Wednesday, December 24, 2025

Short Takes – 12-24-25

Civil Monetary Penalty Adjustments for Inflation. Federal Register CG & TSA final rule. Summary: “On January 2, 2025, DHS adjusted for inflation its civil monetary penalties for 2025, in accordance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 and Executive Office of the President (EOP) Office of Management and Budget (OMB) guidance. The new penalty amounts were effective for penalties assessed after January 2, 2025, whose associated violations occurred after November 2, 2015. DHS is making a technical amendment to the Code of Federal Regulations to make several clerical revisions to the codified 2025 penalty amounts.” Effective date: December 29th, 2025.

TUESDAY MEASLES UPDATE: DPH Reports Nine New Measles Cases in Upstate, Bringing Outbreak total to 153. DPH.SC.gov press release. Pull quote: “The South Carolina Department of Public Health (DPH) is reporting 9 new cases of measles in the state since Friday, bringing the total number of cases in South Carolina related to the Upstate outbreak to 153 and the total number reported to DPH this year to 156.”

Here's Where Measles Case Counts Are Highest. MedPageToday.com article. Pull quote: “A large measles outbreak began in West Texas on Jan. 20, 2025 and was declared over in August. But scientists are studying whether the D8-9171 measles strains circulating in Utah and Arizona are related to that outbreak, according to the Yale report.”

Weapons maker says it's seeing surging European interest in new kits that turn machine guns into drone-killers. BusinessInsider.com article. Pull quote: “When activated, the system lets a soldier hold down the trigger while Arbel automatically releases rounds at the moments they're most likely to hit the target. It can bring down drones at roughly 450 meters in daylight and 200 meters at night.”

Capturing Rogue Drones. HomelandSecurityNewswire.com article. Pull quote: “Also newly integrated is an in-house target acquisition system. It relies on LiDAR sensors to detect a potential target object, after which a camera uses AI to verify it. “This ensures that the object really is a drone and not, for instance, a bird,” Rothe adds.”

NIST, MITRE announce $20 million research effort on AI cybersecurity. CyberScoop.com article. Pull quote: “But in order to help, Barlet said that NIST and the government must ensure those sectors have a meaningful seat at the table and can translate any research insights into workable solutions. Getting those parties on board will be crucial because, he said, those are the people “who will be answering to Congress if something goes wrong, not the AI developers.””

AI Is About to Transform Nuclear Energy, and the United States Isn’t Ready. NationalInterest.com article. Pull quote: “I work at the intersection of nuclear regulation, international trade controls, and the emerging advanced-reactor industry. And in that space I can attest that the convergence of nuclear and AI is no longer theoretical—it is the daily reality of developers, government partners, and defense planners. The most sophisticated advanced reactor companies already treat software and data as core components of their safety and engineering philosophy. Cloud-native modeling environments, AI-assisted design optimization tools, automated supply chain verification systems, and data-rich remote operations platforms are now embedded in the DNA of the new generation of reactors and the companies that are developing them. And it has implications for all levels of regulation of the nuclear energy industry.”

COVID Vaccines Slashed Kids’ ER Visits by 76 Percent, Study Finds. ScientificAmerican.com article. Pull quote: “The new study [link added] looked at a period spanning from August 29, 2024, through September 2, 2025, across nine states. During that time, about 38,000 children were hospitalized with COVID—a rate of about 53 per 100,000. The highest rate was in children younger than six months old, of whom 600 per 100,000 were hospitalized. Children under six months of age are too young to get vaccinated, but vaccination during pregnancy provides some protection for those first six months.”

‘Ghost Fire’ in Marshes Sparked by Strange Chemistry. ScientificAmerican.com article. Pull quote: “Now a paper published in the Proceedings of the National Academy of Sciences USA seems to provide an answer: microlightning, or tiny, spontaneous sparks of electricity that occur because of differences in charge on water droplets’ surfaces. These droplets form when water bubbles containing methane rise and burst at the surface of the marsh, and the resulting sparks ignite the methane to create will-o’-the-wisps’ telltale luminescence.”

Backlog List – Medical

First Documented Death From Meat Allergy Tied to Tick Bite,

Why ‘subclade K’ could make for a nasty flu season,

What to Know About the H3N2 Flu Strain That Has Experts Concerned,

Measles cases surge as deaths decline globally: WHO,

Bats might be the next bird flu wild card, and

Hundreds quarantined as South Carolina measles outbreak accelerates.

Review – CSB Publishes Interim Recommendations in Coke Explosion Investigation

Yesterday the Chemical Safety Board (CSB) announced that they were taking the unusual step of publishing two safety recommendations relatively early in their investigation of the fatal explosion and fire at the U.S. Steel Clairton Coke Works on August 11th, 2025. The CSB published an initial description of the incident on September 29th, 2025. The final report on this investigation, when completed, may contain additional recommendations.

Yesterday’s action brings the total number of CSB incident investigation recommendations to 1027, with 121 recommendations still open. Currently there are nine open CSB investigations, including the Coke Works inquiry.

 

For more information on yesterday’s announcement, the recommendations, and the reason for issuing these interim recommendations, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-interim-recommendations - subscription required.

Tuesday, December 23, 2025

Review - HR 6429 Introduced – Diverse Cybersecurity Workforce

Earlier this month, Rep Brown (D,OH) introduced HR 6429, the Expanding Cybersecurity Workforce Act of 2025. The bill would require CISA to establish, within their current Cybersecurity Education and Training Assistance Program (CETAP), a new program to promote the cybersecurity field to disadvantaged communities. It would authorize $20 million per year through 2030 to support the program.

HR 6429 is essentially the same as HR 8469, the Diverse Cybersecurity Workforce Act of 2024, that was introduced by Brown in May 2024. No additional actions were taken on that bill in the 118th Congress.

Moving Forward

While Brown is not a member of the House Homeland Security Committee to which this bill was assigned for consideration, five of her 29 cosponsors {Ranking Member Thompson (D,MS), Rep Goldman (D,NY), Rep Ramirez (D,IL), Rep Johnson (D,TX), Rep Carter (D,LA)} are members. This means that there may be sufficient influence to see the bill considered in Committee. However, the lack of any Republican cosponsor (because this is, after all, a diversity program), combined with the addition of a new program to CISA’s workforce development slate, means that the legislation will have a hard time getting enough support from committee Republicans to move the bill to the floor of the House under the suspension of the rules process.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6429-introduced-diverse-cybersecurity - subscription required.

Review – 1 Update Published – 12-23-25

Today CISA’s NCCIC-ICS published an update for an advisory for products from Mitsubishi.

Advisories

Mitsubishi Update - This update provides additional information on the Air Conditioning Systems advisory that was originally published on June 26th, 2025, and most recently updated on August 21st, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-update-published-12-23-25 - subscription required.

Short Takes – 12-23-25 – Federal Register Edition

Security Zones; Vessels Carrying Dangerous Cargo, Corpus Christi and La Quinta Ship Channels, Corpus Christi, TX. Federal Register CG notice of proposed rulemaking. Summary: “The Coast Guard is proposing to establish a security zone around vessels carrying Certain Dangerous Cargos (CDCs), for which the Captain of the Port, Corpus Christi deems enhanced security measures are necessary on a case-by-case basis. This security zone is needed to safeguard these vessels, the public, and the surrounding area from sabotage or other subversive acts, accidents, or other events of a similar nature. We invite your comments on this proposed rulemaking.” Comments due January 22nd, 2026.

Petition To Delist Hazardous Air Pollutant: 2-Butoxyethyl Benzoate (2-BEB). Federal Register EPA notice of proposed rulemaking. Summary: “The U.S. Environmental Protection Agency (EPA or Agency) is proposing to grant a petition to remove 2-Butoxyethyl benzoate (2-BEB) (Chemical Abstract Service (CAS) No. 5451-76-3) from the glycol ethers category in the list of hazardous air pollutants (HAP) in Clean Air Act (CAA). The EPA proposes to find that there are adequate data on the health or environmental effects of 2-BEB to support the request for removal. This action also details a streamlined approach to the review process of future petitions.” Comments due February 20, 2026.

EO 14368 - Adjustments of Certain Rates of Pay. Federal Register.

EO 14369 - Ensuring American Space Superiority. Federal Register.

EO 14370 - Increasing Medical Marijuana and Cannabidiol Research. Federal Register.

EO 14371 - Providing for the Closing of Executive Departments and Agencies of the Federal Government on December 24, 2025, and December 26, 2025. Federal Register.

BIS Withdraws Rare Earths Export IFR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the DOC’s Bureau of Industry and Security (BIS) had withdrawn their interim final rule (IFR) on “Revisions to the Export Administration Regulations: Rare Earth Minerals and Strategic Metals”. The IFR was sent to OIRA on July 10th, 2025.

According to the Spring 2025 Unified Agenda Entry for this rulemaking:

“This rule makes revisions to the Export Administration Regulations (EAR) for certain rare earth minerals and strategic metals.”

That description of the purpose of the rulemaking is way short on details, but I would assume that it was part and parcel of the Administration’s on-again, off-again disagreement with the Chinese about trade in rare earth materials. This follows a November BIS suspension of an entities list IFR that impacted Chinese trade.

OMB Approves BIS Drone Export IFR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an interim final rule (IFR) from the DOC’s Bureau of Industry and Security on “Streamlining Export Controls for Drone Exports”. The IFR was sent to OIRA on August 21st, 2025. This rulemaking was not reported in the Spring 2025 Unified Agenda.

I will probably not be covering this IFR in any detail when it is published, probably after Christmas, in the Federal Register. I will at least note the publication in the appropriate Short Takes post.

CISA Adds Digiever Vulnerability to KEV Catalog – 12-22-25

Yesterday CISA announced that it had added a missing authorization vulnerability in the Digiever DS-2105 Pro, a Linux-embedded standalone NVR, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was first reported by Ta-Lun Yen of TXOne Research in 2023. At that time Digiever reported that the DS-2105 Pro had been end-of-life for five years and that no fix was planned. Akamai reported in 2024 that they had spotted the vulnerability being exploited in their honeypots in November 2024, and that it was being actively exploited to spread Mirai variant malware. The TXOne report includes generic mitigation measures that may be applicable.

CISA has notified federal agencies using the DS-2105 Pro to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of January 12th, 2025 has been set to accomplish those actions.

Monday, December 22, 2025

Review – S 3068 Introduced – AG Right-to-Repair

Sen Welch (D,VT) introduced S 3068, the Freedom for Agricultural Repair and Maintenance (FARM) Act. The bill would require covered original equipment manufacturers (OEMs) to make available any documentation, part, software, firmware, or tool intended for use in order to diagnose, maintain, upgrade, reprogram, or repair farm equipment. It would also require OEMs to make available to owners any farm equipment data generated by the farm equipment of the owner. No new funding is authorized by this bill.

The bill is very similar to HR 5604, the Agricultural Right to Repair Act, introduced by Rep Perez (D,WA) in September 2023. No action was taken on that bill in the 118th Congress. Most of the differences between the two bills are editorial. The major changes in S 3068 include:

Removing the definition of the ‘embedded software’,

Adding the definition of ‘maintenance’, and

Adding additional enforcement authority for the FTC.

Moving Forward

While Welch is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration, one of his two cosponsors, Sen Fetterman (D,OH), is a member. This means that there may be sufficient influence to see the bill considered in Committee. I suspect, however, that there will be substantial opposition to this bill among the Republican members of the Committee, so the bill will not likely be taken up by the Committee.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3068-introduced-ag-right-to-repair - subscription required.

S 2983 Introduced – Cyber Info Sharing

Back in October Sen Peters (D,MI) introduced S 2983, the Extending Expired Cybersecurity Authorities Act. The bill would extend the Cybersecurity Information Sharing Act through September 30th, 2035. It would also revise the title of that act to read “Protecting America from Cyber Threats Act”.

One provision of this short bill will no longer be necessary. Section 2(b) would make the extension retroactive to October 1st, 2025. When this bill was written the Cybersecurity Information Sharing Act had expired on September 30th. Section 149 of the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026 (PL 119-37) extended this authority until January 30th, 2026.

Moving Forward

Peters is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee to which this bill would normally have been assigned for consideration. Instead, this bill was placed directly on the Senate Legislative Calendar under General Orders, Calendar No. 182. This means that the bill could be called up at any time for consideration by the full Senate. Still, the impetus for early consideration of the bill has eased, and it is not likely to be considered until after January 30th. Of course, if a spending bill or yet another continuing resolution further extends the 6 USC 1510(a) termination date (Note: this version of the section still has not been updated for PL 119-37), then there will be little political pressure to take up this bill.

Sunday, December 21, 2025

Review – HR 4344 Introduced – Resilient PNT Demonstration

Back in July Rep Mullin (D,CA) introduced HR 4344, the Resilient Low Earth Orbit Positioning, Navigation, and Timing (Resilient LEO PNT) Act. The bill would require the Department of the Air Force (DAF) to “carry out a capability demonstration project, to be known as the “Commercial Low Earth Orbit Resilient Positioning, Navigation, and Timing Capability Demonstration””. The “Pathfinder Program” would be conducted subject to the availability of appropriations, effectively passing the spending authorization requirement to the appropriations committees.

I can find no bills in the 118th Congress that look to be similar to HR 4344. ‘Positioning, navigation and timing’ topics are of interest here because of the use of the ‘timing’ feature in these systems by a number of SCADA systems to coordinate operations at disparate locations.

Moving Forward

While Mullin is not a member of the House Armed Services Committee to which this bill was assigned for consideration, one of his two cosponsors, Rep Wittman (R,VA), is a member. This means that there may be sufficient influence to see this bill considered in committee. Lacking any specific funding authorization, I see nothing in this bill that would engender any organized opposition. Having said that, I also suspect that there could still be some resistance to supporting a bill that would potentially cost an unspecified, but significant, amount of money. Still, I would suspect that there would be some level of bipartisan support for this bill were it to be considered.

Commentary

The ability to ‘restore service’ in a timely manner is going to be an increasing requirement for DOD satellite services. This means that the vendor is going to need to demonstrate the capability to launch replacement satellites on a near demand basis. Depending on the size and weight of the satellite, there are an increasing number of launch providers that could provide relatively quick response launch capabilities. This also means that the PNT service provider is probably going to have to have some number of satellites on hand, available to launch and activate when needed.

 

For more information on the provisions of this bill, including additional commentary on satellite resiliency, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4344-introduced-resilient-pnt - subscription required.

Saturday, December 20, 2025

Chemical Incident Reporting – Week of 12-13-25

NOTE: See here for series background.

La Porte, TX – 12-9-25

Local News Report: Here, here, and here.

There was a fire at a chemical manufacturing facility. There were no reports of injuries or description of damages.

Not CSB reportable.

 

PHMSA Sends Spacecraft HAZMAT ANPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an advanced notice of proposed rulemaking from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) on “Hazardous Materials: Modernizing Regulations to Facilitate Transportation of Spacecraft and Space Related Hazardous Materials”.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“In this rulemaking, PHMSA would amend the Hazardous Materials Regulations (HMR) to modernize and streamline the HMR, where necessary, to facilitate the transportation of hazardous materials involved in U.S. space operations. PHMSA will aim to identify problems and friction with the current regulatory scheme and potentially reduce burdens on both PHMSA and the regulated community while advancing U.S. interests in the space industry. PHMSA would coordinate closely with its interagency partners (Department of Defense, National Aeronautics and Space Administration, etc.) and its modal partners (Federal Aviation Administration, Federal Motor Carrier Safety Administration, Federal Railroad Administration, and U.S. Coast Guard) to ensure a comprehensive approach that allows for the seamless movement of goods across multiple modes of transport while allowing for the specific needs of each mode to be safely addressed.”

Review – Public ICS Disclosures – Week of 12-13-25

This week we have 11 vendor disclosures from Broadcom, HP, HPE (3), Inaba Denki Sangyo, Moxa, Phoenix Contact, and Western Digital (3). There are three vendor updates from Cisco, HPE, and Mitsubishi. There are also four researcher reports about vulnerabilities in products from Grassroot (3) and Sante. Finally, we have an exploit for products from Ilevia.

Advisories

Broadcom Advisory - Broadcom published an advisory that discusses the Meta RSC vulnerability that is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

HP Advisory - HP published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Poly Video product line.

HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities (one with publicly available exploits) in their Unified OSS Console Assurance Monitoring product.

HPE Advisory #2 - HPE published an advisory that discusses three vulnerabilities (one with publicly available exploits) in their Telco Service Activator products.

HPE Advisory #3 - HPE published an advisory that describes a code injection vulnerability in their OneView software.

Inaba Advisory - JP-CERT published an advisory that describes three vulnerabilities in the Inaba CHOCO TEI WATCHER mini.

Moxa Advisory - Moxa published an advisory that describes a weak SSH algorithms supported vulnerability in their EDS-510E Series products.

Phoenix Contact Advisory - Phoenix Contact published an advisory that describes 15 vulnerabilities in their FL SWITCH 2xxx family.

Western Digital Advisory #1 - Western Digital published an advisory that discusses a detection of error condition without action vulnerability in their My Cloud OS 5 product.

Western Digital Advisory #2 - Western Digital published an advisory that describes a DLL hijacking vulnerability in their WD Discovery product.

Western Digital Advisory #3 - Western Digital published an advisory that discusses a detection of error condition without action vulnerability in their My Cloud Home and My Cloud Home Duo products.

Updates

Cisco Update - Cisco published an update for their REACT server advisory that was originally published on December 4th, 2025, and most recently updated on December 11th, 2025.

HPE Update - HPE published an update for their Compute Scale-up Server 3200 Platform advisory that was originally published on October 13, 2025.

Mitsubishi Update - Mitsubishi published an update for their MELSOFT Update Manager advisory that was originally published on July 3rd, 2025.

Researcher Reports

Grassroot Reports - Cisco Talos published three reports describing four vulnerabilities in the Grassroots DICOM product.

Sante Report - The Zero Day Initiative published a report describing a NULL pointer dereference vulnerability in the Sante PACS server.

Exploits

Ilevia Exploit - Indoushka published an exploit for an OS command injection vulnerability in the Ilevia EVE X1 Server.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-d12 - subscription required.

Friday, December 19, 2025

CISA Adds WatchGuard Vulnerability to the KEV Catalog – 12-29-25

Today CISA announced that it had added an out-of-bounds write vulnerability in the WatchGuard Firebox to their Known Exploited Vulnerabilities (KEV) catalog. WatchGuard published their advisory for the vulnerability yesterday, and updated that advisory with indicators of exploit information. WatchGuard has new versions that mitigate the vulnerability.

CISA has directed federal agencies that use the affected devices to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. A deadline was set for December 26th, 2025, to accomplish those actions.

Review – Bills Introduced – 12-18-25

Yesterday, with both the House and Senate in their last day in Washington for 2025, there were 116 bills introduced. One of those bills will receive additional coverage in this blog:

HR 6846 To amend the Homeland Security Act of 2002 to require the Secretary of Homeland Security to conduct annual assessments on terrorism threats to the United States relating to the malicious use of unmanned aircraft systems by covered foreign adversaries, including terrorist organizations, and for other purposes. Crane, Elijah [Rep.-R-AZ-2]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill to require DOE to produce a national threat assessment, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-18-25 - subscription required.

S 2866 Sponsor Added – Ag Cybersecurity

Last week two cosponsors were added to S 2866, the Cybersecurity in Agriculture Act of 2025. One, Sen Schiff (D,CA), is a member of the Senate Agriculture, Nutrition, and Forestry Committee to which this bill was assigned for consideration. This means that there may now be enough influence to see the bill considered in Committee. It also increases the chance that this language could be added to an agriculture authorization bill.

The bill would require the National Institute of Food and Agriculture (NIFA) to establish five Regional Agriculture Cybersecurity Centers (RACC) to carry out research, development, and education on agriculture cybersecurity. The bill would amend the National Agricultural Research, Extension, and Teaching Policy Act of 1977, adding a new §1473I. The bill would authorize $25 million in annual spending to support the Centers through 2030.

The money authorized in this bill continues to be a major drawback to its consideration in this Congress.

Review – HR 3207 Introduced – UAS Counter Measures for Public Gatherings

Back in May Rep Steube (R,FL) introduced HR 6207, the Disabling Enemy Flight Entry and Neutralizing Suspect Equipment (DEFENSE) Act. The bill would amend 6 USC 124n, adding a new subsection (m), Stadium Security. It would authorize DHS and DOJ to deputize a State or local law enforcement officer to exercise the authority granted by §124n(a) with respect to large public gatherings. No new funding is authorized by this bill.

Moving Forward

While Steube is not a member of the House Judiciary Committee to which this bill was assigned primary consideration, one of his cosponsors, Rep Correa (R,CA), is a member. This means that there may be sufficient influence to see the bill considered in that committee. Additionally, one cosponsor, Rep Titus (D,NV), is a member of the House Transportation and Infrastructure Committee to which this bill was assigned for secondary consideration. This means that there is similar possibility for consideration in that committee.

I suspect that there will be a tendency in the leadership of the Judiciary Committee to decide that the current authority under §124n for DHS should be sufficient to protect such venues with dedicated DHS oversight, absent any specific information about actionable intelligence about any widespread terrorist threat against such gatherings. This is due to the broad exemptions provided in the opening sentence of subsection (a) to a variety of federal statutes that would have to be violated to identify, track and/or take any action against unmanned aircraft systems (UAS). Until a workable way to modify those statutes to allow actions against unauthorized or unsafe UAS is developed, there is going to be continued reluctance to expand counter UAS (cUAS) authorities.

 

For more information about the provisions of this bill, including a commentary about the lack of a Homeland Security Committee referral, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3207-introduced-uas-counter-measures - subscription required.

Thursday, December 18, 2025

Senate Passed S 1071 – FY 2026 NDAA

Yesterday, the last day of business in 2025, the Senate finished their consideration of S 1071, the FY 2026 National Defense Authorization Act (NDAA). The bill passed by a bipartisan vote of 77 to 20. While there had been concerns about some Republicans supporting the bill, in the final vote Democratic no votes outnumbered GOP no votes 18 to 2. This evening the President signed the bill into law.

Review – 8 Advisories and 1 Update Published – 12-18-25

Today CISA’s NCCIC-ICS published eight control system security advisories for products from Axis Communications, Rockwell Automation, Advantech, Siemens, Mitsubishi Electric, National Instruments, Schneider Electric, and Inductive Automation. They also updated an advisory for products from Mitsubishi.

Advisories

Axis Advisory - This advisory describes four vulnerabilities in multiple Axis surveillance products.

Rockwell Advisory - This advisory describes two vulnerabilities in the Rockwell Micro8xx PLCs.

Advantech Advisory - This advisory describes five vulnerabilities in the Advantech WebAccess/SCADA product.

Siemens Advisory - This advisory describes an improper verification of source of a communications channel vulnerability in the Siemens Interniche IP-Stack used in a wide range of Siemens products.

NOTE: I briefly mentioned this vulnerability on December 14th, 2025.

Mitsubishi Advisory - This advisory describes an OS command injection vulnerability in multiple Mitsubishi Electric Iconics Digital Solutions products.

NI Advisory - This advisory describes nine vulnerabilities in the NI LabView product.

Schneider Advisory - This advisory discusses a deserialization of untrusted data vulnerability in the Schneider EcoStruxure Foxboro DCS Advisor.

NOTE: I briefly discussed this vulnerability on December 14th, 2025.

Inductive Advisory - This advisory describes an execution with unnecessary privileges vulnerability in the Inductive Ignition product.

Updates

Mitsubishi Update - This update provides additional information on the CNC Series advisory that was originally published on October 17th, 2024, and most recently updated on March 18th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-and-1-update-published-f72 - subscription required.

Short Takes – 12-18-25 – Federal Register Edition

Notice of Record of Decision for the Environmental Impact Statement for SpaceX Starship-Super Heavy at Cape Canaveral Space Force Station, Florida. Federal Register Dept of Air Force record of decision. Summary: “The DAF has decided to allow SpaceX to redevelop Space Launch Complex (SLC)-37 at CCSFS for Starship-Super Heavy launch and landing operations. Upon execution of the real property agreement and associated documentation, as analyzed in the Final EIS and while adhering to the mitigation measures identified, SpaceX is authorized to: (1) undertake construction activities necessary to redevelop SLC-37 and associated infrastructure for Starship-Super Heavy operations; (2) conduct prelaunch operations, including the transportation of launch vehicle components and static fire tests; and (3) conduct up to 76 launches and 152 landings annually, once a supplemental analysis of airspace impacts by the Federal Aviation Administration (FAA) is completed. The DAF will assess the airspace analysis conducted by the FAA and finalize a revised ROD prior to Starship-Super Heavy launches or landings occurring at CCSFS.”

Implementation of the Executive Order Entitled “Zero-Based Regulatory Budgeting To Unleash American Energy”; Partial Recission. Federal Register FERC direct final rule. Summary: “The Commission received a significant adverse comment on the amendment to insert a conditional sunset provision in 18 CFR 2.27 (Availability of North American Energy Standards Board (NAESB) Smart Grid Standards as non-mandatory guidance); therefore, the Commission is rescinding that amendment to 18 CFR 2.27.”

NASA Astronaut Candidate Selection (ASCAN) Qualifications Inquiry. Federal Register NASA 60-day ICR renewal notice. Summary: “This collection of information supports the National Aeronautics and Space Act of 1958, as amended, to create opportunities to improve processes associated with the evaluation and selection of individuals to participate in the NASA Astronaut Candidate Selection Program. The NASA Astronaut Selection Office (ASO) located at the Lyndon B. Johnson Space Center (JSC) in Houston, Texas is responsible for selecting astronauts for the various United States Space Exploration programs. In evaluating an applicant for the Astronaut Candidate Program, it is important that the ASO have the benefit of qualitative and quantitative information and recommendations from persons who have been directly associated with the applicant over the course of their career.” Comments due February 17th, 2026.

EO 14367 - Designating Fentanyl as a Weapon of Mass Destruction. Federal Register.

CISA Adds SonicWall Vulnerability to KEV Catalog – 12-17-25

Yesterday CISA announced that it had added a missing authorization vulnerability in the SonicWall SMA product to their Known Exploited Vulnerabilities (KEV) catalog. SonicWall issued their advisory on this vulnerability yesterday. They note that the vulnerability was reported by Clément Lecigne and Zander Work of Google Threat Intelligence Group. That advisory also reports that two other unpatched vulnerabilities are necessary for exploitation of the missing authorization vulnerability by unauthorized actors. SonicWall has a new platform hotfix that mitigates this vulnerability.

CISA has required all federal agencies utilizing this SonicWall product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable”. The deadline for those actions is December 24th, 2025.

Wednesday, December 17, 2025

CSB Provides Update on the Austin Powder Investigations – 12-17-25

This morning the Chemical Safety Board published an update on their investigation into two NOx releases at Austin Powder facilities in Ohio and Tennessee. The update provides a brief description of both release incidents and outlines the ongoing work being done to determine the root cause of the releases.

CISA Adds FortiGuard Vulnerability to KEV Catalog – 12-16-25

Yesterday CISA announced that they had added an improper verification of cryptographic signature vulnerability in multiple FortiGuard products to their Known Exploited Vulnerabilities (KEV) catalog. FortiGuard previously disclosed the vulnerability along with mitigation measures and new versions that fixed the vulnerability. Three days later Arctic Wolf reported exploits of the vulnerability (along with a related improper verification vulnerability that has not yet been added to the KEV catalog) in the wild.

CISA had directed federal agencies using the affected FortiGuard products to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. A deadline of December 23rd, 2025 has been provided for those actions.

Review – Bills Introduced – 12-15-25

On Monday, with both the House and Senate in session, there were 44 bills introduced. This post is a day late because of a delay in publishing the listing of 25 of the 28 bills introduced in the House on December 15th. One of those bills may receive additional attention in this blog:

S 3481 A bill to expand the authority to use counter-unmanned aircraft system technologies to State, local, Tribal, and territorial law enforcement and correctional agencies, and for other purposes. Peters, Gary C. [Sen.-D-MI]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a brief mention in passing about a national counterterrorism strategy for schools bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-15-25 - subscription required.

Tuesday, December 16, 2025

Reader Comment – API & ASME CSB Responses

Yesterday William Sommer, MBA, PE left a comment on LinkedIn on my note about my blog post on the CSB’s video on the Yenkin-Majestic Resin Plant Vapor Cloud Explosion and Fire. He asked:

“I was struck by one of the recommendations for the API and ASME to provide design, construction, alteration guidance for low pressure vessels in flammable or highly hazardous chemical service: Does anyone know status and where to find?”

I have no insight into the status of the development of the design criteria within the American Petroleum Institute (API) and the American Society of Mechanical Engineers (ASME). I can, however, provide a little more information on the CSB’s take on the status of these recommendations; the data comes from the CSB’s Recommendations Statistics page and the September 23rd, 2025, downloadable spreadsheet on that page. Both recommendations were issued on November 30th, 2023. The table below summarizes the pertinent data about the two recommendations.

 

 

The text of the API recommendation:

“Develop specific design, construction, and alteration guidance for low-pressure process vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig in API 510 Pressure Vessel Inspection Code, API RP 572 Inspection Practices for Pressure Vessels, and/or other appropriate products. At a minimum, include guidance for:  (i) determining and documenting the low-pressure vessel’s design pressure (such as through a data sheet and a nameplate affixed to the vessel); (ii) determining when or if all or parts of the ASME Boiler and Pressure Vessel Code should be applied; (iii) acceptable alternative engineering methods, if applicable; and, (iv) alteration requirements, such as design assessments, inspections, and pressure testing.”

The text of the supporting ASME recommendation:

“Assist API in developing design, construction, and alteration guidance for low-pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig. If any new design and construction guidance is specifically developed for pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig, reference the design and construction guidance in the Section VIII, Division 1 of the ASME Boiler and Pressure Vessel Code (BPVC).”

Even with a reasonable degree of consensus on the need for standards changes, it takes some time to develop, write and reach consensus on these sorts of things. It does seem to me that two years is not an unreasonable amount of time to be working on such a standard.

If anyone has any information on if/how progress is being made within API or ASME, please let me know.

Review – 4 Advisories and 3 Updates Published – 12-16-25

Today CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, Hitachi Energy, Johnson Controls, and Güralp Systems. They also updated advisories for products from Fuji Electric, Johnson Controls, and Mitsubishi Electric.

Advisories

Mitsubishi Advisory - This advisory describes a cleartext storage of sensitive information vulnerability in the Mitsubishi GT Designer3 products.

Hitachi Energy Advisory - This advisory discusses the BlastRadius-Fail vulnerability.

NOTE: I briefly discussed this vulnerability on November 1st, 2025.

Johnson Controls Advisory - This advisory describes four vulnerabilities in the Johnson Controls PowerG, IQPanel and IQHub products.

Güralp Advisory - This advisory describes an allocation of resources without limit or throttling vulnerability in the Güralp Fortimus, Minimus, and Certimus product series.

Updates

Fuji Update - This update provides additional information on the Fuji Monitouch V-SFT-6 advisory that was originally published on November 4th, 2025.

Johnson Controls Update - This update provides additional information on the Johnson Controls iSTAR Ultra advisory that was originally published on August 12th, 2025.

Mitsubishi Update - This update provides additional information on the Mitsubishi GENESIS advisory that was originally published on May 20th, 2025, and most recently updated on August 28th, 2025.

I briefly discussed this update on August 9th, 2025.


For more information on these advisories, including a brief description of the CISA advisory format change, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-3-updates-published - subscription required.

Review - HR 3435 Introduced – Federal Cyber Workforce Training

Back in May Rep Fallon (R,TX) introduced HR 3435, the Federal Cyber Workforce Training Act of 2025. The bill would require the National Cyber Director to formulate a plan for the establishment of a federal cyber training institute. It does not authorize the actual establishment of the institute; that would require subsequent legislation. The bill specifically does not authorize new spending.

This bill is essentially the same as HR 9520 that was introduced by Fallon in September 2024. No other action was taken on HR 9520 in the 118th Congress.

Moving Forward

Fallon is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. With new spending being prohibited, I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support, perhaps enough that it could be considered under the suspension of the rules process.

Commentary

While the proposed institute is not a cybersecurity institute, all cyber work roles should include some level of cybersecurity responsibilities. I think it would be helpful to delineate a responsibility for the institute to establish a minimum level of cybersecurity training for all cyber personnel. To that end, I would like to suggest the insertion of a new §2(b)(2)(C):

“(C) establish a common skill level cybersecurity curriculum for all entry level positions and a more advanced cybersecurity training program for personnel transitioning to mid-career level positions;”

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3435-introduced-federal-cyber - subscription required.

Short Takes – 12-16-25 – Federal Register Edition

Information Collection: NASA Virtual Launch Guest Watch Party Registration. Federal Register NASA 30-day ICR reinstatement notice. Summary: “The Virtual Guest Program exists to leverage the excitement around launches and milestones to widely disseminate information about Earth and space phenomena through the sharing of information about research on launches, mission objectives, public engagement activities (coloring pages, social media filters) and the like. The program provides registration opportunities for individuals and watch parties so that NASA may provide them the specific information they are interested in receiving and to share a detailed slice of the NASA efforts in carrying out the other portions of the Space Act of 1958. By learning the information from the plans of Watch Party organizers, NASA can best provide appropriate resources and share information about its activities and results.” Comments due January 14th, 2026.

Protecting the Nation's Communications Systems From Cybersecurity Threats. Federal Register FCC order on reconsideration. Summary: “In this document, the Federal Communications Commission (“Commission” or “FCC”) announces that it has reconsidered and rescinded a prior Declaratory Ruling and Notice of Proposed Rulemaking, neither of which had been published in the Federal Register. The Declaratory Ruling misconstrued the Communications Assistance for Law Enforcement Act (CALEA), and the Notice of Proposed Rulemaking was based in part on the Declaratory Ruling's flawed legal analysis and proposed ineffective cybersecurity requirements. This Order follows the FCC's engagement with providers to help strengthen their cybersecurity posture.”

EO 14365 - Ensuring a National Policy Framework for Artificial Intelligence. Federal Register.

EO 14366 - Protecting American Investors from Foreign-Owned and Politically-Motivated Proxy Advisors. Federal Register.

Monday, December 15, 2025

Short Takes – 12-15-25 – Space Geek Edition

Starfish Space and Impulse Space demonstrate autonomous spacecraft proximity operations. SpaceNews.com article. Pull quote: “What distinguished the demonstration from previous rendezvous and proximity operations, or RPO, tests was that the approaching Mira relied on only a single camera to close in on the other spacecraft. The camera fed images into a computer running Starfish’s CETACEAN and CEPHALOPOD software, which generated navigation data and maneuver commands for the LEO Express 2 vehicle.”

New Earth Mini-Moon Asteroid 2025 PN7 Discovered. Astronex.net article. Pull quote: “The asteroid 2025 PN7 belongs to the Arjuna class of near-Earth objects, known for their Earth-like orbits with low eccentricity and inclination. This classification means it maintains a stable relationship with Earth without being bound by our gravity like the Moon. Researchers have confirmed its status through detailed orbital calculations, showing it has been in this configuration for about 60 years and will continue for another roughly 60 years. This makes 2025 PN7 the newest addition to a small group of known quasi-satellites, providing valuable insights into orbital mechanics and the distribution of asteroids near Earth.”

MetaSeismic material mitigates vibration and shock in NASA Marshall testing. SpaceNews.com article. Pull quote: ““The technology is interesting because it offers a damping solution for vibrations that comes in a smaller form factor than other solutions that we may typically use,” Aaron Miller, NASA Marshall lead structural integration engineer, told SpaceNews. “It’s custom tunable for the specific vibration environment that the hardware, whether it be avionics, a battery or something else, may experience.””

Einstein was right: Time ticks faster on Mars, posing new challenges for future missions. LiveScience.com article. Pull quote: “The analysis showed that Martian clocks tick faster, when measured from Earth, than Earth-based ones by an average of 477 microseconds per Earth day. Strikingly, though, this value varies daily by 226 microseconds (about half the offset's value itself) over a Martian year. The variation stems from the egg-like shape of Mars’ orbit and changes in the gravitational tugs of its celestial neighbors as they approach and twirl away from Mars.”

Voyager 1 will reach one light-day from Earth in 2026. Here’s what that means. MSN.com article. Pull quote: ““If I send a command and say, ‘good morning, Voyager 1,’ at 8 a.m. on a Monday morning, I’m going to get Voyager 1’s response back to me on Wednesday morning at approximately 8 a.m.,” Dodd said.”

NASA Unveils a Space Station Mockup Designed for Commercial Spaceflight | NewsRadio 740 KTRH. UFOFeed.com article. Pull quote: “NASA is working with Space Lab to create a first design to be used for future space stations. The plan is to kick off the commercial spaceflight program allowing private companies to open the program to customers who would like to explore space, with less government funding as private entities take over. “They’re selling research time to Nasa but they’re also hoping to go out and find business customers who want to do research in zero gravity.” He said.”

Overview Energy Emerges From Stealth. UFOFeed.com article. Pull quote: ““Our airborne milestone proved that the core transmission system works in motion—the same foundation that will operate in orbit,” Marc Berte, Overview’s founder and CEO, said in a statement. “Space solar energy will only matter when it powers real demand on Earth, and we’re designing for that scale from Day 1.””

How one controversial startup hopes to cool the planet. TechnologyReview.com article. Pull quote: “But numerous researchers focused on solar geoengineering are deeply skeptical that Stardust will line up the government customers it would need to carry out a global deployment as early as 2035, the plan described in its earlier investor materials—and aghast at the suggestion that it ever expected to move that fast. They’re also highly critical of the idea that a company would take on the high-stakes task of setting the global temperature, rather than leaving it to publicly funded research programs.”

Backlog List

China’s Shijian spacecraft separate after pioneering geosynchronous orbit refueling tests,

Potentially hazardous' asteroid 2024 YR4 was Earth's first real-life planetary defense test,

It’s time to give NASA an astrophysics nervous system,

The U.S. Senate vs. the Athena Plan — NASA on trial,

30 years of SOHO staring at the sun | Space photo of the day for Dec. 2, 2025, and

A dying satellite could use its final moments to photograph the infamous asteroid Apophis in 2029.

Review – Committee Hearings – Week of 12-15-25

This week, with both the House and Senate preparing to close out this year’s session, there is a relatively light hearing schedule. In the House we have one markup hearing of potential interest, an advanced cybersecurity hearing, and a biosecurity hearing. The Senate will hold an FCC oversight hearing that may include items of interest.

Markup Hearings

On Tuesday the Subcommittee on Communications and Technology of the House Energy and Commerce Committee will hold a business meeting where seven bills will be considered.

Cybersecurity

On Wednesday two subcommittees of the House Homeland Security Committee will hold a joint hearing on “The Quantum, AI, and Cloud Landscape: Examining Opportunities, Vulnerabilities, and the Future of Cybersecurity”.

Biosecurity

On Wednesday the Subcommittee on Oversight and Investigations of the Energy and Commerce Committee will hold a hearing on “Examining Biosecurity at the Intersection of AI and Biology”.

FCC Oversight

On Wednesday the Senate Commerce, Science, and Transportation Committee will hold an oversight hearing on the Federal Communications Commission (FCC).

 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-12-15 - subscription required.

Sunday, December 14, 2025

Review – Public ICS Disclosures – Week of 12-6-25 – Part 2

For Part 2 we have nine bulk disclosures from Siemens. There are five additional vendor disclosures from Dell, Phoenix Contact, Schneider (2), and WAGO. There are 14 bulk updates from HP (6) and Siemens (8). We also have three other vendor updates from Hitachi Energy, Moxa, and Schneider. There is a researcher report on vulnerabilities in products from the Biosig Project (6). Finally, we have four exploits for products from Broadcom, Palo Alto Networks, and React Server Components (2).

Bulk Disclosures – Siemens

Denial of service Vulnerability in Interniche IP-Stack based Industrial Devices,

Multiple Vulnerabilities in RUGGEDCOM ROX Before V2.17,

Multiple Vulnerabilities in SINEC Security Monitor before V4.10.0,

Denial of Service Vulnerability in Ruggedcom ROS devices before V5.10.1,

File Parsing Vulnerability in Simcenter Femap Before V2512,

Multiple Vulnerabilities in SICAM T Before V3.0,

Multiple Vulnerabilities in SIMATIC CN 4100 Before V4.0.1,

Multiple Vulnerabilities in COMOS, and

Multiple Vulnerabilities in Ruggedcom Rox Before V2.17.0.

Advisories

Dell Advisory - Dell published an advisory that discusses 36 vulnerabilities in their ThinOS product.

Phoenix Contact Advisory - Phoenix Contact published an advisory that describes 14 vulnerabilities in their SWITCH 2xxx Firmware.

Schneider Advisory #1 - Schneider published an advisory that discusses an exposure of sensitive information to unauthorized actor vulnerability in multiple Schneider products.

Schneider Advisory #2 - Schneider published an advisory that discusses a deserialization of untrusted data vulnerability in their EcoStruxure Foxboro DCS Advisor.

WAGO Advisory - CERT-VDE published an advisory that describes two stack-based buffer overflow vulnerabilities in the WAGO Industrial-Managed Switches.

Bulk Updates – HP

NVIDIA GPU Display Driver October 2025 Security Update,

NVIDIA GPU Display Driver July 2025 Security Update,

Certain HP LaserJet Pro Printers – Potential Information Disclosure,

AMD CPU Microcode Security Update,

HP System Event Utility and Omen Gaming Hub – Potential Arbitrary Code Execution, and

Intel System Security Report and System Resources Defense.

Bulk Updates – Siemens

Deserialization Vulnerability in Siemens Engineering Platforms before V20,

RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596) - Impact to SCALANCE, RUGGEDCOM and Related Products,

Deserialization Vulnerability in Siemens Engineering Platforms,

Buffer Overflow Vulnerability in Third-Party Component in SICAM and SITIPE Products,

Deserialization Vulnerability in Siemens Engineering Platforms,

Buffer Overflow Vulnerabilities in OpenSSL 3.0 Affecting Siemens Products,

Local Arbitrary Code Execution Vulnerability in Siemens Engineering Platforms before V20, and

DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery.

Updates

Hitachi Energy Update - Hitachi Energy published an update for their Relion 670/650 advisory that was originally published on June 24th, 2025, and most recently updated on August 26th, 2025.

Moxa Update - Moxa published an update for their ICMP Timestamp Request advisory that was originally published on October 21st, 2025, and most recently updated on October 27th, 2025.

Schneider Update - Schneider published an update for their Altivar Process Drives advisory that was originally published on September 9th, 2025, and most recently updated on October 14th, 2025.

Researcher Reports

Biosig Project Report - Cisco Talos published a report that describes six stack-based buffer overflow vulnerabilities in the Biosig Project libbiosig library.

Exploits

Broadcom Exploit - Indoushka published an exploit for an improper restriction of operations within the bounds of a memory buffer vulnerability in the Broadcom Wi-Fi Firmware.

Palo Alto Networks Exploit - Indoushka published an exploit for a deep-packet inspection vulnerability in PAN-OS.

RSC Exploit #1 - Indoushka published a scanner for, and an exploit of, the deserialization of untrusted data vulnerability in React Server Components.

RSC Exploit #2 - Maksim Rogov, et al, published a Metasploit module for the deserialization of untrusted data vulnerability in React Server Components.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-0c5 - subscription required.

Saturday, December 13, 2025

CISA Adds Sierra Wireless Vulnerability to KEV – 12-12-25

Yesterday CISA announced that it had added an unrestricted upload of file with dangerous type vulnerability in the Sierra Wireless AirLink ALEOS product to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was reported by Cisco Talos on April 15th, 2019; the report included proof-of-concept code. Sierra Wireless published their advisory on the vulnerability (along with 12 others) on April 30th, 2019. CISA published their advisory on the vulnerability (along with six others) on August 20th, 2019, and most recently updated it on April 23rd, 2020.

CISA has required Federal agencies that use the affected products to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” Those required actions are to be completed by January 2nd, 2026.
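Each of the three KEV additions noted this week (the SonicWall SMA item due December 24th, the FortiGuard item due December 23rd, and this Sierra Wireless item due January 2nd) carries a BOD 22-01 due date, and the practical check for an agency or a contractor tracking them is a quick triage of the published catalog by vendor and deadline. The script below is an added example written for this post, not code from CISA or from any of the vendors; it reads the JSON feed in the field layout CISA publishes (cveID, vendorProject, product, dateAdded, requiredAction, dueDate, and so on) and flags watched vendors' entries as overdue, due within a window, or later. The embedded sample feed is constructed for the example, and its CVE IDs are placeholders rather than the real identifiers behind these three additions; to run it against the live catalog, replace SAMPLE_KEV_JSON with the text of the downloaded known_exploited_vulnerabilities.json.

```python
"""Added example (not from the blog or from CISA): triage KEV entries by
vendor and BOD 22-01 due date from the known_exploited_vulnerabilities.json feed."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. The cveID values
# are placeholders for this example, NOT real identifiers.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2025-12-18T12:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "SonicWall", "product": "SMA",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-12-17",
     "shortDescription": "constructed sample: missing authorization",
     "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2025-12-24", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "Multiple Products",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-12-16",
     "shortDescription": "constructed sample: improper verification of cryptographic signature",
     "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2025-12-23", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0003", "vendorProject": "Sierra Wireless", "product": "AirLink ALEOS",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-12-12",
     "shortDescription": "constructed sample: unrestricted upload of file with dangerous type",
     "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2026-01-02", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""


def load_catalog(text):
    """Parse the KEV feed text and return its list of vulnerability entries.

    The feed's top-level 'count' is cross-checked against the list length so a
    truncated or partially downloaded file is rejected rather than silently
    producing a short report.
    """
    doc = json.loads(text)
    entries = doc["vulnerabilities"]
    if "count" in doc and doc["count"] != len(entries):
        raise ValueError("KEV 'count' does not match number of entries; feed truncated?")
    return entries


def classify(due_date, today, window_days):
    """Return 'overdue', 'due_soon' (within window_days, inclusive) or 'later'."""
    if due_date < today:
        return "overdue"
    if due_date <= today + timedelta(days=window_days):
        return "due_soon"
    return "later"


def due_report(entries, vendors, today, window_days=7):
    """Rows for the watched vendors (case-insensitive match on vendorProject),
    sorted by due date, each with the number of days left and a status."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    watch = {v.lower() for v in vendors}
    rows = []
    for e in entries:
        if e["vendorProject"].lower() not in watch:
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "dateAdded": e["dateAdded"],
            "dueDate": e["dueDate"],
            "daysLeft": (due - today).days,
            "status": classify(due, today, window_days),
        })
    rows.sort(key=lambda r: r["dueDate"])
    return rows


if __name__ == "__main__":
    # Example run against the constructed feed as of December 23rd, 2025.
    for row in due_report(load_catalog(SAMPLE_KEV_JSON),
                          ["SonicWall", "Fortinet", "Sierra Wireless"],
                          "2025-12-23"):
        print(f"{row['status']:9} {row['daysLeft']:4d}d  {row['cveID']}  "
              f"{row['vendor']} {row['product']}  due {row['dueDate']}")
```

The vendor match is on the catalog's vendorProject field, which for the FortiGuard items is "Fortinet"; the due-date window is inclusive, so an entry due today is reported as due soon rather than overdue, matching how BOD 22-01 deadlines are read.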

Review – CSB Updates Accidental Release Reporting Data – 12-1-25

On Thursday the CSB updated their published list of reported chemical release incidents. They added 58 new incidents that occurred since the previous version was published in July. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604) through November 30th, 2025.

The table below shows the top five states based upon the number of reported incidents since the July update was published.

 

For more information on the data, including a listing of chemical incidents reported in the news that should have been reported to CSB, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-313 - subscription required.

Chemical Transportation Incidents – Week of 11-8-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

NOTE: PHMSA’s database is not currently allowing online downloads. I was able to request a copy of the week’s data directly from PHMSA. That is the reason for this late posting.

Incidents Summary

• Number of incidents – 486 (453 highway, 31 air, 2 rail, 0 water)

• Serious incidents – 4 (3 Bulk release, 0 evacuation, 1 injury, 0 death, 0 major artery closed, 2 fire/explosion, 30 no release)

• Largest container involved – 33,900-gal DOT 117J100W Railcar {Petroleum Gases, Liquefied or Liquefied Petroleum Gas} Vapor valve cracked open, plug not tool tight.

• Largest amount spilled – 250-gal Plastic IBC {Caustic Alkali Liquids, N.O.S.} Forklift strike.

• Total amount reported spilled in all incidents – 2174.4-gal

NOTE: Links to Form 5800.1 for the described incidents are not currently available online.

Most Interesting Chemical: Hydrofluoric Acid And Sulfuric Acid Mixtures: A clear colorless liquid with a pungent odor. Corrosive to metals and tissue. Exposure to the fumes or brief contact can cause severe burns as mixture penetrates to cause deep-seated ulceration that is sometimes complicated by gangrene. (Source: CameoChemicals.NOAA.gov).

 



Review – Public ICS Disclosures – Week of 12-6-25 – Part 1

This week we have bulk disclosures from FortiGuard (8). There are also 12 additional vendor disclosures from Cisco, Dell, Dassault Systems, Elecom, Endress+Hauser, Hitachi Energy (2), HP, HPE, Moxa, and NI (2).

Bulk Disclosures – FortiGuard

Insertion of sensitive information into REST API logs,

Insufficient Session Expiration in SSLVPN,

Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass,

Multiple authenticated OS Command Injections via API,

OS command injection in GUI backup options,

OS command injection in multiple endpoints,

Private key readable by admin, and

Reflected XSS in HA cluster.

Advisories

Cisco Advisory - Cisco published an advisory that discusses the React Server Components deserialization of untrusted data vulnerability that is listed in CISA’s Known Exploited Vulnerabilities catalog.

Dell Advisory - Dell published an advisory that discusses 30 vulnerabilities. All but three of these are third-party vulnerabilities.

Dassault Advisory - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Elecom Advisory - JPCERT/CC published an advisory that describes an unquoted search path vulnerability in the Elecom Clone for Windows.

Endress+Hauser Advisory - CERT-VDE published an advisory that discusses an out-of-bounds write vulnerability in multiple Endress+Hauser products.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability in their Asset Suite product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses the React Server Component deserialization of untrusted data vulnerability that is listed in CISA’s KEV catalog.

HP Advisory - HP published an advisory that describes a path traversal vulnerability in their HP System Event Utility and Omen Gaming Hub products.

HPE Advisory - HPE published an advisory that discusses ten vulnerabilities in their ProLiant DL/ML/XD, Alletra, and Synergy Servers.

Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their MXsecurity Series products.

NI Advisory #1 - NI published an advisory that describes nine vulnerabilities in their LabVIEW product.

NI Advisory #2 - NI published an advisory that describes a relative path traversal vulnerability in their System Web Server.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-c5d - subscription required.
