Sunday, February 1, 2026

Review – Public ICS Disclosures – Week of 1-24-26 – Part 2

For Part 2 we have six additional vendor disclosures from dormakaba (3), Splunk, and WatchGuard (2). We have bulk vendor updates from Broadcom (7). There are six additional vendor updates from HP, HPE (3), Palo Alto Networks, and VMware. We also have a researcher report on vulnerabilities in products from IDIS. Finally, we have an exploit for products from Advantech.

Advisories

Dormakaba Advisory #1 - Dormakaba published an advisory that describes 12 vulnerabilities in their Access Manager product.

Dormakaba Advisory #2 - Dormakaba published an advisory that describes seven vulnerabilities in their Kaba exos 9300 systems.

Dormakaba Advisory #3 - Dormakaba published an advisory that describes a debug messages revealing unnecessary information vulnerability in their Registration Unit 9002 Generation K5.

Splunk Advisory - Splunk published an advisory that discusses an improper handling of length parameter inconsistency vulnerability (with publicly available exploits, listed in CISA’s KEV catalog) in their Enterprise product.

WatchGuard Advisory #1 - WatchGuard published an advisory that discusses a privilege escalation vulnerability in their Mobile VPN with IPSec client for Windows.

WatchGuard Advisory #2 - WatchGuard published an advisory that describes an LDAP injection vulnerability in their Fireware OS product.

Bulk Vendor Updates – Broadcom

Brocade Fabric OS (10.x and 9.2.x Releases) Vulnerability Disclosures,

OS command injection vulnerability in OpenSSH (CVE-2023-51385),

Brocade ASCG Vulnerability Disclosures,

Brocade SANnav Vulnerability Disclosures,

CVE-2023-31928 - XSS vulnerability in Brocade Webtools,

Potential Denial of Service exploit in Net-SNMP 5.8 through 5.9.3, and

Linux Kernel Vulnerable to Dangling Pointer via Garbage Collector Racing Against Connect() in AF_UNIX Module.

Bulk Vendor Updates – Hitachi Energy

Cybersecurity Advisory - Reboot Vulnerability in Hitachi Energy Relion 670/650 and SAM600-IO series products,

Cybersecurity Advisory - Improper Input Validation Vulnerability in Hitachi Energy’s Relion® 670/650/SAM600-IO series Product,

Cybersecurity Advisory - OpenSSL Vulnerabilities in Hitachi Energy’s Relion® 670, 650, SAM600-IO series Product,

Cybersecurity Advisory - Update package validation Vulnerability in Hitachi Energy’s Relion® 670, 650 and SAM600-IO Series Products, and

Cybersecurity Advisory - IEC 61850 MMS-Server Vulnerability in Hitachi Energy’s Relion® 670, 650 series and SAM600-IO Products.

Updates

HP Update - HP published an update for their Intel Ethernet I219 Software advisory that was originally published on February 11th, 2025, and most recently updated on April 24th, 2025.

HPE Update #1 - HPE published an update for their OneView Software advisory that was originally published on December 17th, 2025, and most recently updated on December 26th, 2025.

HPE Update #2 - HPE published an update for their Aruba Networking Virtual Intranet Access advisory that was originally published on January 13th, 2026.

HPE Update #3 - HPE published an update for their Aruba Networking AOS-8 advisory that was originally published on January 13th, 2026.

Palo Alto Networks Update - PAN published an update for their GlobalProtect Gateway and Portal advisory that was originally published on January 14th, 2026, and most recently updated on January 16th, 2026.

VMware Update - Broadcom published an update for the VMware vCenter Server advisory that was originally published on June 17th, 2024.

Researcher Reports

IDIS Report - Claroty published a report that describes an argument injection vulnerability in the IDIS ICM Viewer.

Exploits

Advantech Exploit - Indoushka published an exploit for an SQL Injection vulnerability in the Advantech IoTSuite and IoT Edge products.

 

For more information about these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-2c5 - subscription required.

Saturday, January 31, 2026

Short Takes – 1-31-26 – Federal Register Edition

Hazardous Materials: Request for Feedback on Hazmat Transportation Risks: Heavy-Duty Electric Vehicles Versus Internal Combustion Engine Motor Carriers. Federal Register PHMSA request for information. Summary: “The Pipeline and Hazardous Materials Safety Administration (PHMSA) seeks public input on the safety risks, operational challenges, and regulatory considerations associated with transporting hazardous materials (hazmat) using heavy-duty electric vehicles (EVs) compared to internal combustion engine (ICE) motor carriers (i.e., gas or diesel). PHMSA aims to understand what impact the transition from ICE to EV motor carriers may have on hazmat packaging integrity, transportation safety, emergency response protocols, regulatory compliance, and overall vehicle risk. PHMSA may use the information gathered to develop a statement of work for further research into the safety of transporting hazardous materials in EVs.”

Categorical Exclusion for Advanced Nuclear Reactors. Federal Register DOE categorical exception notice. Summary: “The U.S. Department of Energy (DOE or the Department) is establishing a categorical exclusion for authorization, siting, construction, operation, reauthorization, and decommissioning of advanced nuclear reactors for inclusion in its National Environmental Policy Act (NEPA) implementing procedures. DOE is including the categorical exclusion in the component of its NEPA implementing procedures that it maintains outside of the Code of Federal Regulations. The new categorical exclusion is based on the experience of DOE and other Federal agencies, current technologies, regulatory requirements, and accepted industry practice.”

Best Practices Webinar Series Presented by the National Center of Excellence for Liquefied Natural Gas Safety. Federal Register PHMSA webinar notice. Summary: “The National Center of Excellence for Liquefied Natural Gas Safety (National LNG Center) will host a series of informational webinars on best practices for LNG safety, titled “Prioritizing Safety: Best Practices in LNG.” The webinars are free, will be hosted virtually, and will require advance registration. The series will be held monthly using Zoom. Each webinar will be one hour in length and will be recorded. The National LNG Center will provide electronic access to all materials, including recordings, transcripts, and presentations, after conclusion of each webinar. The webinars will cover a different best practice each session.”

Clearance of Renewed Approval of Information Collection: Small Unmanned Aircraft Registration System. Federal Register FAA 30-day ICR renewal notice. Summary: “In accordance with the Paperwork Reduction Act of 1995, FAA invites public comments about our intention to request the Office of Management and Budget (OMB) approval to renew an information collection. The Federal Register Notice with a 60-day comment period soliciting comments on the following collection of information was published on September 23, 2025. The collection involves inputting minimal information into a database to register small, unmanned aircraft. Aircraft registration is necessary to ensure personal accountability among all users of the National Airspace System (NAS). Aircraft registration also allows the FAA and law enforcement agencies to address non-compliance by providing the means for identifying an aircraft's owner and operator. This collection also permits individuals to de-register or update their record in the registration database.”

EO 14377 - Addressing State and Local Failures to Rebuild Los Angeles After Wildfire Disasters. Federal Register.

EO 14378 - Continuance of the Federal Emergency Management Agency Review Council. Federal Register.

PHMSA Publishes 60-day Renewal Notice for 7 Hazmat ICRs

Yesterday DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (91 FR 4172-4178) for seven hazardous materials ICRs. According to the notice: “PHMSA has revised burden estimates, where appropriate, to reflect current reporting levels or adjustments based on changes in proposed or final rules published since the information collections were last approved.”

The seven ICRs include:

Inspection and Testing of Portable Tanks and Intermediate Bulk Containers (2137-0018),

Hazardous Materials Incident Reports (2137-0039),

Rail Carrier and Tank Car Tanks Requirements, Rail Tank Car Tanks—Transportation of Hazardous Materials by Rail (2137-0559),

Testing Requirements for Non-Bulk Packaging (2137-0572),

Hazardous Materials Public Sector Training and Planning Grants (2137-0586),

Cargo Tank Motor Vehicles in Liquefied Compressed Gas Service (2137-0595), and

Inspection and Testing of Meter Provers (2137-0620).

NOTE: The first link for each ICR is for the description of the collection in yesterday’s notice. The last link is to the currently approved ICR record.

The table below shows the burden estimate for both this renewal notice and the currently approved ICR.

 


There is no explanation for the large change in the burden estimates for 2137-0559 in yesterday’s notice. Comparing the detailed burden information in the notice with the Supporting Document that PHMSA provided to OIRA for the current ICR, there are six information collections missing from the notice:

• Hazardous Materials Train Consist Additional Information (Class I, II, III Railroads) - Section 174.26 (131,042 responses and 10,876 hrs),

• Notification of Hazardous Materials Accidents or Incidents - Class I, II, II Railroad - Section 174.26 (491 responses and 122.75 hrs),

• Creation of Test Records for Emergency System Notification Test (Class I, II, III) – Section (658 responses and 1438 hrs),

• Retention of Test Records for Emergency System Notification Test – Section 174.28(b) (758 responses and 63 hrs),

• Creation of Class III alternative emergency response information plan – Section (388 responses and 1,552 hrs), and

• Retention of Class III alternative emergency response information plan (Retention Only) – Section (388 responses and 32 hrs).

These may have been moved to a new ICR. We will be able to tell for sure when PHMSA submits the renewal request to OIRA after the 30-day ICR notice is published.

PHMSA is soliciting public comments on this ICR renewal. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2026-0199). Comments should be submitted by March 31st, 2026.

Review – Bills Introduced – 1-30-26

Yesterday, with just the Senate in Washington and the House meeting in pro forma session, there were 43 bills introduced. Two of the bills may receive additional coverage in this blog:

HR 7285 To amend the Homeland Security Act of 2002 to authorize the use of certain financial assistance for vehicle security enhancement upgrades, and for other purposes. Gonzales, Tony [Rep.-R-TX-23] 

HR 7294 To study the impacts of artificial intelligence technology with respect to the security of telecommunications networks, and for other purposes. Menendez, Robert [Rep.-D-NJ-8] 

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

HR 7273 NASA Reauthorization Act of 2026.  Babin, Brian [Rep.-R-TX-36]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-30-26 - subscription required.

Review – Public ICS Disclosures – Week of 1-24-26 – Part 1

This is a moderately busy disclosure week. We have bulk vendor disclosures from Broadcom (48). There are also 14 other vendor disclosures from B&R (2), Beckhoff (2), Dell, Dassault Systems (2), Hanwha Vision, Hitachi, Hitachi Energy (3), HPE, and Siemens.

Bulk Vendor Disclosures – Broadcom

Nessus detected vulnerability in the Brocade OVA base image (CVE-2025-21991),

The DisableForwarding directive does not fully adhere to the intended functionality as documented (CVE-2025-32728),

Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service,

Curl vulnerabilities detected in SANnav images (CVE-2025-4947, CVE-2025-5025),

DoS due to improper input validation vulnerability in Apache Tomcat - CVE-2024-24549,

Spring Framework DoS (CVE-2024-38808, CVE-2024-38809 and CVE-2024-22262),

Oracle Java SE Updates (July 2025),

Multiple Vulnerabilities in Node.js (Wednesday, May 14, 2025 Security Releases). Nessus Plugin ID 236766,

Low-level invalid GF(2^m) parameters lead to OOB memory access,

Multiple Vulnerabilities in Apache Kafka,

Postgres vulnerabilities (CVE-2025-8713, CVE-2025-8714, CVE-2025-8715),

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 (CVE-2024-7264),

PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation,

Vulnerability in OpenSSH when the VerifyHostKeyDNS option is enabled (CVE-2025-26465),

Rocky Linux Updates applied to SANnav (CVE-2024-3661, CVE-2024-11187, CVE-2024-12797),

A malicious rsh server can overwrite arbitrary files in a directory on the rcp client machine,

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak,

Multiple Linux Security Updates applied to Brocade Fabric OS 10.0,

The x509 application adds trusted use instead of rejected use,

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time,

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64,

In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c,

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses,

GNU tar mishandled extension attributes in a PAX archive,

This flaw allows a malicious HTTP server to set "super cookies" in curl,

Glib GVariant deserialization fails to validate input,

A heap out-of-bounds read flaw was found in builtin.c in the gawk package,

Scan discovered multiple CVEs against glibc,

Null pointer dereference found in openldap,

A denial of service vulnerability exists in curl,

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0,

use-after-free and memory corruption,

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol that may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation,

The allocate_structures function insufficiently checks bounds before arithmetic multiplication,

Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem,

Brocade SANnav DataBase password in plain text is logged in failover logs (CVE-2025-12680),

Plaintext Switch admin login password is seen in Brocade SANnav support save (CVE-2025-12772),

Plain password is logged in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a (CVE-2025-12773),

SQL queries with sensitive information printed in logs with Brocade SANnav before 3.0 (CVE-2025-12774),

Information disclosure in Brocade Fabric OS before 9.2.1c2, 9.2.2 through 9.2.2a and 10.0.0 (CVE-2026-0383),

Privilege escalation in Brocade Fabric OS before 9.2.1c3, and 9.2.2 through 9.2.2b (CVE-2025-9711),

Directory traversal vulnerability in Brocade Fabric OS before 9.2.1 using grep command (CVE-2025-58380),

Plain text pbe key visible in audit log during Brocade SANnav migration from 2.4.0a to 3.0.0 (CVE-2025-12679),

Directory traversal vulnerability in Brocade Fabric OS before 9.2.1c2 and 9.2.2 through 9.2.2a using various shell commands (CVE-2025-58381),

Password Exposure in Brocade Fabric OS before 9.2.1 (CVE-2025-58379),

Privilege escalation in Brocade Fabric before 9.2.1c2 and 9.2.2 through 9.2.2a (CVE-2025-58382),

Privilege escalation via bind command in Brocade Fabric OS (CVE-2025-58383),

Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf (CVE-2025-12543).

Advisories

B&R Advisory #1 - B&R published an advisory that discusses the PixieFail vulnerabilities.

B&R Advisory #2 - B&R published an advisory that describes an insertion of sensitive information into log file vulnerability.

Beckhoff Advisory #1 - CERT-VDE published an advisory that describes three vulnerabilities in the Beckhoff Device Manager.

Beckhoff Advisory #2 - CERT-VDE published an advisory that describes a cross-site scripting vulnerability in the Beckhoff TwinCAT 3 HMI Server.

Dell Advisory - Dell published an advisory that discusses an improper handling of length parameter inconsistency vulnerability (with publicly available exploits) in their Wyse Management Suite.

Dassault Advisory #1 - Dassault published an advisory that describes a heap-based buffer overflow vulnerability in SOLIDWORKS eDrawings.

Dassault Advisory #2 - Dassault published an advisory that describes an out-of-bounds write vulnerability in their SOLIDWORKS eDrawings.

Hanwha Advisory - Hanwha published an advisory that describes five vulnerabilities in multiple Wisenet cameras from Hanwha.

Hitachi Advisory - Hitachi published an advisory that discusses two allocation of resources without limits or throttling vulnerabilities in their Cosminexus Component Container.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses the BlastRadius-Fail vulnerability in their FOX61x products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses the BlastRadius-Fail vulnerability in their XMC20 products.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that describes the use of default credentials vulnerability in their SuprOS products.

HPE Advisory - HPE published an advisory that describes three vulnerabilities in their Aruba Fabric Composer product.

Siemens Advisory - Siemens published an advisory that discusses 51 vulnerabilities in their SINEC OS based products.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-2c6 - subscription required.

Friday, January 30, 2026

Review – Bills Introduced – 1-29-26

Yesterday, with just the Senate in Washington, there were 36 bills introduced. One of those bills may receive additional coverage in this blog:

S 3741 A bill to require the Secretary of Commerce to promulgate regulations to improve nucleic acid synthesis security, and for other purposes. Cotton, Tom [Sen.-R-AR] 

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-29-26 - subscription required.

HR 7148 Fails Cloture Vote – Last FY 2026 Minibus

Yesterday the Senate continued their efforts to pass HR 7148, the Consolidated Appropriations Act, 2026. The Senate voted on the first cloture vote “to proceed to consideration of H.R. 7148”, the first of potentially three such votes before the bill would actually be voted upon. That vote, as many people expected, failed by a vote of 45 to 55. All of the Democrats voted Nay, as did eight Republicans; Thune changed his vote to Nay when the original vote failed, as a procedural move.

The Democrats, including Sen Fetterman (D,OH), who had earlier vowed to vote for the bill, voted Nay, expressing their concerns about recent immigration related actions in Minnesota. The seven Republicans opposed the bill on entirely separate, fiscally related grounds. It is not clear that they would have voted against the bill if ten Democrats had voted for the bill, allowing for the 60 votes necessary for passage of the bill.

It appears that a deal has been worked out to approve five of the six spending bills included in HR 7148 and to provide a two-week continuing resolution for the DHS portion of the bill. That would allow the Senate and House to iron out ICE/CBP reform language to be included in the final DHS spending bill.

One last roadblock was thrown up last night. Sen Graham (R,SC) vowed to block unanimous consent to bypass the remaining cloture votes (essentially shutting down consideration in the Senate) over a provision the House included in the bill to disallow Senators from suing DOJ over their wiretaps on Senators’ phones. A deal is still being worked out to overcome that problem. A reconsideration vote for that cloture motion is scheduled for 11:00 am EDT.

If the Senate approves an amended version of HR 7148 today, the government will still technically shut down at midnight since the House is not expected to take up that version of the bill until Monday. While the President has signaled his support for the change, it is not yet clear that the revised bill can pass in the House.