Friday, July 17, 2026

CISA Adds 2 FortiGuard Vulnerabilities to KEV Catalog – 7-16-26

Yesterday, CISA announced that it had added two OS command injection vulnerabilities in the FortiGuard FortiSandbox product to the Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2026-25089 – This vulnerability was previously reported by FortiGuard in June. FortiGuard has new versions that mitigate the vulnerability. 

CVE-2026-39808 – This vulnerability was previously reported by FortiGuard in April. FortiGuard has a new version that mitigates the vulnerability. The vulnerability was originally reported by Samuel de Lucas Maroto from KPMG Spain. Proof-of-concept code was published by Samu DeLucas on April 15th, 2026. 

CISA has directed federal agencies using the FortiSandbox product to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. A compliance deadline of July 19th, 2026 has been established. 

Chemical Transportation Incidents – Week of 6-13-26

Reporting Background 

See this post for explanation, with the most recent update here (removed from paywall). 

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency. 

Incidents Summary  

• Number of incidents – 559 (515 highway, 42 air, 2 rail, 0 water) 

• Serious incidents – 6 (5 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 2 fire/explosion, 58 no release)  

• Largest container involved – 24,387-gal DOT 117J100W Railcar {Gasoline Includes Gasoline Mixed with Ethyl Alcohol, with Not More Than 10% AlcoholManway bolt not tool tight. 

• Largest amount spilled – 21,250-gal DOT 111A100W1 Railcar {Elevated Temperature Liquid, N.O.S., At or Above 100 C And Below Its Flash Point (Including Molten Metals, Molten Salts, Etc.)} Derailment during switching operations punctured tank. 

• Total amount reported spilled in all incidents – 3305.7-gal 

NOTE: Links above are to Form 5800.1 for the incident described. 

Most Interesting Chemical: Potassium Permanganate: A purplish colored crystalline solid. Noncombustible but accelerates the burning of combustible material. If the combustible material is finely divided the mixture may be explosive. Contact with liquid combustible materials may result in spontaneous ignition. Contact with sulfuric acid may cause fire or explosion. Used to make other chemicals and as a disinfectant. (Source: CameoChemicals.NOAA.gov).  



Short Takes – 7-17-26 - Federal Register Edition

Regulatory Relief for Certain Stationary Sources To Promote American Chemical Manufacturing Security. Presidential Proclamation  

Pipeline Safety: Joint Meeting of the Gas and Liquid Pipeline Advisory Committees. PHMSA meeting notice. Summary: “This notice announces a joint public meeting of the Technical Pipeline Safety Standards Committee, also known as the Gas Pipeline Advisory Committee (GPAC), and the Technical Hazardous Liquid Pipeline Safety Standards Committee, also known as the Liquid Pipeline Advisory Committee (LPAC). The meeting will be held virtually to discuss 13 notices of proposed rulemaking (NPRMs) covering topics such as special permit conditions, in-plant piping, incidental gathering lines, coating damage assessments, atmospheric corrosion, class change pressure tests, maximum allowable operating pressure (MAOP) reconfirmation, operator identification notifications, limitations on welding operators, remote monitoring valves, property damage definition, right-of-way patrols, and reporting deadlines. 

Release of Draft Integrated Science Assessment To Support the Review of the Primary National Ambient Air Quality Standards for Oxides of Nitrogen. EPA notice of availability. Summary: “The U.S. Environmental Protection Agency (EPA) is making available for public review the draft document titled, Integrated Science Assessment for Oxides of Nitrogen—Health Criteria, External Review Draft (“draft ISA”). This document was prepared as part of the current review of the primary (health-based) national ambient air quality standards (NAAQS) for oxides of nitrogen. The draft ISA will be available on or about July 15, 2026. 

OMB Approves FCC Part 15 Devices in Space NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking from the Federal Communications Commission (FCC) on “Operation of Part 15 Devices in Space (ET Docket 25-XXX)”. The NPRM was submitted to OIRA on June 11th, 2026. 

According to the 2026 Unified Agenda entry for this rulemaking 

“As space launches and satellite deployment continue to increase, companies with space-based operations are increasingly looking to expand capacity, reduce cost, and increase the utility of their operations.  The increase in space launches, coupled with the growing diversity of non-satellite spacecraft, has resulted in a growing need to support communication in space and between Earth and space. To meet this growing need, the Commission begins this proceeding to explore unlicensed device use in space.” 

The ‘Part 15’ references electronic transmission devices covered under 47 CFR Part 15, devices that “may be operated without an individual license.” {§15.1(a)} 

I do not expect to cover this NPRM in any detail, but as part of my limited Space Geek coverage, I will at least include notification of the publication in the appropriate Short Takes post. 

Thursday, July 16, 2026

Review – 9 Advisories Published – 7-16-23

Today CISA’s NCCIC-ICS published nine control system security advisories for products from Rockwell Automation (5), SALTO, Siemens, AutomationDirect, and NASA. I also look at eight other new advisories published by Siemens this week. 

Advisories  

Rockwell Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Rockwell FactoryTalk DataMosaix. 

Rockwell Advisory #2 - This advisory describes a double free vulnerability in the Rockwell Flex 5000 Adapter. 

Rockwell Advisory #3 - This advisory describes three vulnerabilities in multiple Rockwell product lines. 

Rockwell Advisory #4 - This advisory describes an improper validation of integrity check value vulnerability in the Rockwell 1756-EN2, 1756-EN3, and 1756-ENBT products. 

Rockwell Advisory #5 - This advisory describes four vulnerabilities in the Rockwell Arena product. 

SALTO Advisory - This advisory describes an authorization bypass through user-controlled key vulnerability in the SALTO ProAccess Space product. 

Siemens Advisory - This advisory describes four vulnerabilities in the Siemens SICAM 8 product line. 

AutomationDirect Advisory - This advisory describes six vulnerabilities in the AutomationDirect Productivity Suite. 

NASA Advisory  This advisory describes a NULL pointer dereference vulnerability in the NASA Core Flight System (cFS) Health & Safety (HS) Application. 


For more information on these advisories, as well as a listing of eight other Siemens advisories published this week, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/9-advisories-published-7-16-23 - subscription required. 

 
/* Use this with templates/template-twocol.html */