 rev.1 - HPE Cray XD670 Server Using Certain Intel Processors, INTEL-SA-01280, 2025.3 IPU, Intel Chipset Firmware Advisory, Multiple Vulnerabilities,

• HPESBCR04980 rev.1 - HPE Cray XD670 Server Using Certain Intel Processors, INTEL-SA-01312, Intel TDX Module Advisory, Multiple Vulnerabilities,

• HPESBCR04981 rev.1 - HPE Cray XD670 Server Using Certain Intel Processors, INTEL-SA-01313, 2025.3 IPU, Intel Xeon Processor Firmware Advisory, Multiple Vulnerabilities,

• HPESBCR04982 rev.1 - HPE Cray XD670 Server Using UEFI, Multiple Vulnerabilities.

Advisories

CODESYS Advisory #1 - CODESYS published an advisory that describes an out-of-bounds read vulnerability in their Control runtime system.

CODESYS Advisory #2 - CODESYS published an advisory that describes a type confusion vulnerability in their Control runtime system's CmpVisuServer component.

CODESYS Advisory #3 - CODESYS published an advisory that describes a deserialization of untrusted data vulnerability in their Development System.

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability (listed in CISA’s Known Exploited Vulnerability catalog) in their React Server Components.

HP Advisory - HP published an advisory that describes a race condition enabling link following vulnerability in their Image Assistant product.

Medtronic Advisory - Medtronic published an advisory that describes four vulnerabilities in their CareLink Network web application.

Meinberg Advisory - Meinberg published an advisory that discusses three vulnerabilities (one with publicly available exploit) in their LANTIME product.

Philips Advisory #1 - Philips published an advisory that discusses the Meta React Server Components vulnerability that was added to CISA’s KEV catalog.

Philips Advisory #2 - Philips published an advisory that discusses the Vercel NEXT.js vulnerability that is associated with the Meta React Server vulnerability.

 

For more information on these disclosures, including links to 3^rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-08a - subscription required.

Review - Bills Introduced – 12-4-25

Yesterday, with both the House and Senate in Washington, there were 115 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 6429 To establish in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security a program to promote the cybersecurity field to disadvantaged communities, including older individuals, racial and ethnic minorities, people with disabilities, geographically diverse communities, socioeconomically diverse communities, women, individuals from nontraditional educational paths, individuals who are veterans, and individuals who were formerly incarcerated, and for other purposes. Brown, Shontel M. [Rep.-D-OH-11]

HR 6460 To amend title 49, United States Code, to clarify exceptions for limited recreational operations of unmanned aircraft, and for other purposes. Mann, Tracey [Rep.-R-KS-1]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a brief look at two anti-scam bills, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-4-25 - subscription required.

Chemical Transportation Incidents – Week of 11-1-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 497 (464 highway, 29 air, 4 rail, 0 water)

• Serious incidents – 6 (1 Bulk release, 1 evacuation, 1 injury, 0 death, 1 major artery closed, 5 fire/explosion, 28 no release)

• Largest container involved – 28,480-gal DOT 117J100W Railcar {Petroleum Crude Oil} Manway bolts not tool tight.

• Largest amount spilled – 225-gal Plastic IBC {Sulfuric Acid With Not More Than 51% Acid} IBC fell.

• Total amount reported spilled in all incidents – 1619.7-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Petroleum Crude Oil: A complex mixture of aliphatic and aromatic hydrocarbons containing low percentages of sulfur and trace amounts of nitrogen and oxygen compounds. A black sticky liquid with a strong hydrocarbon odor. (Source: CameoChemicals.NOAA.gov).