Short Takes – 2-14-26 – Federal Register Edition

Notice of Intent To Grant an Exclusive, Co-Exclusive or Partially Exclusive Patent License. Federal Register NASA notice of intent to grant patent license. Summary: “NASA intends to grant an exclusive, co-exclusive, or partially exclusive patent license in the United States to practice the inventions described and claimed in: U.S. Patent Nos. 8,593,153 entitled “Method of Fault Detection and Rerouting,” issued on November 26, 2013, and 8,810,255 entitled “In-Situ Wire Damage Detection System,” issued on August 19, 2014, to Sun City Smart Technology Solutions, Inc., having its principal place of business in El Paso, Texas. The fields of use may be limited. NASA has not yet made a final determination to grant the requested license and may deny the requested license even if no objections are submitted within the comment period.”

Notice Hazardous Materials: Notice of Actions on Special Permits. Federal Register notice of actions on special permit applications. Summary: “In accordance with the procedures governing the application for, and the processing of, special permits from the Department of Transportation's Hazardous Material Regulations, notice is hereby given that the Office of Hazardous Materials Safety has granted or denied the application described herein.”

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Rulemaking; Town Hall Meetings. Federal Register CISA meeting notice. Summary: “This notice announces town hall meetings to allow external stakeholders a limited additional opportunity to provide input on refining the scope and burden of the CIRCIA Notice of Proposed Rulemaking (NPRM) issued in the Federal Register on April 4, 2024. The proposed CIRCIA rulemaking seeks to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, as amended, by implementing covered cyber incident and ransom payment reporting requirements for covered entities.”

EO 14386 - Strengthening United States National Defense With America's Beautiful Clean Coal Power Generation Fleet. Federal Register.

Chemical Incident Reporting – Week of 2-7-26

NOTE: See here for series background.

HOCKLEY, TX– 2-7-26

Local News Report: Here and here.

There was a release of methyl mercaptan fumes from a rail car cleaning facility that caused the evacuation of a nearby school. Two students were transported to a local hospital but they treated and released. There were no physical damages related to this incident.

Not CSB reportable.

Methyl mercaptan is the chemical added in very low concentrations to natural gas and propane as an odorant to aid in detection of gas leaks of those two chemicals. VERY low concentrations in the air produce a detectable and objectionable odor.

I would like to suggest that CSB update their accidental release reporting regulations to add any release that results in the evacuation of a school or medical facility should be a reportable incident under those regulations.

Santa Rosa Beach, FL – 2-11-26

Local News Report: Here, here, and here.

There was an unidentified chemical spill from an unknown vehicle on a public road that released visible fumes. The roadway was blocked and hazmat crews cleaned up the spill. No injuries were reported.

Not CSB reportable, this was a transportation related incident.

This article raised an interesting list of questions about the response to this incident.

Midwest City, OK – 2-12-26

Local News Report: Here and here.

There was a cleaning chemical mixing incident at a food processing facility that resulted in the release of chlorine gas. The 50-gallon drum where the mixing took place was capped and the building was aired out. No injuries were reported and there were no damages related to the incident.

Not CSB reportable.

FCC Sends Satellite Broadband NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the Federal Communications Commission (FCC) on “Modernizing Spectrum Sharing for Satellite Broadband (SB Docket No. 25-157 [link added])”. This rulemaking was not listed in the Spring 2025 Unified Agenda. 

SB Docket 25-157 was opened on April 7^th, 2025. The FCC published a notice of proposed rulemaking for that docket on April 29^th, 2025. It is not clear what relationship exists between that NPRM and the one announced by OIRA yesterday.

I am posting this as part of my limited Space Geek coverage, and do not expect to cover this rulemaking in any detail beyond announcements of OIRA actions and mentions in the appropriate Short Takes posts for Federal Register notices.

Review – Public ICS Disclosures – Week of 2-7-26 – Part 1

This is a relatively busy disclosure week for the week of Cyber Tuesday. We have 43 bulk vendor disclosures from FortiGuard (6), Hitachi (8), HP (8), HPE (14), QNAP (7). We also have 10 bulk updates from Siemens (10). There are also seven other vendor disclosures from Bosch, Meinberg, Pheonix Contact, Schneider (2), and Siemens (2).

Bulk Disclosures – FortiGuard

• Firewall policy bypass in FSSO Terminal Services Agent,

• Format String Vulnerability in CAPWAP fast-failover mode,

• LDAP authentication bypass in Agentless VPN and FSSO,

• Request smuggling attack in FortiOS GUI,

• SSL-VPN Symlink Persistence Patch Bypass, and

• XSS via back button.

Bulk Disclosures – Hitachi

• Multiple Vulnerabilities in Cosminexus HTTP Server,

• Vulnerability in Cosminexus HTTP Server,

• Vulnerability in Cosminexus HTTP Server and Hitachi Web Server,

• Multiple Vulnerabilities in Cosminexus HTTP Server and Hitachi Web Server,

• Multiple Vulnerabilities in Cosminexus,

• Multiple Vulnerabilities in JP1,

• Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center, and

• Multiple Vulnerabilities in Hitachi Command Suite products

Bulk Disclosures – HP

• HP App – Potential Cross-Site Scripting,

• AMD Graphics Driver February 2026 Security Update,

• AMD Processors February 2026 Security Update,

• Certain HP OfficeJet Pro Printers – Denial of Service,

• Intel Chipset Firmware February 2026 Security Update,

• Intel Processor Firmware February 2026 Security Update,

• Certain HP OfficeJet Pro Printers - Information Disclosure, and

• Intel Graphics Software February 2026 Security Update.

Bulk Disclosures – HPE

• Certain HPE ProLiant Servers Using Certain Intel Processor BIOS, INTEL-SA-01406, Intel Quick Assist Technology (Intel QAT) Advisory, Multiple vulnerabilities,

• Certain HPE SimpliVity Servers Using Certain Intel Processors, INTEL-SA-01313, 2025.3 IPU, Intel Xeon Processor Firmware Advisory, Multiple Vulnerabilities,

• Certain HPE SimpliVity Servers Using Certain Intel Processors, INTEL-SA-01280, 2025.3 IPU, Intel Chipset Firmware Advisory, Multiple Vulnerabilities,

• Certain HPE SimpliVity Servers Using Certain Intel Processors, INTEL-SA-01312, Intel TDX Module Advisory, Multiple Vulnerabilities,

• Certain HPE StoreEasy Servers Using Certain Intel Processors, INTEL-SA-01396, 2026.1 IPU, Intel Processor Firmware Advisory, Local Escalation of Privilege Vulnerability,

• Certain HPE ProLiant DL/ML/XD, Synergy, Edgeline and Alletra Servers Using Certain Intel Processors, INTEL-SA-01314, 2025.4 IPU, Intel TDX Module Advisory, Local Escalation of Privilege Vulnerability,

• Certain HPE ProLiant DL/ML/XD, Synergy, Edgeline, and Alletra Servers Using Certain Intel • Processors, INTEL-SA-01397, 2026.1 IPU, Intel Trust Domain Extensions (Intel TDX) module Advisory, Multiple Vulnerabilities,

• Certain HPE ProLiant DL/ML/XD, Synergy, and Alletra Servers Using Certain Intel Processors, INTEL-SA-01401, UPLR1 - Intel Server Firmware Advisory, Local Denial of Service Vulnerability,

• HPE Aruba Networking EdgeConnect SD-WAN Orchestrator, Multiple Vulnerabilities,

• Certain HPE ProLiant AMD DL/XL Servers Using Certain AMD EPYC Processors, AMD-SB-3023:AMD Server Vulnerabilities, Multiple Vulnerabilities,

• HPE Intel E810 Series Ethernet Controllers, INTEL-SA-01171, Intel Ethernet Adapters 800 Series Advisory, Denial of Service Vulnerability,

• Certain HPE StoreEasy Servers Using Certain Intel Processors, INTEL-SA-01314, 2025.4 IPU, Intel TDX Module Advisory, Local Escalation of Privilege Vulnerability,

• Certain HPE StoreEasy Servers Using Certain Intel Processors, INTEL-SA-01397, 2026.1 IPU, Intel Trust Domain Extensions (Intel TDX) module Advisory, Multiple Vulnerabilities, and

• Multiple Vulnerabilities in HPE Aruba Networking Private 5G Core.

Bulk Disclosures – QNAP

• Multiple Vulnerabilities in Media Streaming add-on,

• Multiple Vulnerabilities in Qsync Central,

• Multiple Vulnerabilities in File Station 5,

• Vulnerabilities in Apache,

• Multiple Vulnerabilities in QTS and QuTS hero, 

• Multiple Vulnerabilities in QuTS hero, and

• Vulnerabilities in Samba.

Bulk Updates – Siemens

• Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.1,

• Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.2,

• Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices,

• Denial-of-Service Vulnerability in ET 200 Devices,

• Multiple Vulnerabilities in SiPass integrated,

• Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices,

• DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery,

• Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1,

• Vulnerabilities in EFI variable of SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs, and

• Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5.

Advisories

Bosch Advisory - Bosch published an advisory that describes four deserialization of untrusted data vulnerabilities in their Rexroth IndraWorks product.

Meinberg Advisory - Meinberg published an advisory that discusses 21 vulnerabilities in their LANTIME product.

Pheonix Contact Advisory - Pheonix Contact published an advisory that discusses an improperly controlled sequential memory allocation vulnerability in their mGuard products.

Schneider Advisory #1 - Schneider published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their SCADAPack and Remote Connect products.

Schneider Advisory #2 - Schneider published an advisory that describes two vulnerabilities in their EcoStruxureTM Building Operation Workstation and EcoStruxureTM Building Operation Webstation products.

Siemens Advisory #1 - Siemens published an advisory that describes six vulnerabilities in their Simcenter Femap and Nastran products.

Siemens Advisory #2 - Siemens published a bulletin that describes an absence of anti-tamper protections and modern exploit mitigation controls in the SIPORT Desktop Client Application.

 

For more information on these disclosures, including links to 3^rd party advisories, and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-fdd - subscription required.

Review – Bills Introduced – 2-13-26

Yesterday, with both the House and Senate in Washington (and preparing to go on a 1 week period of working from home), there were 99 bills introduced. Two of those bills will receive additional coverage here.

HR 7525 To authorize counter-unmanned aircraft system authorities for State, local, territorial, and tribal law enforcement, and for other purposes. Burlison, Eric [Rep.-R-MO-7]

HR 7552 To amend the Chemical and Biological Weapons Control and Warfare Elimination Act of 1991 to impose sanctions on foreign countries in response to acts concerning chemical or biological programs that cause injury to other foreign countries, and for other purposes. Moore, Barry [Rep.-R-AL-1]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-13-26 - subscription required.

Chemical Transportation Incidents – Week of 1-10-26

It has now been two months since DOT’s Pipeline and Hazardous Materials Safety Administration had posted the following notice on its Incident Statistics web page:

HazmatIncidentReportSearchTool
The ability to download pdf copies of incident filings or download complete datasets of the search results has been temporarily disabled. If you need pdf copies of incidents or relevant search criteria, please email relevant incident numbers to HMRequests@dot.gov.

This appears to have gone completely beyond any possibility of technical problems with the database. It looks like it is part and parcel of the attempts of the current administration’s ongoing efforts to reduce public access to information collected by the federal government.

The information in this database is safety information that should be readily available (and ‘readily’ specifically means searchable) to the public. PHMSA needs to restore public access to this information.

OMB Approves CISA CVD Program ICR – 2-12-26

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a new information collection request (ICR) from CISA on “CISA Coordinated Vulnerability Disclosure (CVD) Platform”. The 60-day ICR notice was published on October 30^th, 2024. The 30-day ICR notice was published on August 20^th, 2025.

The Supporting Document CISA submitted to OIRA as part of this ICR approval process noted that:

“CISA is also authorized to carry out these Coordinated Vulnerability Disclosure (CVD) functions by 6 U.S.C. 659(n) on Coordinated Vulnerability Disclosure, which authorizes CISA to in coordination with industry and other stakeholders, may develop and adhere to DHS policies and procedures for coordinating vulnerability disclosures.”

It also notes that:

“The intent of this form is to allow the public to provide information for exploited vulnerabilities that are not in the CISA Coordinated Vulnerability Disclosure (CVD) system. The submitted information will be evaluated by CISA and if CVD requirements are met, then the vulnerability would be CVD eligible. By expanding CVD, those who are required, and those who utilize the CVD system, are alerted to new additions. This allows for greater knowledge and visibility of exploited vulnerabilities and allows for enhanced vulnerability management.”

The table below shows the approved burden estimate for the ICR.

 

This ICR approves the use of two online information collections:

VINCE.pdf, and

CERT Vulnerability Notes Database.pdf

NOTE: The ICR Information Collection page list does not provide links to the ICs. Both of these pages are part of the Carnegie Mellon University, Software Engineering Institute, vulnerability reporting site.