Tuesday, May 19, 2026

Hologic CVE Partner Notice – 5-19-26

Today, CISA announced on X the latest addition to their CVE Partner program, Hologic, Inc. Typically, such partners become CVE Numbering Authorities (CNA) under CISA’s root authority, and this was the case with Hologic’s breast and skeletal products. I watch these notices so that I can find the link to the vendor’s cybersecurity advisories (here for Hologic) for the purpose of populating my ICS Public Disclosure posts. 

I do not typically report on these announcements as they generally have little practical effect on day-to-day cybersecurity operations. For instance, in Hologic’s case, their latest cybersecurity advisory was published in 2020, as was their latest cybersecurity best practices document. 

I wanted to discuss the Hologic announcement because of two other items that were listed on their cybersecurity landing page: 

• Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms, and 

• Microsoft Patches validated for installation on Hologic Breast and Skeletal Health systems. 

The first may be important to some users, but the second should be of interest to all. Hologic has taken each of the latest Windows updates from Microsoft and applied them to computers upon which the various Hologic medical devices have also been installed. The systems were then tested to ensure that the MS updates did not interfere with the safe operation of the medical devices. 

System owners should still test updates on their own systems before using the devices with live patients, but the Hologic testing should greatly reduce the number of issues discovered. 

I have only seen this testing information on a couple of other vendor web sites; BD comes to mind, and I know Siemens used to do this (they may still; it has been a while since I have taken a deep dive on the extensive Siemens web sites). So, when I see it, I try to call attention to it in an effort to encourage other vendors to do the same. 

Short Takes – 5-19-26 - Federal Register Edition

Pipeline Safety: Meeting of the Gas Pipeline Advisory Committee. Federal Register PHMSA advisory committee meeting notice. Summary: “This notice announces a public meeting of the Technical Pipeline Safety Standards Committee, also known as the Gas Pipeline Advisory Committee (GPAC), to discuss the notice of proposed rulemaking (NPRM), titled ‘Safety of Gas Distribution Pipelines and Other Pipeline Safety Initiatives.’” 

Hazard Communication Standard; Notice of Public Meeting. Federal Register OSHA public meeting notice. Summary: This notice is to advise interested persons that OSHA will conduct two virtual public meetings in 2026 to address the United States Government positions on documents submitted for the sessions of the United Nations Sub-Committee of Experts on the Globally Harmonized System of Classification and Labelling of Chemicals (UNSCEGHS), each virtual meeting in advance of the in-person sessions of the UNSCEGHS. 

Modified Low Size and Weight High-Power Microwave Effector for Non-Compliant Vessel and Counter Uncrewed Surface Vessel Operations. Federal Register Coast Guard notice of intent. Summary: “The Coast Guard is announcing its intent to enter into a Cooperative Research and Development Agreement (CRADA) with Lockheed Martin Corporation to develop a small size, low weight, high-power microwave (HPM) effector for stopping non-compliant vessels (NCV), to include personal watercraft (PWC), and small uncrewed surface vessels (USV). The Coast Guard is seeking public comment on this proposed partnership and potential involvement from other parties. In addition, the Coast Guard also invites other potential non-Federal participants, who have the interest and capability to bring similar contributions to this type of research, to consider submitting proposals for consideration in similar CRADAs.” 

Review – 5 Advisories and 2 Updates Published – 5-19-26

Today CISA’s NCCIC-ICS published five control system security advisories for products from Kieback & Peter, ZKTeco, ScadaBR, Siemens, and ABB. They also published updates for products from ABB. 

Advisories  

Kieback & Peter Advisory - This advisory discusses a code injection vulnerability in the Kieback & Peter DDC Building Controllers. 

ZKTeco Advisory - This advisory describes an authentication bypass using an alternate path or channel vulnerability in the ZKTeco SSC335-GC2063-Face-0b77 CCTV cameras. 

ScadaBR Advisory - This advisory describes four vulnerabilities in ScadaBR 1.2.0. 

Siemens Advisory - This advisory discusses an out-of-bounds write vulnerability in the Siemens RUGGEDCOM APE1808 Devices.  

NOTE: I briefly discussed the Siemens advisory on Saturday. 

ABB Advisory - This advisory describes a path traversal vulnerability in the ABB CoreSense HM and CoreSense M10 products. 

NOTE: I most recently discussed the ABB advisory on October 25th, 2025. 

Updates  

ABB Update #1 - This update provides additional information for the 800xA Base advisory that was originally published on June 25th, 2025. 

NOTE: I most recently discussed the ABB advisory on January 25th, 2026. 

ABB Update #2 - This update provides additional information for the RMC-100 advisory that was originally published on July 15th, 2025. 


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-67b - subscription required. 

Review - DHS CWMD Office to Close

I read an interesting post over on LinkedIn last week about changes in the DHS Office of Countering Weapons of Mass Destruction. Diana Tucker, who had been the Program Training Manager for CWMD, reported that her group had been transferred to FEMA. That led me on an interesting information chase to changes directed by Congress as part of the recent passage of HR 7147, the FY 2026 DHS spending bill. The DHS Office of CWMD no longer exists; its function, funding, and personnel have been dispersed within DHS. A civil service coordinator will oversee the CWMD efforts. 

Commentary 

By US Code §591(b), the Office of Countering Weapons of Mass Destruction was headed by an Assistant Secretary. That lent a certain amount of gravitas to the Office and its efforts. Parceling those efforts out to various other entities within DHS, and replacing the Assistant Secretary with a CWMD Coordinator, will significantly reduce the influence of CWMD efforts in the Department. 

Having said that, some of the program-dispersal efforts certainly make sense. Adding the radiation portal equipment and personnel to the CBP mission certainly falls into this category. And since FEMA already conducts and administers much of the Department’s training, moving the CWMD training to that agency would potentially seem to be both operationally and financially effective. 

At this point it seems clear that Congress needs to rewrite §591, both to formalize the current reorganization and to set out congressional guidance on what the Department needs to accomplish with its coordinated CWMD efforts. At the very least, there should be oversight hearings to ensure that the intent of the HR 7147 reorganization is being appropriately executed. 


For more detailed information on how the OCWMD was closed, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/dhs-cwmd-office-to-close - subscription required. 
