Sunday, February 22, 2026

Review – Public ICS Disclosures – Week of 2-14-26 – Part 2

For Part 2 we have another set of bulk vendor disclosures from Splunk (11). We have three additional vendor disclosures from Broadcom and Supermicro (2). There are six vendor updates from Broadcom (2), HP (2), and HPE (2). There is also a researcher report for vulnerabilities in products from OpenCFD. Finally, we have two exploits for products from FortiGuard and Splunk.

Bulk Vendor Disclosures – Splunk

Third-Party Package Updates in Splunk DB Connect - February 2026,

Third-Party Package Updates in Splunk Enterprise - February 2026,

Third-Party Package Updates in Splunk Universal Forwarder - February 2026,

Sensitive Information Disclosure in "_internal" index in Splunk Enterprise,

Local Privilege Escalation in Splunk Enterprise for Windows through Python Module Search Path,

Sensitive Information Disclosure in "_internal" index in Splunk Enterprise,

Improper Access Control in Splunk Monitoring Console App,

Local Privilege Escalation (LPE) in Splunk Enterprise for Windows through DLL Search‑Order Hijacking,

Client-Side Denial of Service (DoS) through "/splunkd/raw/services/authentication/users/username" REST API endpoint in Splunk Enterprise,

Sensitive Information Disclosure in "_internal" index in Splunk Enterprise,

Risky Commands Safeguards Bypass through preloaded Data Models due to Path Traversal vulnerability in Splunk Enterprise,

Advisories

Broadcom Advisory - Broadcom published an advisory that discusses an improper use of invalid use of special elements vulnerability in Brocade ASC-Gateway OVA.

Supermicro Advisory #1 - Supermicro published an advisory that discusses 19 vulnerabilities in multiple Supermicro products.

Supermicro Advisory #2 - Supermicro published an advisory that discusses the end-of-life Microsoft Secure Boot CA 2011 that affects multiple Supermicro products.

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade ASCG advisory that was originally published on January 7th, 2025, and most recently updated on January 27th, 2026.

Broadcom Update #2 - Broadcom published an update for their Brocade SANnav advisory that was originally published on October 14th, 2024, and most recently updated on July 8th, 2025.

HP Update #1 - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on September 25th, 2025, and most recently updated on December 11th, 2025.

HP Update #2 - HP published an update for their Intel Graphics Software advisory that was originally published on November 11th, 2025.

HPE Update #1 - HPE published an update for their StoreEasy Servers advisory that was originally published on February 11th, 2026.

HPE Update #2 - HPE published an update for their ProLiant AMD DL/XL Servers advisory that was originally published on February 10th, 2026.

Researcher Reports

OpenCFD Report - Cisco Talos published a report that describes a code injection vulnerability in the OpenCFD OpenFOAM simulation file.

Exploits

FortiGuard Exploit - Indoushka published an exploit for an exposure of sensitive information to an unauthorized actor vulnerability in the FortiGuard FortiOS.

Splunk Exploit - Indoushka published an exploit for a code injection vulnerability in the Splunk Enterprise product.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-8f7 - subscription required.

Saturday, February 21, 2026

Chemical Incident Reporting – Week of 2-14-26

NOTE: See here for series background.


Janesville, WI – 2-12-26

Local News Report: Here, here, here, and here.

There was a steam explosion at a food processing facility. Two people were transported to a hospital with burns; one was sent onward to a burn unit. No reports yet on the amount of damages at the facility.

CSB reportable.

Arlington, VT – 2-15-26

Local News Report: Here, here, here, and here.

There was a fuel tanker rollover accident with a release of fuel into a local stream. Responders dammed the stream so that the spilled fuel could be recovered. The driver received minor injuries.

Not CSB reportable; this was a transportation-related incident.

Fairfield, OH – 2-17-26

Local News Report: Here, here, here, and here.

There was an explosion and fire at a food treatment facility. One worker was killed and two were transported to local hospitals. No reports yet on the amount of damages at the facility.

CSB reportable.

Toledo, OH – 2-20-26

Local News Report: Here, here, here, and here.

There was an anhydrous ammonia leak from a refrigeration system at a food processing facility. The facility was evacuated and a shelter-in-place order was put in place for the surrounding area. No injuries or damages were reported.

Not CSB reportable.

Review – Bills Introduced – 2-20-26

Yesterday, with the House meeting in pro forma session, there were 41 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7625 To direct the Comptroller General of the United States to conduct a review of the budget, resources, and capabilities of the Coast Guard as the co-Sector Risk Management Agency for the marine transportation system. McDowell, Addison P. [Rep.-R-NC-6]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing about a bill that would provide individuals tax credits for the recently vacated presidential tariffs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-20-26 - subscription required.

Review – Public ICS Disclosures – Week of 2-14-26 – Part 1

This was a moderately busy disclosure week. For Part 1 we have bulk vendor disclosures from HPE (6). We have 12 additional vendor disclosures from Arista, Broadcom (2), B&R Automation, Dassault Systems (4), Hitachi, HP, Philips, and Sick.

Bulk Vendor Disclosures – HPE

HPESBHF04864 rev.1 - Certain HPE SimpliVity Servers Using Certain Intel Processors, INTEL-SA-01244, 2025.2 IPU, Intel Processor Advisory, Local Denial of Service Vulnerability,

HPESBNW04983 rev.1 - HPE Telco Service Orchestrator software, Prototype Pollution Vulnerability,

HPESBHF04967 rev.1 - Certain HPE SimpliVity Servers Using Certain Intel Processor BIOS, INTEL-SA-01234, 2025.3 IPU, UEFI Reference Firmware Advisory., Multiple Vulnerabilities,

HPESBNW05011 rev.1 - Telco Service Activator, Improper Input Validation,

HPESBNW05012 rev.1 - Local Privilege Escalation Vulnerability in HPE Aruba Networking ClearPass Policy Manager (CPPM) OnGuard Software for Linux,

HPESBNW04998 rev.1 - Prototype Pollution Vulnerability in HPE Telco Network Function Virtualization Orchestrator

Advisories

Arista Advisory - Arista published an advisory that describes an operation on a resource after expiration or release vulnerability on multiple platforms running their EOS software.

Broadcom Advisory #1 - Broadcom published an advisory that discusses an improper neutralization of a NULL byte or NUL character vulnerability in their Brocade SANnav base OS.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an out-of-bounds write vulnerability in their Brocade SANnav OVA products.

B&R Advisory - B&R published an advisory that discusses 25 vulnerabilities in their Automation Studio product.

Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIAvpm Web Access product.

Dassault Advisory #2 - Dassault published an advisory that describes an out-of-bounds write vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Dassault Advisory #3 - Dassault published an advisory that describes an out-of-bounds read vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Dassault Advisory #4 - Dassault published an advisory that describes a use of uninitialized variable in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Hitachi Advisory - Hitachi published an advisory that discusses 72 vulnerabilities in their Disk Array Systems. These are third-party (Microsoft) vulnerabilities.

HP Advisory - HP published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Samsung MultiXpress Multifunction Printers.

Philips Advisory - Philips published an advisory that discusses a Google Chrome use after free vulnerability.

Sick Advisory - Sick published an advisory that discusses two Eclipse Cyclone DDS vulnerabilities.

 

For more information on these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-fb5 - subscription required.

Friday, February 20, 2026

Chemical Transportation Incidents – Week of 1-17-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

NOTE: PHMSA resumed making their database publicly searchable on February 17th, 2026.

Incidents Summary

• Number of incidents – 387 (349 highway, 36 air, 1 rail, 1 water)

• Serious incidents – 2 (0 Bulk release, 1 evacuation, 1 injury, 0 death, 0 major artery closed, 3 fire/explosion, 42 no release)

• Largest container involved – 4,378-gcf DOT 112J340W Railcar {Liquefied Petroleum Gas} Undescribed leak.

• Largest amount spilled – 55-gal Plastic Drum {Corrosive Liquids, N.O.S.} Other container fell on plastic drum.

• Total amount reported spilled in all incidents – 676.2-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Heptanes - Clear colorless liquids with a petroleum-like odor. Flash point 25°F. Less dense than water and insoluble in water. Vapors heavier than air. (Source: CameoChemicals.NOAA.gov).

 



Short Takes – 2-20-26 – Federal Register Edition

Notice of Request for Extension of Approval of an Information Collection; Emergency Management Response System. Federal Register USDA/APHIS 60-day IUCR renewal – Summary: “When a potential foreign animal disease incident is reported, APHIS or State animal health officials dispatch a foreign animal disease veterinary diagnostician to the premises of the reported incident to conduct an investigation. The diagnostician obtains vital epidemiological data by conducting field investigations, including sample collection, and by interviewing the owner or manager of the premises being investigated. These important data, submitted electronically by the diagnostician into EMRS, include such items as the purpose of the diagnostician's visit and suspected disease, type of operation on the premises, the number and type of animals on the premises, the number of sick or dead animals on the premises, the results of physical examinations of affected animals and necropsy examinations, vaccination information on the animals in the herd or flock, biosecurity practices at the site, whether any animals were recently moved out of the herd or flock, whether any new animals were recently introduced into the herd or flock, the number and kinds of test samples taken, and detailed geographic data concerning the premises location.”

Pipeline Safety: Incident Notifications to the National Response Center. Federal Register PHMSA issuance of advisory bulletin. Summary: “PHMSA is issuing this advisory bulletin to remind operators of gas pipelines, underground natural gas storage (UNGS) facilities, and liquefied natural gas (LNG) facilities of their obligation to report incidents in accordance with PHMSA's incident reporting requirements. This advisory bulletin addresses a safety recommendation [link added] that the National Transportation Safety Board (NTSB) issued to PHMSA in response to a fatal incident that occurred on a gas distribution system in February 2018.”

Notice of Availability of the Final Tiered Environmental Assessment and Finding of No Significant Impact/Record of Decision for Updates to Airspace Closures for Additional Launch Trajectories and Starship Boca Chica Landings of the SpaceX Starship-Super Heavy Vehicle at the SpaceX Boca Chica Launch Site in Cameron County, Texas. Federal Register FAA notice of availability. Summary: “In accordance with the National Environmental Policy Act of 1969, as amended (NEPA) and FAA Order 1050.1G, FAA National Environmental Policy Act Implementing Procedures, the FAA is announcing the availability of the Final Tiered Environmental Assessment and Finding of No Significant Impact/Record of Decision for Updates to Airspace Closures for Additional Launch Trajectories and Starship Boca Chica Landings of the SpaceX Starship-Super Heavy Vehicle at the SpaceX Boca Chica Launch Site in Cameron County, Texas (Final Tiered EA and FONSI/ROD).”

Extension of Postponement of Effectiveness for Certain Provisions of Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA extension of postponement of effectiveness. Summary: “The Environmental Protection Agency (EPA or Agency) is extending the postponement of the effectiveness of certain regulatory provisions of the final rule entitled “Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA)” for an additional 90 days. Specifically, this postponement applies to the conditions imposed on the uses with TSCA section 6(g) exemptions.”

OMB Declines Generic CDC Traveler Screening ICR Approval

 Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had disapproved an information collection request (ICR) from the Centers for Disease Control (CDC) on “[NCZEID] Traveler Risk Assessment and Management Activities During Disease Outbreaks”. The 60-day ICR notice was published on June 16th, 2025. The 30-day ICR notice was published on October 2nd, 2025.

According to the discussion in the 60-day ICR notice:

“Disease outbreaks do not occur at regular intervals, which makes it difficult to estimate how often information collection will be necessary. The purpose of this Generic ICR is to aid in CDC's responsibility to ensure the successful implementation of traveler management in an efficient and timely manner. DGMH intends use this Generic ICR in the event of a disease outbreak that would necessitate the public health assessment and/or monitoring of travelers arriving in the U.S. Although it is possible to anticipate some broad categories of information that would need to be collected, (e.g., potential exposures, symptoms, contact information, etc.), each response is unique and requires flexibility in terms of the specific information collection tool in each instance. Data collection instruments and methods must be rapidly created and implemented to direct appropriate public health action. Often specific questions will change, or new questions will evolve with each disease outbreak.”

In disapproving the proposed generic ICR, OIRA explained:

“Generics are generally voluntary, low-burden (based on a consideration of total burden, total respondents, or burden per respondent), and uncontroversial, thus the collections proposed do not seem appropriate for a generic clearance. CDC is welcome to continue to seek emergency clearance as needed during disease outbreaks.”


I suspect that the disapproval of this ICR is more a response to the problems associated with the management of the COVID epidemic than a purely ICR program management decision. While the COVID response should inform a more effective response to the next pandemic, this programmatic response from OIRA rejects that intent.
 