Thursday, January 15, 2026

Review – 12 Advisories and 3 Updates Published – 1-15-26

Today CISA’s NCCIC-ICS published 15 control system security advisories for products from Siemens (9), Schneider Electric, Festo, and AVEVA. They also updated advisories for products from Mitsubishi Electric (2) and Axis Communications.

Advisories

SIMATIC Advisory #1 - This advisory describes five vulnerabilities in the Siemens SIMATIC CN 4100 communications node.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

SIMATIC Advisory #2 - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC and SIPLUS product lines.

RUGGEDCOM Advisory #1 - This advisory describes six vulnerabilities in the Siemens RUGGEDCOM ROX II family.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

RUGGEDCOM Advisory #2 - This advisory discusses four vulnerabilities in the Siemens RUGGEDCOM APE1808 Devices.

RUGGEDCOM Advisory #3 - This advisory describes an improper input validation vulnerability in the Siemens RUGGEDCOM ROS products.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

Industrial Edge Advisory #1 - This advisory describes an authorization bypass through user-controlled key vulnerability in the Siemens Industrial Edge Device Kit.

Industrial Edge Advisory #2 - This advisory describes an authorization bypass through user-controlled key vulnerability in the Siemens Industrial Edge Devices.

SINEC Advisory - This advisory describes two vulnerabilities in the Siemens SINEC Security Monitor.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

TeleControl Advisory - This advisory describes an execution with unnecessary privileges vulnerability in the Siemens TeleControl Server Basic.

Schneider Advisory - This advisory describes two vulnerabilities in the Schneider EcoStruxure Power Build Rapsody.

Festo Advisory - This advisory describes an insufficient technical documentation vulnerability in multiple Festo products.

I briefly discussed this vulnerability on December 3rd, 2022.

AVEVA Advisory - This advisory describes seven vulnerabilities in the AVEVA Process Optimization product.

Updates

Mitsubishi Update #1 - This update provides additional information on the MC Works64 Products advisory that was originally published on July 26th, 2022, and most recently updated on July 24th, 2025.

NOTE: I briefly discussed this updated information on January 10th, 2026.

Mitsubishi Update #2 - This update provides additional information on the FA Engineering Software Products advisory that was originally published on May 14th, 2024, and most recently updated on August 28th, 2025.

Axis Update - This update provides additional information on the Camera Station Pro advisory that was originally published on December 18th, 2025.

 

For more information on these advisories, as well as an ongoing discussion about CISA format changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-advisories-and-3-updates-published - subscription required.
