Review - Public ICS Disclosures – Week of May 30th, 2026 – Part 2

For Part 2 we have seven additional vendor disclosures from Siemens, Supermicro, TP-Link (4), and Zyxel. There are also three vendor updates from HP (2) and Westermo. Finally, we have two exploits for vulnerabilities in products from Palo Alto Networks. 

Advisories  

Siemens Advisory - Siemens published an advisory that discusses 77 vulnerabilities in their RUGGEDCOM RST2428P (SINEC OS) product. 

Supermicro Advisory - Supermicro published an advisory that describes an OS command injection vulnerability in multiple Supermicro products. 

TP-Link Advisory #1 - TP-Link published an advisory that describes five vulnerabilities in their Tapo C520WS cameras. 

TP-Link Advisory #2 - TP-Link published an advisory that describes an improper input validation vulnerability in their Tapo C520WS cameras. 

TP-Link Advisory #3 - TP-Link published an advisory that describes a stack-based buffer overflow vulnerability in their Tapo C200 cameras. 

TP-Link Advisory #4 - TP-Link published an advisory that describes a cross-site scripting vulnerability in their TL-SG108PE smart switch. 

Zyxel Advisory - Zyxel published an advisory that describes two classic buffer overflow vulnerabilities in multiple Zyxel wireless network products. 

Updates  

HP Update #1 - HP published an update for their Intel Graphics advisory that was originally published on September 22nd, 2025, and most recently updated on March 16th, 2026. 

HP Update #2 - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on October 30th, 2025, and most recently updated on December 12th, 2025. 

Westermo Update - Westermo published an update for their Viper 3000 Bootloader advisory that was originally published on March 31st, 2026. 

Exploits  

Palo Alto Networks Exploit #1 - Ashraf Zaryouh published an exploit for a reliance on cookies without validation and integrity checking vulnerability in Palo Alto Networks PAN-OS software. 

Palo Alto Networks Exploit #2 - Tushar Gurav published an exploit for a reliance on cookies without validation and integrity checking vulnerability in Palo Alto Networks PAN-OS software. 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-may-d94 - subscription required. 

Short Takes – 6-6-26 - Federal Register Edition

Alternative Electronic Submission of PCB Annual Reports. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA or the Agency), Office of Resource Conservation and Recovery (ORCR), Polychlorinated Biphenyl's (PCBs) Program is announcing that PCB Annual Reports can be submitted via EPA's Resource Conservation and Recovery Act (RCRA) Info System (“RCRAInfo” [link added]). The Agency is moving towards all-electronic reporting to improve simplicity, cost-effectiveness, and efficiency.” 

Safety Zone; Hurricanes, Tropical Storms, and Severe Weather Events in the Sector Mobile Captain of the Port Zone. Federal Register CG notice of proposed rulemaking. Summary: “The Coast Guard is proposing to establish a safety zone in the navigable waters within the Sector Mobile Captain of the Port (COTP) zone, to be enforced in the event of hurricanes, tropical storms, and other severe weather events. This regulation establishes requirements for industry and vessel operators in the Mobile COTP zone, to ensure the safety of the safety of the ports and waters within the zone prior to, during and immediately following these events.” 

Agency Information Collection Activities; Comment Request; Presidential Cybersecurity Education Award. Federal Register Education Department 60-day information collection request reinstatement notice. Summary: “The Executive Order on America's Cybersecurity Workforce (Executive Order 13870), signed on May 2, 2019, included a directive for the Secretary of Education, in consultation with the DAPHSCT and the National Science Foundation, to develop and implement an annual Presidential Cybersecurity Education Award to be presented to one elementary and one secondary school educator per year who best instill skills, knowledge, and passion with respect to cybersecurity and cybersecurity-related subjects. This information collection request supports this executive order.” 

EO 14409 - Promoting Advanced Artificial Intelligence Innovation and Security. Federal Register. 

EPA Sends NPDES NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the EPA on “Updates to the National Pollutant Discharge Elimination System Definitions and Exclusions”. 

This rulemaking was not listed in the Spring 2025 Unified Agenda, so the planned scope of this rulemaking is not readily available. I would assume, however, that this NPRM is part of the Administration’s deregulatory agenda. 

I would not expect to cover this rule in any detail, but at a minimum I will be mentioning the publication of the NPRM in the appropriate Short Takes post. 

Review – Public ICS Disclosures – Week of May 30th, 2026 – Part 1

This week we have a moderately busy disclosure week. For Part 1 there are 12 vendor disclosures from Arista, Dassault Sytems (2), D-Link, Eaton, HP, HPE (2), MBS, NI, Phillips, and Phoenix Contact. 

Advisories  

Arista Advisory - Arista published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability (with publicly available exploit) in their EOS platform products. 

Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerabbility in their Process Experience Studio in DELMIA Service Process Engineer. 

Dassault Advisory #2 - Dassault published an advisory that describes a deserialization of untrusted data vulnerability in their Teamwork Cloud from No Magic product. 

D-Link Advisory - D-Link published an advisory that describes a use of weak credentials vulnerability in their DWR-X1820 router. 

Eaton Advisory - Eaton published an advisory that discusses a TOCTOU race condition vulnerabiltiy in their ProView NXG application software. 

HP Advisory - HP published an advisory that describes a stack-based buffer overflow vulnerability (with publicly available exploit) in their Poly Voice products. 

HPE Advisory #1 - HPE published an advisory that discusses ten vulnerabilities (four with publicly available exploits) in their Telco Network Function Virtualization Orchestrator. 

HPE Advisory #2 - HPE published an advisory that discusses a TOCTOU race condition vulnerability in their ArubaOS-CX Switches. 

MBS Advisory - CERT-VDE published an advisory that describes 11 vulnerabilities in the MBS Universal Gateways (UGW-A-Series, UGW-X-Series) used in multiple MBS products.3 

NI Advisory - NI published an advisory that describes two vulnerabilities in their NI-PAL product. 

Philips Advisory - Philips published an advisory that discusses the Windows’ BlueHammer, RedSun, and UnDefend vulnerabilities. 

Phoenix Contact Advisory - Phoenix Contact published an advisory that describs an exposure of sensitive information to an unauthorized actor vulnerability in their CHARX SEC-3150 product. 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-may - subscription required.