Friday, October 31, 2025

Review – S 3032 Introduced – cUAS Authority Extension

Earlier this month Sen Peters (D,MI) introduced S 3032, the Counter-UAS Authority Extension Act. This bill simply changes the expiration date of 6 USC 124n, Protection of certain facilities and assets from unmanned aircraft, from September 30th, 2025, to September 30th, 2028. No new funding is authorized by this bill.

This bill is essentially the same as S 5639, the Counter-UAS Authority Extension Act, that was introduced by Peters in December 2024. That bill was introduced and then passed in the Senate by unanimous consent on the same day. No action was taken in the House on the bill in the 118th Congress. An extension of the cUAS authority until March 14th, 2025, was included in §5102 of PL 118-158, the American Relief Act, 2025, which was passed on the same day. The subsequent spending bill extended that date to September 30th, 2025.

Moving Forward

In an unusual move, this bill was not assigned to any committee for consideration. Instead, it was ‘read for the second time and placed on Senate Legislative Calendar under General Orders’ on the day it was introduced. This means that it could again be offered for consideration under the Senate’s unanimous consent procedure at any time.

 

For more information on this bill, including a brief commentary on the lack of committee assignment, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3032-introduced-cuas-authority - subscription required.

Transportation Chemical Incidents – Week of 9-27-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data are from PHMSA’s online database of transportation-related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 469 (433 highway, 34 air, 2 rail, 0 water)

• Serious incidents – 4 (3 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 1 fire/explosion, 46 no release)

• Largest container involved – 23,912-gal DOT 111A100W1 Railcar {Elevated Temperature Liquid, N.O.S., At Or Above 100 C And Below Its Flash Point (Including Molten Metals, Molten Salts, Etc.)} Manway gasket missing.

• Largest amount spilled – 275-gal Plastic box {Corrosive Liquid, N.O.S.} Load not blocked/chocked, container crushed in transit.

• Total amount reported spilled in all incidents – 1512.8-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Calcium Peroxide: A grayish white granular material. Used in baking, in medicine, in bleaching oils. CALCIUM PEROXIDE is an explosion hazard if mixed with finely divided organic matter. Noncombustible but accelerates the burning of combustible material: mixtures of combustible material and the peroxide can be ignited by friction or contact with moisture. Mixtures with polysulfide polymers may ignite. Decomposes rapidly above 200°C. Strongly basic. (Source: CameoChemicals.NOAA.gov).

 



CISA Added VMware Vulnerability to KEV – 10-30-25

Yesterday CISA announced that it had added a privilege defined with unsafe actions vulnerability in the VMware Aria Operations and VMware Tools products to the CISA Known Exploited Vulnerabilities (KEV) catalog. Broadcom previously disclosed the vulnerability on September 29th, 2025, and yesterday updated their advisory to report exploits in the wild. NVISO Labs reported on the initial vulnerability disclosure and included proof-of-concept code in that report.

CISA has ordered all federal agencies using the affected VMware products to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The deadline for completing those actions is November 20th, 2025.

Short Takes – 10-31-25

Humanoid robots could lift 4,000 times their own weight thanks to breakthrough 'artificial muscle'. LiveScience.com article. Pull quote: “"This research overcomes the fundamental limitation where traditional artificial muscles are either highly stretchable but weak or strong but stiff," lead study author Hoon Eui Jeong, a professor of mechanical engineering at the Ulsan National Institute of Science and Technology (UNIST), said in a statement. "Our composite material can do both, opening the door to more versatile soft robots, wearable devices, and intuitive human-machine interfaces."” But will the skeleton support that amount of weight?

This ‘impressive’ AI model predicted Hurricane Melissa’s perilous growth. Nature.com article. Pull quote: “Still, the DeepMind team cautions against reading too much into the predictions of a single storm: “We are happy to have been able to contribute useful guidance to NHC, but we caution against representing the model’s capabilities based on a single case or metric,” says Ferran Alet, a research scientist at DeepMind.”

It’s never been easier to be a conspiracy theorist. TechnologyReview.com article. Pull quote: “But Hofstadter’s concept of the paranoid style remains useful—and ever relevant—because it also describes a way of reading the world. As he put it, “The distinguishing thing about the paranoid style is not that its exponents see conspiracies or plots here or there in history, but they regard a ‘vast’ or ‘gigantic’ conspiracy as the motive force in historical events. History is a conspiracy, set in motion by demonic forces of almost transcendent power, and what is felt to be needed to defeat it is not the usual methods of political give-and-take, but an all-out crusade.”” Part of a new TR series of articles.

Man finally released a month after absurd arrest for reposting Trump meme. ArsTechnica.com article. Pull quote: “Chris Eargle, who started the “Free Larry Bushart” Facebook group, told The Intercept that Weems’ story justifying the arrest made no sense. Instead, it seemed like the sheriff’s actions were politically motivated, Eargle suggested, intended to silence people like Bushart with a show of force demonstrating that “if you say something I don’t like, and you don’t take it down, now you’re going to be in trouble.””

Former CDC official on new mpox cases and current federal resources. TheHill.com article. Pull quote: “We won’t have that coordination to say, hey, there’s expiring doses coming out of the National Strategic Stockpile. Does anybody want these? And so, we will still have a bunch of people who need access to vaccines who will not be able to get them because they’ll not be able to afford them. We have people who will not get messaging that they should have gotten. ”

Space-Geek Backlog List

This is a linked list of articles that have been accumulating in my reading list over the last couple of weeks, with still more to come in future issues:

Innospace gets license for first orbital launch attempt,

Something from “space” may have just struck a United Airlines flight over Utah,

How NASA, SpaceX and America can still win the race to the moon,

Duffy says NASA will open Artemis 3 lander contract to competition, and

Samara Aerospace pointing technology to be tested in orbit.

Thursday, October 30, 2025

Review – 2 Advisories Published – 10-30-25

Today CISA’s NCCIC-ICS published two control system security advisories for products from Hitachi Energy and International Standards Association (ISO 15118-2).

Advisories

Hitachi Energy Advisory - This advisory describes three vulnerabilities in the Hitachi Energy TropOS 4th Gen wireless devices.

ISO Advisory - This advisory describes an improper restriction of communication channel to intended endpoint vulnerability in the ISO 15118 standard: Part 15118-2 Network and Application Protocol Requirements.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-10-30-25 - subscription required.

Review – S 2938 Introduced – Advanced AI Evaluation

Last month Sen Hawley (R,MO) introduced S 2938, the Artificial Intelligence Risk Evaluation Act of 2025. The bill would require DOE to establish an Advanced Artificial Intelligence Evaluation Program, and each year submit to Congress a detailed recommendation for Federal oversight of advanced artificial intelligence systems. No new funding is provided in the bill.

Commentary

This bill does not actually allow DOE to conduct regulatory oversight of covered advanced AI system developers or systems, but the requirement to provide information to DOE, with the accompanying penalty for noncompliance, makes this a de facto regulatory scheme that would be certain to morph into an active regulatory effort. This is especially important because there is no language in the bill that would prohibit DOE regulatory efforts. More importantly, there is no language that would limit DOE from sharing the information, either on its own initiative or under provisions of the Freedom of Information Act.

 

For more information on the provisions of this bill, including commentary on the selection of DOE as the action agency, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2938-introduced-advanced-ai-evaluation - subscription required.

Wednesday, October 29, 2025

Review - Bills Introduced – 10-28-25

Yesterday, with just the Senate in Washington and the House meeting in pro forma session, there were 56 bills introduced. Three of those bills will receive additional coverage in this blog:

HR 5857 FARM Act Perez, Marie Gluesenkamp [Rep.-D-WA-3]

HR 5868 To amend the Safe Drinking Water Act to provide grants under the Drinking Water Infrastructure Risk and Resilience Program for training programs relating to protecting public water systems from and responding to cyberattacks, and for other purposes. Wilson, Frederica S. [Rep.-D-FL-24]

S 3068 A bill to require original equipment manufacturers to make available certain documentation, parts, software, and tools with respect to farm equipment, and for other purposes. Welch, Peter [Sen.-D-VT] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-10-28-25 - subscription required.

Short Takes – 10-29-25 – Space Geek Edition

Rising demand and falling costs clear path for satellite servicing. SpaceNews.com article. Pull quote: “Starfish Space raised $29 million in 2024 to develop autonomous vehicles for life-extension in geostationary orbit and removing debris from low-Earth orbit. Starfish is developing “the lowest cost satellite-servicing architecture that we possibly can, so we can open up the aperture to a larger quantity of clients,” Vidal said.”

ESA's lunar lander on a simulated moon. Space.com article. Pull quote: “Argonaut is ESA's dedicated lunar lander program, Europe's planned autonomous, versatile and reliable transport system to the moon. The Argonaut will deliver up to 1.6 tons (1.5 tonnes) of cargo to virtually any location on the lunar surface.”

Could we blast space debris out of harm's way with ion beams? Space.com article. Pull quote: “"By avoiding the risks inherent in capture or docking, the [ALBATOR] project aims to provide a safer and more versatile solution to one of the greatest challenges facing space sustainability: the proliferation of debris in Earth's orbit," NorthStar officials stated in a release last month highlighting their participation.”

'The solar system on demand': HEO Robotics aims to push spacecraft imaging deep into the final frontier. Space.com article. Pull quote: “Notably, Astroscale has performed a fly-around of a spent rocket stage in orbit, as part of its plans to start deorbiting pieces of space junk. HEO can help with such operations, Crowe explained. "It's just good practice to have outside eyes looking in. Issues can happen to a sensor on board, but also you can get a different perspective." The agreement between HEO and Astroscale also covers extending cooperation into GEO and geostationary transfer orbits.”

Space sustainability comes down to Earth. TheSpaceReview.com article. Pull quote: “The [UK Space] agency commissioned several studies to explore those impacts, which were recently completed and discussed at a workshop the day before the main summit. They did not necessarily alleviate much of the uncertainty on the topic. One was a study of literature on atmospheric chemistry relevant to the topic. “Broadly, the conclusions were that we really don’t know anything,” he said. “We really don’t know much about what the atmospheric impact is of reentry.””

Backlog List

This is a linked list of articles that have been accumulating in my reading list over the last couple of weeks, with still more to come in future issues:

SpaceX finally got exactly what it needed from Starship V2,

Space Pioneer raises $350 million as China’s commercial launch boom accelerates,

Strange 'puffy' alien world breaks every rule for how planets should behave,  

Hans Koenigsmann, who investigated all of SpaceX’s rocket failures, is going to space, and

First Ariane 64 launch slips to 2026.

Tuesday, October 28, 2025

Review – 2 Advisories and 1 Update Published – 10-28-25

Today CISA’s NCCIC-ICS published one control system and one medical device security advisory for products from Schneider and Vertikal Systems. They also updated an advisory for products from Schneider.

Advisories

Schneider Advisory - This advisory describes an allocation of resources without limit or throttling vulnerability in the Schneider EcoStruxure OPC UA Server Expert and EcoStruxure Modicon Communication Server.

NOTE: I briefly discussed this vulnerability on October 19th, 2025.

Vertikal Advisory - This advisory describes two vulnerabilities in the Vertikal Hospital Manager Backend Services.

Updates

Schneider Update - This update provides additional information on the Modicon advisory that was originally published on December 17th, 2024, and most recently updated on March 18th, 2025.

NOTE: I briefly mentioned the Schneider update on October 19th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-bb7 - subscription required.

CISA Adds 2 Dassault Systèmes Vulnerabilities to KEV – 10-28-25

Today CISA announced that it had added two vulnerabilities in the Dassault Systèmes DELMIA Apriso manufacturing operations management software to its Known Exploited Vulnerabilities catalog. The two vulnerabilities are:

Code injection - CVE-2025-6204, and

Missing authorization - CVE-2025-6205

Dassault published advisories for the vulnerabilities on August 4th, 2025. The vulnerabilities were reported to Dassault by Rahul Maini and Harsh Jaiswal via ProjectDiscovery.io; their report contains proof-of-concept code.

CISA has ordered federal agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. They provided a deadline of November 18th, 2025 to accomplish these actions.

Review - S 2971 Introduced – Gas Transportation Definition

Earlier this month Sen Sheehy (R,WY) introduced S 2971, the Plant Safety Authorities Coordination Act of 2025. This bill would modify the current definition of the term ‘transporting gas’ in 49 USC 60101. The bill would remove ‘in-plant piping systems’ from the definition. No new spending is authorized.

Moving Forward

Sheehy is a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in committee. I expect that there would be some level of bipartisan support for this bill, though there may be some environmental opposition. This bill is not politically important enough to be considered by the Senate under regular order, and the environmental opposition would almost certainly stop consideration under the Senate’s unanimous consent process.

                        

For more details about the provisions of this bill, including a commentary on the lack of apparent need, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2971-introduced-gas-transportation - subscription required.

Short Takes – 10-28-25

With Melissa, 2025 Becomes Only the Second Season with More Than Two Category 5 Hurricanes. ScientificAmerican.com article. Pull quote: “Category 5 storms are rare—Melissa is only the 45th Category 5 in the Atlantic Ocean on record since 1851. These storms require a perfect alignment of prodigious available energy and conducive atmospheric conditions to reach and sustain such powerful wind speeds.”

Hurricane Melissa Turns Toward Jamaica, Bringing 175 M.P.H. Winds and Catastrophic Rains. NYTimes.com article (free); the link includes periodic updates. Pull quote: “Speaking on CNN, Mr. Holness offered a grim outlook, saying that he did not believe there was “any infrastructure within this region that could withstand” a storm that powerful.”

Monster hurricane to hit Jamaica: ‘I have been on my knees in prayer’. WashingtonPost.com article. Pull quote: “Rain is forecast to fall in torrents, totaling up to 40 inches in the mountains, which will result in catastrophic flash flooding and landslides. Storm surge of 9 to 13 feet as well as very large waves are expected to inundate areas near the south coast where the storm makes landfall — with the highest risk in parishes such as Westmoreland, Saint Elizabeth, Manchester and Clarendon. Once the storm moves to the north side of the island and winds change, surge risks will shift into Saint James and Trelawny.”

Bird Flu Is Back. Here’s What to Know. ScientificAmerican.com article. Pull quote: “Keith Poulsen, director of the Wisconsin Veterinary Diagnostic Laboratory and a large animal veterinarian at the University of Wisconsin, notes that several states, including California and Idaho, are seeing ongoing infections in cattle—but that he knows this only because of informal conversations with colleagues. Meanwhile last month the USDA confirmed Nebraska’s first known dairy infection, suggesting the virus is still spreading among herds. But in general, reporting of infections in dairy cattle is slow and disorganized. “We don’t have enough information to know what our risk is, and that’s a pretty precarious position,” Poulsen says. “We don’t know what we don’t know.””

Fifth case of Highly Pathogenic Avian Influenza confirmed at commercial poultry plant in Georgia. WALB.com article. Pull quote: “On Friday, Oct. 24, the Georgia Department of Agriculture’s Emergency Management and State Agricultural Response Teams (SART) went to the plant to conduct depopulation, disposal, cleaning, and disinfection. All commercial poultry plants within a 6.2-mile radius have been placed on quarantine and will undergo surveillance testing for a period of at least two weeks, the release said.”

Strange object between Saturn and Uranus is 'evolving' its own ring system, study suggests. LiveScience.com article. Pull quote: “A team of Brazil-based astronomers found that the bands of material orbiting around (2060) Chiron, a 125-mile-wide (200 kilometers wide) object that circles the sun between Saturn and Uranus, are new and still taking shape. The findings suggest that Chiron's surroundings are in a transitional state somewhere between a chaotic cloud of debris and a fully formed ring system, offering scientists a rare snapshot of ring formation in progress, which has never been directly witnessed before.”

New images of interstellar object 3I/ATLAS show giant 'jet' shooting toward the sun. LiveScience.com article. Pull quote: “These and other peculiarities have led a small group of researchers to controversially claim that the object may be an alien spacecraft sent to spy on us. However, the vast majority of scientists maintain that 3I/ATLAS is a high-speed comet behaving exactly as comets should. The new images of the interstellar interloper, captured Aug. 2 by the Two-meter Twin Telescope (TTT) at the Teide Observatory in Spain's Canary Islands, further cement the object's natural origins.”

How Jack Smith’s strongest case against Donald Trump collapsed. WashingtonPost.com article. Pull quote: “Prosecutors believed they had ample evidence that at Mar-a-Lago Trump willfully retained dozens of national defense documents whose release could harm the country’s security. Prosecutors felt they had somewhat less convincing proof he had broken the law when taking records out of D.C., some on Jan. 20, 2021, the day of Biden’s inauguration.”

NOTE: Readers will have noticed a decrease in the number and timing of these posts. First, I have decided to cut back on my late-night writing, just trying to increase the time available for sleeping; five hours of sleep is just not cutting it any longer, the price of getting older. This means that there will be increasing time conflicts in my morning writing hours, and my paying readers will get priority there. This means that there will be fewer of these posts. Priority will be on Federal Register posts (if/when the government reopens), as well as weather and medical posts. That will inevitably lead to a decrease in Space Geek posts, with those editions probably being longer, with some dating of the articles referenced. Comments and recommendations from readers are welcomed.

CSB Announces Investigation of AES Fatal Explosions

Yesterday the Chemical Safety Board (CSB) announced that it was deploying an investigation team to investigate the fatal explosion at the Accurate Energetic Systems facility in Humphreys County, Tennessee. That incident occurred on October 10th, 2025, and resulted in 16 deaths, additional serious injuries, and severe damage to the facility.

CSB explains the delay in beginning their investigation:

“The CSB team will arrive at the incident scene this week.  Until recently, access to the site was restricted, as it was under the control of the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) while the ATF was analyzing the debris field and removing undetonated explosives and other hazardous materials from the site.  The CSB has been in regular contact with the ATF since the explosion occurred and is deploying investigators now that the ATF has completed its activities and returned control of the site back to AES.  The CSB also has been communicating with AES and has requested a range of information and materials from the company about the facility and its operations.”


While this announcement does not officially open an investigation into the incident, given the number of deaths involved, the CSB will almost certainly be conducting a full investigation. The Board currently has eight official investigations underway.

Monday, October 27, 2025

Review - S 2980 Introduced – Composite Pipes for H2 Pipelines

Earlier this month Sen Moran (R,KS) introduced S 2980, the Innovative and Safe Hydrogen Transportation Act. This bill would require DOT to “complete a study assessing the potential and existing use of pipelines constructed with composite materials to safely transport hydrogen and hydrogen blended with natural gas.” No funding is authorized by this legislation.

S 2980 is essentially the same as HR 6510, the Hydrogen Safety and Environmental Responsibility Act, that was introduced in the House by Rep Molinaro (R,NY) in November 2023. No further action was taken on that bill in the House in the 118th Congress. Additionally, a very similar version of this language was included in HR 6494, the PIPES Act of 2023. Section 14 of that bill would require the same study, except it would give DOT 24 months to complete the study instead of the 18 months provided in this bill. That bill was ordered reported favorably by the House Transportation and Infrastructure Committee in June of 2023. The Committee Report and a reported version of the bill were published, but no further action was taken on the bill in the 118th Congress.

Moving Forward

Moran is a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. While the bill does include a regulatory requirement (generally anathema to Republicans), this is a permissive regulatory requirement, so it may avoid Republican opposition. I expect that there will be bipartisan support for this bill. That should be sufficient in Committee, but this bill is not politically important enough to allow for consideration by the full Senate under regular order. I suspect that there will be enough regulatory resentment and/or alternative-fuel opposition to prevent this bill from being approved under the Senate’s unanimous consent process.

Commentary

The requirement for this study in the bill is pro forma in nature. The heart of this bill is the requirement in §2(e) for DOT to move forward with a rulemaking “to allow for the use of composite materials for pipeline transportation of hydrogen and hydrogen blended with natural gas.” This presupposes that the study would find that such composite use would be safe.

The interest in composite materials in this bill is because hydrogen gas is very reactive with most metals used in pipeline construction. This results in an increase in brittleness of the metal and a decrease in the strength of the pipeline. The composite material can be either a high-strength plastic pipe or a plastic lining to a conventional metal pipe.

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2980-introduced-composite-pipes - subscription required.

Sunday, October 26, 2025

Review - S 2866 Introduced – Ag Cybersecurity

Earlier this month Sen Budd (R,NC) introduced S 2866, the Cybersecurity in Agriculture Act of 2025. The bill would require the National Institute of Food and Agriculture (NIFA) to establish five Regional Agriculture Cybersecurity Centers (RACC) to carry out research, development, and education on agriculture cybersecurity. The bill would amend the National Agricultural Research, Extension, and Teaching Policy Act of 1977, adding a new §1473I. The bill would authorize $25 million in annual spending to support the Centers through 2030.

The bill is similar to HR 4387, the Cybersecurity in Agriculture Act of 2023, that was introduced in the House in June of 2023 by Rep Nunn (R,LA). No action was taken on that bill in the 118th Congress. Most of the differences are editorial (format and word changes) in nature, with the exception of the addition of paragraph (b)(9), which would require that the described cybersecurity activities be specifically designed to prevent cyberattacks from the usual nation-state suspects.

Commentary

There is one major deficiency in this bill: it lacks any mention of cybersecurity vulnerabilities in agricultural systems. The RACCs should conduct vulnerability research, act as vulnerability disclosure coordinators for agricultural systems, and coordinate with CISA’s NCCIC in publishing advisories about reported vulnerabilities.

To support those vulnerability related efforts, I would add a new §1473I(b)(9):

“(9) conduct vulnerability research on agricultural control systems, act as a coordinator between researchers and vendors, and, in coordination with CISA’s National Cybersecurity and Communications Integration Center, publish advisories describing discovered cybersecurity vulnerabilities in agricultural control systems.”


For more details about the provisions of this bill, including a discussion about the lack of definitions of cybersecurity terms, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2866-introduced-ag-cybersecurity - subscription required.

Saturday, October 25, 2025

Short Takes – 10-25-25 – Federal Edition

Beautifying Transportation Infrastructure Council. Federal Register DOT notice. Summary: “The Department announces the establishment of the Beautifying Transportation Infrastructure Council, which will advise the Secretary of Transportation on enhancing the aesthetic value of our Nation's transportation systems. In addition, the Department is soliciting nominations for membership of the Council.” Definitely a high-profile, middle-of-a-shutdown notice. SIGH

CVE Quality for a Cyber Secure Future. CISA.gov fact sheet. Pull quote: “Improving transparency, visibility, responsiveness, and data enrichment across all CVE Records is important for the CVE Program to fulfill its mission. While promoting CVE Program federation in the form of CNA community growth, CISA will also prioritize improvements in these areas appropriate to the unique roles that CNA-LRs play in the ecosystem. CISA will lead by example and manage program performance by raising the standards for transparency, communication, and responsiveness to community queries.”

Proclamation 10985 - National Cybersecurity Awareness Month, 2025. Federal Register.

OMB Approves EPA PFAS TSCA Reporting NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the EPA on “Perfluoroalkyl and Polyfluoroalkyl Substances (PFAS) Data Reporting and Recordkeeping under the Toxic Substances Control Act (TSCA); Revision to Regulation”. The NPRM was sent to OMB on August 29th, 2025.

According to the entry for this rulemaking in the Spring 2025 Unified Agenda:

“The Environmental Protection Agency (EPA or Agency) is considering a proposed rule to amendments to the Toxic Substances Control Act (TSCA) regulation for reporting and recordkeeping requirements for perfluoroalkyl and polyfluoroalkyl substances (PFAS). As promulgated in October 2023, the regulation requires manufacturers (including importers) of PFAS in any year between 2011-2022 to report certain data to EPA related to exposure and environmental and health effects. EPA plans to propose the incorporation of certain exemptions and other modifications to the scope of the reporting rule.”                      

Generally, I do not cover TSCA rulemakings in any detail in this blog, and I do not expect this to be an exception to that rule. I will, at least, mention publication of this rule in the appropriate ‘Short Takes’ post.

Review – Public ICS Disclosures – Week of 10-18-25

This week we have bulk vendor disclosures from Moxa (6). There are eight additional vendor disclosures from ABB, Belden, HP (3), Pilz, Sauter, and Zyxel. We also have three vendor updates from ABB (2) and HP.

Bulk Disclosures

Bulk Advisories – Moxa

CVE-2025-1679, CVE-2025-1680: Stored Cross-site Scripting (XSS) and Host Header Injection Vulnerabilities in Ethernet Switch,

Security Enhancement: Modbus/TCP Discrete Input Access,

Security Enhancement: Modbus/TCP Device Identification,

Security Enhancement: SNMP Agent Default Community Name (public),

Security Enhancement: SSH Weak MAC Algorithms Enabled, and

Security Enhancement: SSH Weak Key Exchange Algorithms Enabled.

Advisories

ABB Advisory - ABB published an advisory that describes a heap-based buffer overflow vulnerability in their Terra AC wallbox.

Belden Advisory - Belden published an advisory that discusses the Blast-RADIUS vulnerability. Belden

HP Advisory #1 - HP published an advisory that discusses an out-of-bounds read vulnerability in multiple notebook and desktop PCs.

HP Advisory #2 - HP published an advisory that discusses two vulnerabilities in multiple notebook and desktop PCs.

HP Advisory #3 - HP published an advisory that discusses an out-of-bounds write vulnerability in multiple notebook PCs.

Pilz Advisory - CERT-VDE published an advisory that discusses an integer overflow or wraparound vulnerability (with publicly available exploits) in the Pilz PASvisu Runtime product.

Sauter Advisory - CERT-VDE published an advisory that describes six vulnerabilities in the Sauter modulo 6 devices.

Zyxel Advisory - Zyxel published an advisory that describes two vulnerabilities in their ZLD firewalls.

Updates

ABB Update #1 - ABB published an update that provides additional information on the ALS-mini-S4/S8 IP advisory that was originally published on October 20th, 2025.

ABB Update #2 - ABB published an update that provides additional information on the CoreSense advisory that was originally published on April 16th, 2025, and most recently updated on October 10th, 2025.

HP Update - HP published an update that provides additional information on their AMD Transient Scheduler advisory that was originally published on July 10th, 2025, and most recently updated on August 15th, 2025.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-174 - subscription required.

Friday, October 24, 2025

Review - HR 5078 Introduced – PILLAR Act

Last month Rep Ogles (R,TN) introduced HR 5078, the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act. The bill would reauthorize CISA’s State and local cybersecurity grant program through 2035 (the program terminated on September 30th, 2025), including updating 6 USC 665g. Changes include clarifying that the grant program could be used to support operational technology, as well as information systems. There is no specific funding provided in this reauthorization; instead, the funding would be “subject to the availability of appropriations”.

Markup Hearing

On September 9th, 2025, the House Homeland Security Committee held a business meeting that considered seven bills, including HR 5078. The bill was ordered reported favorably by a strongly bipartisan vote of 21 to 1. The Committee Report has not yet been published.

Moving Forward

The bipartisan support in Committee almost guarantees that the bill will be considered in the full House under the suspension of the rules process. While this process restricts debate, prohibits floor amendments, and requires a supermajority for passage, it also increases the chance that the bill will be considered; more bills are considered under the suspension process than are considered under regular order.

 

For more information about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5078-introduced-pillar-act - subscription required.

Transportation Chemical Incidents – Week of 9-20-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 590 (547 highway, 37 air, 6 rail, 0 water)

• Serious incidents – 3 (3 Bulk release, 0 evacuation, 0 injury, 0 death, 1 major artery closed, 1 fire/explosion, 40 no release)

• Largest container involved – 30,400-gal DOT 117J100W Railcar {Alcohols, N.O.S.} Gaskets deteriorated due to fire adjacent to railcar.

• Largest amount spilled – 400-gal DOT 117J100W Railcar {Alcohols, N.O.S.} Gaskets deteriorated due to fire adjacent to railcar. NOTE: Different railcar same incident.

• Total amount reported spilled in all incidents – 2401.2-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Triethylamine: A clear colorless liquid with a strong ammonia to fish-like odor. Flash point 20°F. Vapors irritate the eyes and mucous membranes. Less dense (6.1 lb / gal) than water. Vapors heavier than air. Produces toxic oxides of nitrogen when burned. (Source: CameoChemicals.NOAA.gov).

 



Thursday, October 23, 2025

Review – 5 Advisories and 3 Updates Published –

Today CISA’s NCCIC-ICS published four control system advisories and one medical device security advisory for products from Delta Electronics, Veeder-Root, ASKI Energy, AutomationDirect, and NIHON KOHDEN. They also published updates for advisories for products from Schneider (2) and Hitachi Energy.

Advisories

Delta Advisory - This advisory describes two stack-based buffer overflow vulnerabilities in the Delta ASDA-Soft servo software.

NOTE: I briefly discussed these vulnerabilities on Sunday.

Veeder-Root Advisory - This advisory describes two vulnerabilities in the Veeder-Root TLS4B Automatic Tank Gauge System.

ASKI Advisory - This advisory describes a missing authentication for critical function vulnerability in the ASKI ALS-mini-S4/S8 IP controllers.

NOTE: ASKI Energy is a subsidiary of ABB.

AutomationDirect Advisory - This advisory describes nine vulnerabilities in the AutomationDirect Productivity PLCs.

NIHON KOHDEN Advisory - This advisory describes a NULL pointer dereference vulnerability in the NIHON KOHDEN Central Monitor CNS-6201.

Updates

Schneider Update #1 - This update provides additional information on the Altivar Products advisory that was originally published on September 16th, 2025.

Schneider Update #2 - This update provides additional information on the EcoStruxure advisory that was originally published on February 6th, 2025, and most recently updated on July 15th, 2025.

Hitachi Energy Update - This update provides additional information on the MACH SCM advisory that was originally published on April 25th, 2024.

NOTE: I briefly discussed this updated information on October 5th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-3-updates-published-3e1 - subscription required.


Review - Bills Introduced – 10-22-25

Yesterday, with just the Senate in Washington (Johnson is still keeping the House out of Washington), there were eight bills introduced. One of those bills will receive additional coverage in this blog: 

S 3032 A bill to extend the authority for the protections of certain facilities and assets from unmanned aircraft. Peters, Gary C. [Sen.-D-MI]

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

S 3029 A bill to provide for Department of Energy and National Aeronautics and Space Administration research and development coordination, and for other purposes. Sullivan, Dan [Sen.-R-AK]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-10-22-25 - subscription required.

Wednesday, October 22, 2025

Review – S 2049 Introduced – NTIA Cybersecurity Office

Back in June Sen Hickenlooper (D,CO) introduced S 2049, the NTIA Policy and Cybersecurity Coordination Act. The bill would transform the current NTIA Office of Policy Analysis and Development (OPAD) into the Office of Policy and Cybersecurity Coordination. No new funding is authorized by this legislation.

The bill would amend the National Telecommunications and Information Administration Organization Act by adding a new §106, Office of Policy Development and Cybersecurity.

The bill is essentially the same as S 1526 that was introduced last session by Sen Hickenlooper (D,CO), but no action was taken on that bill in the Senate.

Moving Forward

Hickenlooper and all three of his cosponsors {Sen Capito (R,WV), Sen Curtis (R,UT), and Sen Blunt-Rochester (D,DE)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I expect that there will be some level of bipartisan support for the bill, but it probably will not be sufficient to allow the bill to be considered by the full Senate under the unanimous consent process. This bill is not politically important enough to take up the Senate’s time under regular order.

 

For more information on the provisions of this bill, as well as a commentary on a possible change in the legislative environment for this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2049-introduced-ntia-cybersecurity - subscription required.

Tuesday, October 21, 2025

Review – 7 Advisories and 3 Updates Published – 10-21-25

Today CISA’s NCCIC-ICS published six control system advisories and one medical device security advisory for products from Raisecomm, CloudEdge, Siemens (2), Rockwell (2), and Oxford Nanopore Technologies. They also published three control systems security updates for products from Schneider.

Advisories

Raisecomm Advisory - This advisory describes an authentication bypass using alternate path or channel vulnerability in the Raisecomm RAX701-GC products.

CloudEdge Advisory - This advisory describes an improper neutralization of wildcards or matching symbols vulnerability in the CloudEdge App and CloudEdge Online Cameras.

Siemens Advisory #1 - This advisory describes four vulnerabilities in the Siemens Ruggedcom product line.

Siemens Advisory #2 - This advisory describes two vulnerabilities in the Siemens SIMATIC S7-1200 CPU V1 and SIMATIC S7-1200 CPU V2 families.

Rockwell Advisory #1 - This advisory describes an uncaught exception vulnerability in the Rockwell Compact GuardLogix 5370.

NOTE: I briefly discussed this vulnerability on Sunday.

Rockwell Advisory #2 - This advisory describes two vulnerabilities in the Rockwell 1783-NATR product.

Oxford Advisory - This advisory describes three vulnerabilities in the Oxford MinKNOW DNA and RNA sequencing device.

Updates 

Schneider Update #1 - This update provides additional information on the Modicon Controllers advisory that was originally published on May 20th, 2025, and most recently updated on July 15th, 2025.

NOTE: I briefly discussed this vulnerability on Sunday.

Schneider Update #2 - This update provides additional information on the Modicon Controllers advisory that was originally published on December 19th, 2024.

NOTE: I briefly discussed this vulnerability on Sunday.

Schneider Update #3 - This update provides additional information on the Pro-face GP advisory that was originally published on February 4th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-3-updates-published-27b - subscription required.

Review - FERC Publishes Regulation Sunset Rules 10-21-25

Today the Federal Energy Regulatory Commission (FERC) published two rulemakings in the Federal Register, both relating to the sunset date requirements of EO 14270, Zero-Based Regulatory Budgeting to Unleash American Energy. The first rulemaking (90 FR 48397-48408) is a direct final rule (DFR); it would add a sunset date of December 5th, 2026 to each of several sections of 18 CFR Parts 2, 5, 36, 131, 153, 156, 157, 203, 206, 287, 300, 366, 375, and 385. Absent any ‘significant adverse comment’ submitted in response to this DFR, this rule goes into effect on December 5th, 2025.

The second rulemaking (90 FR 48419-48421) is a notice of proposed rulemaking (NPRM) on the same topic. Effectively, it only comes into play if there are any significant adverse comments filed on the DFR above. According to the NPRM preamble:

“This NOPR ensures that the Commission has a proceeding through which it can consider any significant adverse comments that might be filed in response to the direct final rule and determine whether to proceed with finalizing specific sunsetting regulations.”

Public Comments

FERC is soliciting comments on the DFR (which may transfer to the NPRM if FERC declares any of the comments to be significant adverse comments). Comments may be submitted electronically via https://ferconline.ferc.gov/QuickComment.aspx. Comments should be submitted by November 20th, 2025.

 

For more information on the provisions of these two rulemakings, including commentary on missed deregulatory credit, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ferc-publishes-regulation-sunset - subscription required.

Monday, October 20, 2025

Short Takes – 10-20-25

Meet the man building a starter kit for civilization. TechnologyReview.com article. Pull quote: “The final goal of Open Source Ecology is a “zero marginal cost” society, where producing an additional unit of a good or service costs little to nothing. Jakubowski’s interpretation of the concept (popularized by the American economist and social theorist Jeremy Rifkin) assumes that by eradicating licensing fees, decentralizing manufacturing, and fostering collaboration through education, we can develop truly equitable technology that allows us to be self-sufficient. Open-source hardware isn’t just about helping farmers build their own tractors; in Jakubowski’s view, it’s a complete reorientation of our relationship to technology.”

Cybersecurity Awareness Month: Stop the Spread: Diagnosing and Defeating Tool Sprawl in Cybersecurity. GuidePointSecurity.com blog post. Pull quote: “If you are unable to get an organizational view of your true risk, you’re flying blind. Disconnected tools make it harder to measure effectiveness, detect threats quickly, or make informed security decisions.” A short advertorial for their whitepaper.

Something from “space” may have just struck a United Airlines flight over Utah. ArsTechnica.com article. Pull quote: “That [human space debris] was the initial conclusion of the pilot, but a meteor is more likely than space debris. Estimates vary, but a recent study in the journal Geology found that about 17,000 meteorites strike Earth in a given year. That is at least an order of magnitude greater than the amount of human-made space debris that survives reentry through Earth’s atmosphere.”

EO 14356 - Ensuring Continued Accountability in Federal Hiring – Federal Register

Review – Committee Hearings – Week of 10-19-25

This week, with the Senate in Washington and the House sitting quietly on the sidelines, there is a relatively light hearing schedule. There is one markup hearing of note and a chemical safety hearing.

Markup Hearings

On Tuesday, the Senate Commerce, Science, and Technology Committee will hold a business meeting that will consider three nominations and eight pieces of legislation, with one of particular interest here: S 2975, the PIPELINE Safety Act of 2025.

Chemical Safety

On Thursday, the Subcommittee on EPW Chemical Safety, Waste Management, Environmental Justice, and Regulatory Oversight of the Senate Environment and Public Works Committee will hold a hearing on “Examining the Beneficial Use and Regulation of Chemicals”.

 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-10-19 - subscription required.

Sunday, October 19, 2025

Review – Public ICS Disclosures – Week of 10-11-25 – Part 2

For Part 2 we have 11 additional vendor disclosures from Phoenix Contact (2), Rockwell Automation (2), Schneider, Sick (2), Supermicro, and Westermo (3). We have 20 bulk updates from Schneider (5) and Siemens (15). We have three additional vendor updates from B&R Automation, CODESYS, and HP. Finally, we have four researcher reports describing vulnerabilities in products from Red Lion and Ilevia (3).

Advisories

Phoenix Contact Advisory #1 - Phoenix Contact published an advisory that describes four vulnerabilities in their QUINT4-UPS EIP uninterruptible power supplies.

Phoenix Contact Advisory #2 - Phoenix Contact published an advisory that describes a code injection vulnerability in their CHARX SEC-3xxx charging controllers.

Rockwell Advisory #1 - Rockwell published an advisory that describes an uncaught exception vulnerability in their Compact GuardLogix 5370 product.

Rockwell Advisory #2 - Rockwell published an advisory that describes two vulnerabilities in their 1715 EtherNet/IP Comms Module.

Schneider Advisory - Schneider published an advisory that describes an allocation of resources without limits or throttling vulnerability in their EcoStruxure OPC UA Server Expert and EcoStruxure Modicon Communication Server products.

Sick Advisory #1 - Sick published an advisory that describes 18 vulnerabilities in their Enterprise Analytics and Logistic Analytics products.

Sick Advisory #2 - Sick published an advisory that discusses 28 vulnerabilities in their Endress+Hauser SSG-E210GC. These are third-party vulnerabilities.

Supermicro Advisory - Supermicro published an advisory that discusses an improper access control vulnerability.

Westermo Advisory #1 - Westermo published an advisory that describes a cleartext transmission of sensitive information vulnerability in their RADIUS Server Groups.

Westermo Advisory #2 - Westermo published an advisory that describes a cleartext transmission of sensitive information in their WeOS 5.

Westermo Advisory #3 - Westermo published an advisory that describes an improper restriction of communications channel to expected endpoints vulnerability in their WeOS 5.

Bulk Updates

Schneider

Multiple Altivar Process Drives and Communication Modules,

Modicon Controllers M241 / M251, M258 / LMC058 and M262,

Modicon M241 / M251 / M258 / LMC058,

FlexNet Publisher Vulnerability, and

Modicon Controllers M241 / M251 / M258 / LMC058

Siemens

Vulnerability in Nozomi Guardian/CMC on RUGGEDCOM APE1808 Devices,

Open Redirect Vulnerability in SIMATIC S7-1500 and S7-1200 CPUs,

Multiple Vulnerabilities in User Management Component (UMC),

Deserialization Vulnerability in Siemens Engineering Platforms,

Denial of Service Vulnerabilities in User Management Component (UMC),

Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices,

Deserialization Vulnerability in Siemens Engineering Platforms,

Buffer Overflow Vulnerability in RUGGEDCOM ROS Devices,

Improper Integrity Check of Firmware Updates in SiPass integrated AC5102 / ACC-G2 and ACC-AP,

DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery,

Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1,

XML External Entity (XXE) Injection Vulnerability in SIMOTION SCOUT,

Multiple Vulnerabilities in RUGGEDCOM ROS Devices,

Unauthenticated Information Disclosure in Web Server of SIMATIC S7-1500 CPUs, and

Heap-based Buffer Overflow Vulnerability in User Management Component (UMC).

Updates

B&R Update - B&R published an update for their System Diagnostic Manager advisory that was originally published on October 7th, 2025.

CODESYS Update - CODESYS published an update for their Control V3 advisory that was originally published on August 4th, 2025, and most recently updated on September 1st, 2025.

HP Update - HP published an update for their Intel 2024.3 IPU advisory that was originally published on October 24th, 2024, and most recently updated on March 31st, 2025.

Researcher Reports

Red Lion Report - Claroty published a report describing two vulnerabilities in the Red Lion Sixnet RTUs.

Ilevia Reports - Zero Science published four reports describing vulnerabilities in the Ilevia EVE X1 Server. The reports include links to exploits.

 

For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-568 - subscription required.

Saturday, October 18, 2025

Review - Bills Introduced – 10-17-25

Yesterday with the House meeting in pro forma session and the Senate home for the weekend, there were 41 bills introduced. One of those bills will receive additional coverage in this blog:

HR 5770 To establish biotechnology workforce training programs for Department of Defense personnel, and for other purposes. Houlahan, Chrissy [Rep.-D-PA-6]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, including a mention in passing of a resolution honoring the WHMU, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-10-17-25 - subscription required.

Review – Public ICS Disclosures – Week of 10-11-25 – Part 1

This week is a relatively light disclosure week. For Part 1 we have 35 bulk disclosures from Broadcom (8), Dassault Systems (5), FortiGuard (17), and HPE (5). We have 10 additional vendor disclosures from Bosch (2), Delta Electronics, Eaton, HP (3), Moxa, Murrelektronik, and Philips.

Bulk Disclosures

Broadcom Advisories

Brocade ASCG Vulnerability Disclosures,

jwt-go allows excessive memory allocation during header parsing,

Rocky Linux Updates in ASCG 3.3.0a (OVA),

eventlet before 0.35.2 as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution,

Libexpat: expat: improper restriction of xml entity expansion depth in libexpat,

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing,

Certifi Vulnerable to Insufficient Verification of Data Authenticity via GlobalTrust Root Certificate, and

Kernel OVA security updates in ASCG 3.3.0a

Dassault Advisories

Stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer,

OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform,

Stored Cross-site Scripting (XSS) vulnerability affecting 3DSearch in 3DSwymer,

Stored Cross-site Scripting (XSS) vulnerability affecting Issue Management in ENOVIA Collaborative Industry Innovator, and

Stored Cross-site Scripting (XSS) vulnerability affecting Specification Management in ENOVIA Specification Manager

FortiGuard Advisories

Authenticated Heap Overflow in SSL-VPN bookmarks,

Domain fronting protection bypass in explicit web proxy,

FGFM protocol allows unauthenticated reset of the connection,

Heap Overflow in fgfmsd,

Heap buffer overflow in websocket,

Improper authorization over static files,

Insertion of Sensitive 2FA Information in logs and debug command,

Insertion of Sensitive Information Into Sent Data Vulnerability in csfd daemon,

Insufficient Session Expiration in SSLVPN using SAML authentication,

Missing authentication check in OFTP service,

Multiple Unchecked Return Value leading to Null Pointer Dereference,

Open Redirect and XSS in Web Filter warning page,

Race condition in FortiCloud SSO SAML authentication,

Restricted CLI command bypass,

Stack-based buffer overflow on fortitoken import feature,

Weak authentication in WAD/GUI, and

ZTNA Server Improper Certificate Validation

HPE Advisories

HPESBNW04958 rev.1 - HPE Aruba Networking AOS-8 Instant AP and AOS-10 AP, Multiple Vulnerabilities,

HPESBNW04957 rev.1 - HPE Aruba Networking AOS-10 and AOS-8 Mobility Conductor, Controllers, and Gateways, Multiple Vulnerabilities,

HPESBHF04956 rev.1 - Certain HPE ProLiant AMD Servers Using Certain AMD EPYC Processors, AMD-SB-3020: SEV-SNP RMP Initialization Vulnerability, Local Unauthorized Access Vulnerability,

HPESBHF04952 rev.1 - HPE ProLiant RL300 Gen11 Server, Out-of-Bound Reads Vulnerability, and

HPESBHF04954 rev.1 - HPE Compute Scale-up Server 3200 Platform and Superdome Flex 280 servers, Security Bypass Vulnerability

Advisories

Bosch Advisory #1 - Bosch published an advisory that describes three vulnerabilities in their ctrlX OS Setup application.

Bosch Advisory #2 - Bosch published an advisory that discusses an allocation of resources without limits or throttling vulnerability in their Rexroth Fieldbus Couplers.

Delta Advisory - Delta published an advisory that describes two stack-based buffer overflow vulnerabilities in their ASDA-Soft product.

Eaton Advisory - Eaton published an advisory that describes an uncontrolled search path vulnerability in their Intelligent Power Protector (IPP) software.

HP Advisory #1 - HP published an advisory that discusses three vulnerabilities in multiple HP product lines.

HP Advisory #2 - HP published an advisory that discusses two incorrect privilege assignment vulnerabilities in multiple product lines using Sound Research SECOMN64 driver.

HP Advisory #3 - HP published an advisory that discusses an improper access control for register interface vulnerability in multiple HP product lines.

Moxa Advisory - Moxa published an advisory that describes five vulnerabilities in their Network Security Appliances and Routers.

Murrelektronik Advisory - CERT-VDE published an advisory that describes a clear-text transmission of sensitive information vulnerability in the Murrelektronik IMPACT67 Pro products.

Philips Advisory - Philips published an advisory that discusses CISA Emergency Directive 26-01.

 

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-74f - subscription required.
 