Saturday, January 31, 2026

Short Takes – 1-31-26 – Federal Register Edition

Hazardous Materials: Request for Feedback on Hazmat Transportation Risks: Heavy-Duty Electric Vehicles Versus Internal Combustion Engine Motor Carriers. Federal Register PHMSA request for information. Summary: “The Pipeline and Hazardous Materials Safety Administration (PHMSA) seeks public input on the safety risks, operational challenges, and regulatory considerations associated with transporting hazardous materials (hazmat) using heavy-duty electric vehicles (EVs) compared to internal combustion engine (ICE) motor carriers (i.e., gas or diesel). PHMSA aims to understand what impact the transition from ICE to EV motor carriers may have on hazmat packaging integrity, transportation safety, emergency response protocols, regulatory compliance, and overall vehicle risk. PHMSA may use the information gathered to develop a statement of work for further research into the safety of transporting hazardous materials in EVs.”

Categorical Exclusion for Advanced Nuclear Reactors. Federal Register DOE categorical exclusion notice. Summary: “The U.S. Department of Energy (DOE or the Department) is establishing a categorical exclusion for authorization, siting, construction, operation, reauthorization, and decommissioning of advanced nuclear reactors for inclusion in its National Environmental Policy Act (NEPA) implementing procedures. DOE is including the categorical exclusion in the component of its NEPA implementing procedures that it maintains outside of the Code of Federal Regulations. The new categorical exclusion is based on the experience of DOE and other Federal agencies, current technologies, regulatory requirements, and accepted industry practice.”

Best Practices Webinar Series Presented by the National Center of Excellence for Liquefied Natural Gas Safety. Federal Register PHMSA webinar notice. Summary: “The National Center of Excellence for Liquefied Natural Gas Safety (National LNG Center) will host a series of informational webinars on best practices for LNG safety, titled “Prioritizing Safety: Best Practices in LNG.” The webinars are free, will be hosted virtually, and will require advance registration. The series will be held monthly using Zoom. Each webinar will be one hour in length and will be recorded. The National LNG Center will provide electronic access to all materials, including recordings, transcripts, and presentations, after conclusion of each webinar. The webinars will cover a different best practice each session.”

Clearance of Renewed Approval of Information Collection: Small Unmanned Aircraft Registration System. Federal Register FAA 30-day ICR renewal notice. Summary: “In accordance with the Paperwork Reduction Act of 1995, FAA invites public comments about our intention to request the Office of Management and Budget (OMB) approval to renew an information collection. The Federal Register Notice with a 60-day comment period soliciting comments on the following collection of information was published on September 23, 2025. The collection involves inputting minimal information into a database to register small, unmanned aircraft. Aircraft registration is necessary to ensure personal accountability among all users of the National Airspace System (NAS). Aircraft registration also allows the FAA and law enforcement agencies to address non-compliance by providing the means for identifying an aircraft's owner and operator. This collection also permits individuals to de-register or update their record in the registration database.”

EO 14377 - Addressing State and Local Failures to Rebuild Los Angeles After Wildfire Disasters. Federal Register.

EO 14378 - Continuance of the Federal Emergency Management Agency Review Council. Federal Register.

PHMSA Publishes 60-day Renewal Notice for 7 Hazmat ICRs

Yesterday DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (91 FR 4172-4178) for seven hazardous materials ICRs. According to the notice: “PHMSA has revised burden estimates, where appropriate, to reflect current reporting levels or adjustments based on changes in proposed or final rules published since the information collections were last approved.”

The seven ICRs include:

Inspection and Testing of Portable Tanks and Intermediate Bulk Containers (2137-0018),

Hazardous Materials Incident Reports (2137-0039),

Rail Carrier and Tank Car Tanks Requirements, Rail Tank Car Tanks—Transportation of Hazardous Materials by Rail (2137-0559),

Testing Requirements for Non-Bulk Packaging (2137-0572),

Hazardous Materials Public Sector Training and Planning Grants (2137-0586),

Cargo Tank Motor Vehicles in Liquefied Compressed Gas Service (2137-0595), and

Inspection and Testing of Meter Provers (2137-0620).

NOTE: The first link for each ICR is for the description of the collection in yesterday’s notice. The last link is to the currently approved ICR record.

The table below shows the burden estimate for both this renewal notice and the currently approved ICR.

There is no explanation for the large change in the burden estimates for 2137-0559 in yesterday’s notice. Comparing the detailed burden information in the notice with the Supporting Document that PHMSA provided to OIRA for the current ICR, there are six information collections missing from the notice:

• Hazardous Materials Train Consist Additional Information (Class I, II, III Railroads) - Section 174.26 (131,042 responses and 10,876 hrs),

• Notification of Hazardous Materials Accidents or Incidents - Class I, II, III Railroad - Section 174.26 (491 responses and 122.75 hrs),

• Creation of Test Records for Emergency System Notification Test (Class I, II, III) – Section (658 responses and 1438 hrs),

• Retention of Test Records for Emergency System Notification Test – Section 174.28(b) (758 responses and 63 hrs),

• Creation of Class III alternative emergency response information plan – Section (388 responses and 1,552 hrs), and

• Retention of Class III alternative emergency response information plan (Retention Only) – Section (388 responses and 32 hrs).

These may have been moved to a new ICR. We will be able to tell for sure when PHMSA submits the renewal request to OIRA after the 30-day ICR notice is published.

PHMSA is soliciting public comments on this ICR renewal. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2026-0199). Comments should be submitted by March 31st, 2026.

Review – Bills Introduced – 1-30-26

Yesterday, with just the Senate in Washington and the House meeting in pro forma session, there were 43 bills introduced. Two of the bills may receive additional coverage in this blog:

HR 7285 To amend the Homeland Security Act of 2002 to authorize the use of certain financial assistance for vehicle security enhancement upgrades, and for other purposes. Gonzales, Tony [Rep.-R-TX-23] 

HR 7294 To study the impacts of artificial intelligence technology with respect to the security of telecommunications networks, and for other purposes. Menendez, Robert [Rep.-D-NJ-8] 

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

HR 7273 NASA Reauthorization Act of 2026. Babin, Brian [Rep.-R-TX-36]


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-30-26 - subscription required.

Review – Public ICS Disclosures – Week of 1-24-26 – Part 1

This is a moderately busy disclosure week. We have bulk vendor disclosures from Broadcom (48). There are also 14 other vendor disclosures from B&R (2), Beckhoff (2), Dell, Dassault Systems (2), Hanwha Vision, Hitachi, Hitachi Energy (3), HPE, and Siemens.

Bulk Vendor Disclosures – Broadcom

Nessus detected vulnerability in the Brocade OVA base image (CVE-2025-21991),

The DisableForwarding directive does not fully adhere to the intended functionality as documented (CVE-2025-32728),

Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service,

Curl vulnerabilities detected in SANnav images (CVE-2025-4947, CVE-2025-5025),

DoS due to improper input validation vulnerability in Apache Tomcat - CVE-2024-24549,

Spring Framework DoS (CVE-2024-38808, CVE-2024-38809 and CVE-2024-22262),

Oracle Java SE Updates (July 2025),

Multiple Vulnerabilities in Node.js (Wednesday, May 14, 2025 Security Releases). Nessus Plugin ID 236766,

Low-level invalid GF(2^m) parameters lead to OOB memory access,

Multiple Vulnerabilities in Apache Kafka,

Postgres vulnerabilities (CVE-2025-8713, CVE-2025-8714, CVE-2025-8715),

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 (CVE-2024-7264),

PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation,

Vulnerability in OpenSSH when the VerifyHostKeyDNS option is enabled (CVE-2025-26465),

Rocky Linux Updates applied to SANnav (CVE-2024-3661, CVE-2024-11187, CVE-2024-12797),

A malicious rsh server can overwrite arbitrary files in a directory on the rcp client machine,

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak,

Multiple Linux Security Updates applied to Brocade Fabric OS 10.0,

The x509 application adds trusted use instead of rejected use,

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time,

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64,

In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c,

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses,

GNU tar mishandled extension attributes in a PAX archive,

This flaw allows a malicious HTTP server to set "super cookies" in curl,

Glib GVariant deserialization fails to validate input,

A heap out-of-bounds read flaw was found in builtin.c in the gawk package,

Scan discovered multiple CVEs against glibc,

Null pointer dereference found in openldap,

A denial of service vulnerability exists in curl,

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0,

use-after-free and memory corruption,

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation,

The allocate_structures function insufficiently checks bounds before arithmetic multiplication,

Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem,

Brocade SANnav DataBase password in plain text is logged in failover logs (CVE-2025-12680),

Plaintext Switch admin login password is seen in Brocade SANnav support save (CVE-2025-12772),

Plain password is logged in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a (CVE-2025-12773),

SQL queries with sensitive information printed in logs with Brocade SANnav before 3.0 (CVE-2025-12774),

Information disclosure in Brocade Fabric OS before 9.2.1c2, 9.2.2 through 9.2.2a and 10.0.0 (CVE-2026-0383),

Privilege escalation in Brocade Fabric OS before 9.2.1c3, and 9.2.2 through 9.2.2b (CVE-2025-9711),

Directory traversal vulnerability in Brocade Fabric OS before 9.2.1 using grep command (CVE-2025-58380),

Plain text pbe key visible in audit log during Brocade SANnav migration from 2.4.0a to 3.0.0 (CVE-2025-12679),

Directory traversal vulnerability in Brocade Fabric OS before 9.2.1c2 and 9.2.2 through 9.2.2a using various shell commands (CVE-2025-58381),

Password Exposure in Brocade Fabric OS before 9.2.1 (CVE-2025-58379),

Privilege escalation in Brocade Fabric before 9.2.1c2 and 9.2.2 through 9.2.2a (CVE-2025-58382),

Privilege escalation via bind command in Brocade Fabric OS (CVE-2025-58383),

Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf (CVE-2025-12543).

Advisories

B&R Advisory #1 - B&R published an advisory that discusses the PixieFail vulnerabilities.

B&R Advisory #2 - B&R published an advisory that describes an insertion of sensitive information into log file vulnerability.

Beckhoff Advisory #1 - CERT-VDE published an advisory that describes three vulnerabilities in the Beckhoff Device Manager.

Beckhoff Advisory #2 - CERT-VDE published an advisory that describes a cross-site scripting vulnerability in the Beckhoff TwinCAT 3 HMI Server.

Dell Advisory - Dell published an advisory that discusses an improper handling of length parameter inconsistency vulnerability (with publicly available exploits) in their Wyse Management Suite.

Dassault Advisory #1 - Dassault published an advisory that describes a heap-based buffer overflow vulnerability in SOLIDWORKS eDrawings.

Dassault Advisory #2 - Dassault published an advisory that describes an out-of-bounds write vulnerability in their SOLIDWORKS eDrawings.

Hanwha Advisory - Hanwha published an advisory that describes five vulnerabilities in multiple Wisenet cameras from Hanwha.

Hitachi Advisory - Hitachi published an advisory that discusses two allocation of resources without limit or throttling vulnerabilities in their Cosminexus Component Container.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses the BlastRadius-Fail vulnerability in their FOX61x products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses the BlastRadius-Fail vulnerability in their XMC20 products.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that describes the use of default credentials vulnerability in their SuprOS products.

HPE Advisory - HPE published an advisory that describes three vulnerabilities in their Aruba Fabric Composer product.

Siemens Advisory - Siemens published an advisory that discusses 51 vulnerabilities in their SINEC OS based products.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-2c6 - subscription required.

Friday, January 30, 2026

Review – Bills Introduced – 1-29-26

Yesterday, with just the Senate in Washington, there were 36 bills introduced. One of those bills may receive additional coverage in this blog:

S 3741 A bill to require the Secretary of Commerce to promulgate regulations to improve nucleic acid synthesis security, and for other purposes. Cotton, Tom [Sen.-R-AR] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-29-26 - subscription required.

HR 7148 Fails Cloture Vote – Last FY 2026 Minibus

Yesterday the Senate continued their efforts to pass HR 7148, the Consolidated Appropriations Act, 2026. The Senate voted on the first cloture motion, “to proceed to consideration of H.R. 7148”, the first of potentially three such votes before the bill would actually be voted upon. That vote, as many people expected, failed by a vote of 45 to 55. All of the Democrats voted Nay, as did eight Republicans; Thune changed his vote to Nay when the original vote failed, as a procedural move.

The Democrats, including Sen Fetterman (D,OH) who had earlier vowed to vote for the bill, expressed their concerns about recent immigration related actions in Minnesota. The seven Republicans opposed the bill on entirely separate, fiscally related grounds. It is not clear that they would have voted against the bill if ten Democrats had voted for the bill, allowing for the 60 votes necessary for passage of the bill.

It appears that a deal has been worked out to approve five of the six spending bills included in HR 7148 and to provide a two-week continuing resolution for the DHS portion of the bill. That would allow the Senate and House to iron out ICE/CBP reform language to be included in the final DHS spending bill.

One last roadblock was thrown up last night. Sen Graham (R,SC) vowed to block unanimous consent to bypass the remaining cloture votes (essentially shutting down consideration in the Senate) over a provision the House included in the bill to disallow Senators from suing DOJ over their wiretaps on Senators’ phones. A deal is still being worked out to overcome that problem. A reconsideration vote for that cloture motion is scheduled for 11:00 am EDT.

If the Senate approves an amended version of HR 7148 today, the government will still technically shut down at midnight since the House is not expected to take up that version of the bill until Monday. While the President has signaled his support for the change, it is not yet clear that the revised bill can pass in the House.

Review – HR 6631 Introduced – DOD Cybersecurity Education

Earlier this month Rep Elfreth (D,MD) introduced HR 6631, the Establishing Cyber Security Educational Programs at Academic Institutions Act. The bill would require DOD to collaborate with academic institutions to develop cybersecurity educational programs at such institutions. Collaboration with other federal agencies would ensure that the program would not compete or conflict with other such federal programs. No new funding is authorized.

Moving Forward

Both Elfreth and her sole cosponsor, Rep Luttrell (R,TX), are members of the House Armed Services Committee, to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition, and I would suspect that there should be bipartisan support for the legislation. We will have to wait and see if there is sufficient bipartisan support for the bill to be considered by the full House under the suspension of the rules process.

Commentary

While subsection 2(a) requires DOD to “develop cybersecurity [emphasis added] educational programs”, paragraph 2(c)(1) expands that scope to include “cyber defense, cyber operations, and cyber research”. This should be expected of a DOD sponsored program and would differentiate the overall program from those sponsored by other federal agencies. While graduates of these DOD programs could be expected to seek out DOD related jobs, or military commissions, the skills learned could still be applicable to civilian cybersecurity positions.


For more information on the provisions of this bill, including additional commentary on OT coverage, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6631-introduced-dod-cybersecurity - subscription required.

OMB Approves FCC Novel Space Activities Spectrum NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the Federal Communications Commission (FCC) on “Spectrum Abundance for Novel Space Activities”. The NPRM was sent to OIRA on October 15th, 2026. This rulemaking was not included in the Spring 2025 Unified Agenda.

In my earlier post on this NPRM I noted that: “This rulemaking was not published in the Spring 2025 Unified Agenda, but it looks like it may be related to an earlier rulemaking from the FCC on “Satellite Spectrum Abundance”.” That relationship was clarified by FCC Chair Brendan Carr in a speech in El Segundo, CA (pg 5):

“Earlier this year, we started a proceeding on opening up more spectrum for satellite broadband. Soon, we will look at opening more spectrum resources for novel space activities – everything from lunar missions to orbital laboratories.”

In any case, we will know for sure what this rulemaking is all about when it is published in the Federal Register in the next week or so. I will probably not cover this in any detail but will at least announce it in the appropriate ‘Short Takes’ post.

Thursday, January 29, 2026

Review – 3 Advisories and 3 Updates Published – 1-29-26

Today CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation (2) and KiloView. They also updated advisories for products from Mitsubishi Electric (2) and BrightSign.

Advisories

Rockwell Advisory #1 - This advisory describes a missing release of memory after effective lifetime vulnerability in the Rockwell ControlLogix Redundancy Enhanced Module.

NOTE: I briefly discussed this vulnerability on January 25th, 2026.

Rockwell Advisory #2 - This advisory describes nine uncontrolled resource consumption vulnerabilities in the Rockwell ArmorStart LT.

NOTE: I briefly discussed this vulnerability on January 25th, 2026.

KiloView Advisory - This advisory describes a missing authentication for critical function vulnerability in the KiloView Encoder series products.

Updates

Mitsubishi Update #1 - This update provides additional information on the CNC Series advisory that was originally published on July 24th, 2025, and most recently updated on December 2nd, 2025.

Mitsubishi Update #2 - This update provides additional information on the Iconics Digital Solutions advisory that was originally published on May 20th, 2025, and most recently updated on January 8th, 2026.

I briefly discussed the added information (Mitsubishi Update #1 note) on January 8th, 2025.

BrightSign Update - This update provides additional information on the Players advisory that was originally published on May 6th, 2026.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-3-updates-published-469 - subscription required.

Review – PHMSA Publishes Space Support Hazmat ANPRM

Today DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published an advanced notice of proposed rulemaking (ANPRM) in the Federal Register (91 FR 3860-3862) on “Hazardous Materials: Modernizing Regulations To Facilitate Transportation of Hazardous Materials Integral to Spacecraft Components and Payloads”. PHMSA is soliciting feedback on streamlining and modernizing the Agency's regulations as they relate to the transportation of hazardous materials integral to spacecraft payloads or components. This rulemaking supports the intent of EO 14335, Enabling Competition in the Commercial Space Industry, even though there are no specific mentions of PHMSA or Hazmat regulations in that EO.

Public Comments

PHMSA is soliciting public comments. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2024-0065). Comments should be submitted by April 29th, 2026.


For more information on this ANPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-space-support-hazmat - subscription required.

Wednesday, January 28, 2026

Review – Bills Introduced – 1-27-26

Yesterday, with just the Senate in Washington and the House meeting in pro forma session, there were 64 bills introduced. Three of those bills will receive additional coverage here:

HR 7257 To amend the Energy Policy and Conservation Act to require States to include supporting the physical security, cybersecurity, and resilience of local distribution systems in State energy security plans. Latta, Robert E. [Rep.-R-OH-5]

HR 7266 To amend the Infrastructure Investment and Jobs Act to reauthorize the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program, and for other purposes. Miller-Meeks, Mariannette [Rep.-R-IA-1]

HR 7272 To require the Secretary of Energy to carry out a program relating to physical security and cybersecurity for pipelines and liquefied natural gas facilities. Weber, Randy K. Sr. [Rep.-R-TX-14] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill to provide produce prescriptions to veterans, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-27-26 - subscription required.

Short Takes – 1-28-26 – Federal Register Edition

Emergencies and the National Environmental Policy Act Guidance. Federal Register CEQ notice of availability. Summary: “On January 21, 2026, the Council on Environmental Quality (CEQ) issued guidance in a memorandum to the heads of Federal departments and agencies (agencies) to assist agencies with their compliance with the National Environmental Policy Act (NEPA) during emergencies.”

Agency Information Collection Activities; Submission for OMB Review; Comment Request; NTIA Space Launch Frequency Coordination Portal. Federal Register NTIA 30-day ICR renewal notice. Summary: “Needs and Uses: The information is submitted to a web-based platform and is used by NTIA to ensure that spectrum requested for Space launches is available. The data is used for analysis in determination of non-interference.” Comments should be due February 27th, 2026.

Pipeline Safety: Advisory Bulletin on the Integrity Risks of Type A Repair Sleeves. Federal Register PHMSA safety bulletin. Summary: “PHMSA is issuing this advisory bulletin to highlight the integrity risks associated with using Type A sleeves to repair hazardous liquid pipelines. Type A sleeve failures have resulted in significant environmental damage and costs to the industry. Incident data suggests these failures were due to improper installation, moisture intrusion, and the selection of ineffective assessment methods. This bulletin provides specific technical details for managing the integrity of Type A sleeves.”

Personal Identity Validation for Routine and Intermittent Access to NASA Facilities, Sites, and Information Systems. Federal Register NASA 30-day ICR renewal notice. Summary: “In compliance with HSPD-12 and the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201: Personal Identity Verification of Federal Employees and Contractors, and OMB Policy memorandum M-05-24 Implementation of Homeland Security Presidential Directive 12, NASA must collect information from members of the public to: (1) validate identity and (2) issue secure and reliable federal credentials to enable access to NASA facilities/sites and NASA information systems. Information collected is consistent with background investigation data to include but not limited to name, date of birth, citizenship, social security number (SSN), address, employment history, biometric identifiers (e.g. fingerprints), signature, digital photograph. NASA collects information from U.S. Citizens and U.S. Persons requiring access 30 or more days in a calendar year. NASA also collects information from foreign nationals regardless of their affiliation time.” Comments due February 27th, 2026.

Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations; Reopening of Comment Period. Federal Register FAA comment extension. Summary: “This action reopens the comment period for the notice of proposed rulemaking titled “Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations” that was published in the Federal Register on August 7, 2025. FAA seeks additional comments on the electronic conspicuity and right-of-way topics identified in this notice.” Comments due: February 11th, 2026.

Tuesday, January 27, 2026

CISA Adds FortiGuard Vulnerability to KEV Catalog – 1-27-28

Today, CISA announced that it had added to its KEV catalog an authentication bypass using an alternate path or channel vulnerability in multiple FortiGuard products. FortiGuard reported the vulnerability today, after internal reporting on efforts to contain exploits of the vulnerability in their FortiCloud product starting on January 22nd, 2026.

CISA has told federal agencies operating the affected FortiGuard products to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. A deadline of January 30th, 2026 has been set.

Review – 4 Advisories Published – 1-27-25

Today CISA’s NCCIC-ICS published four control system security advisories for products from Johnson Controls, Schneider Electric, Festo, and iba Systems.

Advisories

Johnson Controls Advisory - This advisory describes a command injection vulnerability in multiple Johnson Controls products.

Schneider Advisory - This advisory discusses five vulnerabilities in Schneider Zigbee products.

NOTE: I briefly described these vulnerabilities on January 17th, 2026.

Festo Advisory - This advisory discusses 140 vulnerabilities in the Festo Didactic SE MES PC. These are third-party vulnerabilities.

I briefly discussed these vulnerabilities on February 26th, 2024.

Iba Advisory - This advisory describes an incorrect permissions assignment for critical resource vulnerability in the iba ibaPDA.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-1-27-25 - subscription required.

FCC Withdraws Space Resources Rulemaking

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the FCC had withdrawn their advanced notice of proposed rulemaking (ANPRM) on “Exploring Efficient Use of Space Resources”. The rulemaking was submitted to OIRA on September 19th, 2025. The rulemaking was not listed in the Spring 2025 Unified Agenda, and I can find nothing on the FCC’s Space Bureau’s web site on this rulemaking.

Monday, January 26, 2026

Review - HR 7128 Introduced – TRIA Reauthorization

Earlier this month Rep Flood (R,NE) introduced HR 7128, the TRIA Program Reauthorization Act of 2026. The bill would reauthorize the Terrorism Risk Insurance Act (TRIA) program through 2034 and make changes to the program’s certification process. No new funding is authorized.

Markup Hearing

On January 22nd, 2026 the House Financial Services Committee held a business meeting that considered HR 7128, along with eight other bills. Substitute language was offered by Flood. Four amendments were offered. All four were rejected; two by near party-line votes of 18 to 34, one by a vote of 2 to 49, and one by voice vote. The amended version of the bill was adopted by a vote of 51 to 2.

Moving Forward

The bill is now ready for consideration by the full House. With the strong bipartisan support seen in Committee, the bill is likely to be considered under the suspension of the rules process. I would expect to see similar bipartisan support in that vote.

For more information on the provisions of this bill, including a commentary on cybersecurity insurance coverage, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7128-introduced-tria-reauthorization - subscription required.

Sunday, January 25, 2026

Review – Public ICS Disclosures – Week of 1-17-26

For Part 2 we have 2 additional vendor disclosures from Rockwell. There are also five vendor updates from ABB, FortiGuard, HPE, Siemens, and VMware. We have bulk researcher reports for products from MedDream (22). Finally, we have two exploits for products from Splunk.

Advisories

Rockwell Advisory #1 - Rockwell published an advisory that describes nine uncontrolled resource consumption vulnerabilities in their ArmorStart LT product.

Rockwell Advisory #2 - Rockwell published an advisory that describes a missing release of memory after effective lifetime vulnerability in their 1756-RM2(XT).

Updates

ABB Update - ABB published an update for their ABB 800xA Base advisory that was originally published on June 5th, 2024, and most recently updated on February 7th, 2025.

FortiGuard Update - FortiGuard published an update for their cw_acd daemon advisory that was originally published on January 13th, 2026.

HPE Update - HPE published an update for their Aruba Networking Access Points advisory that was originally published on August 3rd, 2024, and most recently updated on March 14th, 2025.

Siemens Update - Siemens published an update for their RUGGEDCOM APE1808 Devices advisory that was originally published on May 13th, 2025, and most recently updated on January 13th, 2026.

Bulk Researcher Reports – MedDream (22)

MedDream PACS Premium modifyUser reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium emailfailedjob reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyTranscript reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium downloadZip reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium downloadZip reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium autoPurge reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyAnonymize reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyEmail reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyCoercion reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyHL7Route reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium existingUser reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium ldapUser reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium notifynewstudy reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium encapsulatedDoc arbitrary file read vulnerability,

MedDream PACS Premium modifyRoute reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium sendOruReport reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium encapsulatedDoc reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyHL7App reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium config.php multiple reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium fetchPriorStudies reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyAutopurgeFilter reflected cross-site scripting (XSS) vulnerability,

MedDream PACS Premium modifyAeTitle reflected cross-site scripting (XSS) vulnerability

NOTE: These Cisco Talos reports include proof-of-concept code.

Exploits

Splunk Exploit #1 - Alex Hordijk published a Metasploit module for a function call with an incorrectly specified argument value vulnerability in the Splunk Enterprise product.

Splunk Exploit #2 - Psytester published a Metasploit module for a code injection vulnerability in the Splunk Enterprise product.


For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-aab - subscription required.

Saturday, January 24, 2026

Short Takes – 1-24-26

Former astronaut joins Vast as Haven-1 moves into integration. SpaceNews.com article. Pull quote: “Vast is leveraging the experience of former astronauts and agency officials as it works on commercial space stations, beginning with Haven-1. The single-module station will launch on a Falcon 9 rocket and be visited by up to four Crew Dragon spacecraft on short-duration missions.”

House appropriator sees ‘room for improvement’ in NASA funding for 2027. SpaceNews.com article. Pull quote: ““This package was obviously better than we originally anticipated, but that doesn’t mean there isn’t room for improvement,” she [Rep Meng (D,NY)] said of the fiscal year 2026 minibus. “We want to, at the very least, hold to a minimum what we were able to collectively accomplish for this fiscal year.””

Blue Origin flies first New Shepard mission of 2026. SpaceNews.com article. Pull quote: “A sixth customer had originally been announced for the flight: Andrew Yaffe, a businessman and traveler. However, Blue Origin said Jan. 20 that he was unable to fly on NS-38 because of an illness and will instead go on a future mission. He was replaced by Laura Stiles, director of New Shepard launch operations. Stiles joined the company in 2013 and has worked in multiple New Shepard roles, including as “Crew Member 7,” the person who leads training for New Shepard crews.”

Damaged Shenzhou-20 spacecraft survives reentry, Shenzhou-23 arrives at spaceport. SpaceNews.com article. Pull quote: “Shenzhou-21 mission commander Zhang Lu and crewmate Wu Fei conducted an extravehicular activity Dec. 9 (UTC), inspecting the damaged window from outside the spacecraft. The astronauts applied a patch, delivered in Shenzhou-22, to the window from the inside, designed to improve the spacecraft’s heat protection and sealing capabilities during reentry.”

The Sky is Full of Secrets: Glaring Vulnerabilities Discovered in Satellite Communications. HomelandSecurityNewswire.com article. Pull quote: “Close to half of the communications beamed from satellites to the ground that the researchers were able to listen in on were not encrypted. This included sensitive data including cellular text messages, voice calls, as well as sensitive military information, data from internal corporate and bank networks, and the in-flight online activity of airline passengers.”

Tomorrow.io unveils DeepSky: constellation of large satellites and instruments. SpaceNews.com article. Pull quote: ““Operational resilience now depends on treating atmospheric data with the same rigor as any other mission-critical infrastructure,” said Nikhil Ahuja, Amazon senior director, planning and supply chain. “The advancement in sensing and rapid refresh frequency DeepSky enables creates a new class of AI-driven decision systems that are more adaptive and localized. This evolution will define the future of the world’s largest-scale operations.””

Trump Declared a Space Race With China. The US Is Losing. Wired.com article. Pull quote: “Today, much of the world drives Chinese electric cars, powers their homes with Chinese solar panels, and stays in touch with made-in-China phones. Chinese scientists have eclipsed their American counterparts in the production of high-quality research, and the White House has responded by gutting American science funding and charging $100,000 to let in highly skilled immigrants. So if Chinese astronauts step down from their lander and livestream the results in 4K—and to be clear, it’s still an “if” at this point—it’ll be more than a point of national pride for Beijing. It’ll be a declaration that the American Century is officially over.”

Expandable space stations are back… well at least Max Space thinks they are. UFOFeed.com article. Pull quote: “Expandable, fabric-based structures allow designers to maximize volume while staying within the mass and size limits of current launch vehicles. NASA has previously tested inflatable modules in orbit, demonstrating that layered “soft-goods” structures can provide effective protection against micrometeoroids, radiation, and pressure loss. Max Space’s aim is to scale that heritage into a standalone destination rather than an auxiliary module. If successful, this could significantly reduce the cost and complexity of maintaining a human presence in orbit.”

Backlog List

Should we be moving data centers to space?

Beyond the horizon: cost-driven strategies for space-based data centers,

China launches experimental cargo spacecraft, opaque tech demo mission and remote sensing satellite,

Why Even Consider Space Now? Because The Earth-Side Constraints Got Loud,

MAVEN telemetry shows changes to spacecraft orbit and rotation,

SpaceX claims close approach to Starlink satellite by payload from Chinese launch,

Digantara raises $50 million to expand from space surveillance to missile defense,

OQ Technology links commercial IoT chipset to LEO satellite,

Interstellar comet 3I/ATLAS makes its closest approach to Earth tonight: Here's what you need to know, and

Oh look, yet another Starship clone has popped up in China.

Chemical Incident Reporting – Week of 1-17-26

NOTE: See here for series background.

Port Panama City, FL – 1-8-26

Local News Report: Here, here, here, and here.

There was a chemical incident here where a muriatic acid cloud was formed during cleaning of a bulk cargo vessel. Muriatic acid was used to clean out a hold containing cement residue. The heat of the acid/base reaction caused a muriatic acid cloud to form. 11 people were transported to hospital for exposure to the fumes. At least one person was admitted to the hospital.

Not CSB reportable, transportation related incident.

Plumstead Township, PA – 1-21-26

Local News Report: Here, here, here, and here.

There was a fluorine gas leak at a medical gas company. No injuries were reported. There was no information on the amount of the leak or any reported damages.

Not CSB reportable.

OMB Approves PHMSA Space Related Hazmat Transportation ANPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advance notice of proposed rulemaking (ANPRM) from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) on “Hazardous Materials: Modernizing Regulations to Facilitate Transportation of Spacecraft and Space Related Hazardous Materials”. This rulemaking was sent to OIRA on December 19th, 2025.

According to the Spring 2025 Unified Agenda for this rulemaking:

“In this rulemaking, PHMSA would amend the Hazardous Materials Regulations (HMR) to modernize and streamline the HMR, where necessary, to facilitate the transportation of hazardous materials involved in U.S. space operations. PHMSA will aim to identify problems and friction with the current regulatory scheme and potentially reduce burdens on both PHMSA and the regulated community while advancing U.S. interests in the space industry. PHMSA would coordinate closely with its interagency partners (Department of Defense, National Aeronautics and Space Administration, etc.) and its modal partners (Federal Aviation Administration, Federal Motor Carrier Safety Administration, Federal Railroad Administration, and U.S. Coast Guard) to ensure a comprehensive approach that allows for the seamless movement of goods across multiple modes of transport while allowing for the specific needs of each mode to be safely addressed.”

This rulemaking was approved ‘subject to change’, so that may affect how quickly this ANPRM will be published in the Federal Register. It may appear there as early as next week.

CSB Applauds St Louis Board of Aldermen’s Actions

Following up on Tuesday’s recommendation status update, yesterday the Chemical Safety Board (CSB) formally recognized the actions of the St Louis, MO Board of Aldermen for their response to the CSB’s recommendations from the investigation of the Loy Lange Box Company explosion in 2017. The Aldermen recently updated local ordinances that “standardize in-service inspections for pressure vessels and establish minimum qualifications for personnel conducting in-service inspections of boilers and pressure vessels.” The Board continues to work with the Mayor of St Louis to resolve the final outstanding recommendation from that incident investigation.

Review – Public ICS Disclosures – Week of 1-17-26 – Part 1

We have a moderately busy disclosure week. For Part 1 we have 10 vendor disclosures from Beckhoff, Belden, B&R Automation (2), Carrier, Fujitsu, Hitachi, and HPE (3).

Advisories

Beckhoff Advisory - CERT-VDE published an advisory that describes a cross-site scripting vulnerability in their TwinCAT 3 HMI Server.

Belden Advisory - Belden published an advisory that discusses an improper handling of length parameter inconsistency vulnerability (that is listed in CISA’s KEV catalog) in their Connectivity Suite product.

B&R Advisory #1 - B&R published an advisory that describes an allocation of resources without limit or throttling vulnerability in their Automation Runtime products.

B&R Advisory #2 - B&R published an advisory that describes an improper certificate validation vulnerability in their Automation Studio product.

Carrier Advisory - Carrier published an advisory that describes a storing password in a recoverable format vulnerability in their Automated Logic WebCTRL and Carrier i-Vu products.

Fujitsu Advisory - CERT-JP published an advisory that describes an uncontrolled search path element vulnerability in the Fujitsu ServerView Agents for Windows.

Hitachi Advisory - Hitachi published an advisory that discusses 28 vulnerabilities in their Disk Array systems.

HPE Advisory #1 - HPE published an advisory that discusses 19 vulnerabilities (4 with publicly available exploits, 1 listed in KEV catalog) in their Telco Universal SLA Management product.

HPE Advisory #2 - HPE published an advisory that discusses an out-of-bounds write vulnerability in their Telco IP product (ONMS Adapter).

HPE Advisory #3 - HPE published an advisory that describes a privilege escalation vulnerability in multiple HPE products utilizing the Alletra OS.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-407 - subscription required.

Friday, January 23, 2026

Short Takes – 1-23-26 – Federal Register Edition

Notice and Request for Comment; Proposal for a New United Nations Global Technical Regulation on Automated Driving Systems (ADS). Federal Register NHTSA request for comments. Summary: “The United Nations Working Party on Automated/Autonomous and Connected Vehicles (GRVA), under the World Forum for the Harmonization of Vehicle Regulations (WP.29) at United Nations Economic Commission for Europe (UNECE), has proposed a draft Global Technical Regulation (GTR) for Automated Driving Systems (ADS). NHTSA is seeking public comment on the draft GTR to help inform the U.S. government's position, including how that position could relate to any future domestic actions regarding the safety and performance of Automated Driving Systems.” Comments due: February 23rd, 2026.

Request for Comment on Vestigial Vehicle Safety Regulations. Federal Register NHTSA request for comments. Summary: “In alignment with the Department's ongoing commitment to regulatory reform and the promotion of automotive innovation, NHTSA is seeking public comment to identify requirements and test procedures within the Federal Motor Vehicle Safety Standards (FMVSS) and regulations that no longer serve a functional safety purpose but continue to impose costs, stifle design creativity, or act as barriers to the deployment of new technologies. This request for comment specifically targets technical requirements that hinder the transition to technology-neutral, performance-based standards.”

Pipeline Safety: Distribution Integrity Management Program Considerations for Plastic Piping and Components. Federal Register PHMSA safety advisory bulletin. Summary: “PHMSA is issuing this advisory bulletin to remind owners and operators of natural gas distribution systems of requirements under the distribution integrity management program (DIMP) regulations regarding certain plastic piping and components.”

EO 14376 - Stopping Wall Street From Competing With Main Street Homebuyers. Federal Register.

CISA Adds VMware Vulnerability to KEV Catalog – 1-23-26

Today CISA announced that it had added an out-of-bounds write vulnerability in the VMware vCenter Server to their Known Exploited Vulnerability (KEV) catalog. The vulnerability was previously disclosed by Broadcom on June 18th, 2024. It was initially reported by Hao Zheng and Zibo Li from TianGong Team of Legendsec. VMware has new versions that mitigate the vulnerability. In November 2025, SentinelOne published (and updated yesterday) a brief report on the vulnerability with proof-of-concept exploit code.

CISA has directed federal agencies using the affected product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A compliance date of February 13th, 2026 has been established.

Review – HR 7147 and HR 7148 Passed in House

Yesterday the House took up the last two spending bills, HR 7147 and HR 7148. After passing the rule for the consideration of the two bills (H Res 1014) by an expected party-line vote of 214 to 213, they first considered HR 7148, the Consolidated Appropriations Act, 2026 (covering DOD, LHH, and THUD spending). After rejecting the two proposed amendments authorized by the rule, the House passed HR 7148 by a bipartisan vote of 341 to 88 (24 Republicans and 64 Democrats voting Nay). The House then took up HR 7147, the Department of Homeland Security Appropriations Act, 2026. They passed that bill by a near party-line vote of 220 to 207 (1 Republican voting Nay and 7 Democrats voting Yea).


For more details about these bills, including DHS extenders and legislative poison pills, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7147-and-hr-7148-passed-in-house - subscription required. Free subscription holders will receive a delayed copy of the premium CFSN article.

Review – Bills Introduced – 1-22-26

Yesterday, with just the House in Washington, and the Senate meeting in pro forma session, there were 47 bills introduced. There is one bill that will be covered in this blog:

HR 7208 To direct the Secretary of Commerce to submit a report assessing vulnerabilities to the electric grid in the United States from certain Internet-connected devices and applications, and for other purposes. Crenshaw, Dan [Rep.-R-TX-2]


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill requiring the use of AI in reviewing federal regulations, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-22-26 - subscription required.
