Chemical Incident Reporting – Week of 2-14-26

NOTE: See here for series background.

TWITTER: Chemical Incident Reporting – Week of 2-14-26 –

Janesville, WI – 2-12-26

Local News Report: Here, here, here, and here.

There was a steam explosion at a food processing facility. Two people were transported to a hospital with burns, one was sent onward to a burn unit. No reports yet on the amount of damages at the facility.

CSB reportable.

Alington, VT– 2-15-26

Local News Report: Here, here, here, and here.

There was a fuel tanker rollover accident with a release of fuel into a local stream. Responders dammed the stream so that the spilled fuel could be recovered. The driver received minor injuries.

Not CSB reportable, this was a transportation related incident.

Fairfield, OH – 2-17-26

Local News Report: Here, here, here, and here.

There was an explosion and fire at a food treatment facility. One worker was killed and two were transported to local hospitals. No reports yet on the amount of damages at the facility.

CSB reportable.

Toledo, OH – 2-20-26

Local News Report: Here, here, here, and here.

There was an anhydrous ammonia leak from a refrigeration system at a food processing facility. The facility was evacuated and a shelter-in-place order was put in place for the surrounding area. No injuries or damages were reported.

Not CSB reportable.

Review – Bills Introduced – 2-20-26

Yesterday, with the House meeting in pro forma session, there were 41 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7625 To direct the Comptroller General of the United States to conduct a review of the budget, resources, and capabilities of the Coast Guard as the co-Sector Risk Management Agency for the marine transportation system. McDowell, Addison P. [Rep.-R-NC-6]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a mention in passing about a bill that would provide individuals tax credits for the recently vacated presidential tariffs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-20-26 - subscription required.

Review – Public ICS Disclosures – Week of 2-14-26 – Part 1

This was a moderately busy disclosure week. For Part 1 we have bulk vendor disclosures from HPE (6). We have 12 additional vendor disclosures from Arista, Broadcom (2), B&R Automation, Dassault Systems (4), Hitachi, HP, Philips, and Sick.

Bulk Vendor Disclosures – HPE

• HPESBHF04864 rev.1 - Certain HPE SimpiVity Servers Using Certain Intel Processors, INTEL-SA-01244, 2025.2 IPU, Intel Processor Advisory, Local Denial of Service Vulnerability,

• HPESBNW04983 rev.1 - HPE Telco Service Orchestrator software, Prototype Pollution Vulnerability,

• HPESBHF04967 rev.1 - Certain HPE SimpliVity Servers Using Certain Intel Processor BIOS, INTEL-SA-01234, 2025.3 IPU, UEFI Reference Firmware Advisory., Multiple Vulnerabilities,

• HPESBNW05011 rev.1 - Telco Service Activator, Improper Input Validation,

• HPESBNW05012 rev.1 - Local Privilege Escalation Vulnerability in HPE Aruba Networking ClearPass Policy Manager (CPPM) OnGuard Software for Linux,

• HPESBNW04998 rev.1 - Prototype Pollution Vulnerability in HPE Telco Network Function Virtualization Orchestrator

Advisories

Arista Advisory - Arista published an advisory that describes an operation on a resource after expiration or release vulnerability on multiple platforms running their EOS software.

Broadcom Advisory #1 - Broadcom published an advisory that discusses an improper neutralization of a NULL byte or NUL character vulnerability in their Brocade SANnav base OS.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an out-of-bounds write vulnerability in their Brocade SANnav OVA products.

B&R Advisory - B&R published an advisory that discusses 25 vulnerabilities in their Automation Studio product.

Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIAvpm Web Access product.

Dassault Advisory #2 - Dassault published an advisory that describes an out-of-bounds write vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Dassault Advisory #3 - Dassault published an advisory that describes an out-of-bounds read vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Dassault Advisory #4 - Dassault published an advisory that describes a use of uninitialized variable in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Hitachi Advisory - Hitachi published an advisory that discusses 72 vulnerabilities in their Disk Array Systems. These are third-party (Microsoft) vulnerabilities.

HP Advisory - HP published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Samsung MultiXpress Multifunction Printers.

Philips Advisory - Philips published an advisory that discusses a Google Chrome use after free vulnerability.

Sick Advisory - Sick published an advisory that discusses two Eclipse Cyclone DDS vulnerabilities.

 

For more information on these disclosures, including links to 3^rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-fb5 - subscription required.

Chemical Transportation Incidents – Week of 1-17-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

NOTE: PHMSA resumed making their database publicly searchable on February 17^th, 2026.

Incidents Summary

• Number of incidents – 387 (349 highway, 36 air, 1 rail, 1 water)

• Serious incidents – 2 (0 Bulk release, 1 evacuation, 1 injury, 0 death, 0 major artery closed, 3 fire/explosion, 42 no release)

• Largest container involved – 4,378-gcf DOT 112J340W Railcar {Liquefied Petroleum Gas} Undescribed leak.

• Largest amount spilled – 55-gal Plastic Drum {Corrosive Liquids, N.O.S.} Other container fell on plastic drum.

• Total amount reported spilled in all incidents – 676.2-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Heptanes - Clear colorless liquids with a petroleum-like odor. Flash point 25°F. Less dense than water and insoluble in water. Vapors heavier than air. (Source: CameoChemicals.NOAA.gov).

 

Short Takes – 2-20-26 – Federal Register Edition

Notice of Request for Extension of Approval of an Information Collection; Emergency Management Response System. Federal Register USDA/APHIS 60-day IUCR renewal – Summary: “When a potential foreign animal disease incident is reported, APHIS or State animal health officials dispatch a foreign animal disease veterinary diagnostician to the premises of the reported incident to conduct an investigation. The diagnostician obtains vital epidemiological data by conducting field investigations, including sample collection, and by interviewing the owner or manager of the premises being investigated. These important data, submitted electronically by the diagnostician into EMRS, include such items as the purpose of the diagnostician's visit and suspected disease, type of operation on the premises, the number and type of animals on the premises, the number of sick or dead animals on the premises, the results of physical examinations of affected animals and necropsy examinations, vaccination information on the animals in the herd or flock, biosecurity practices at the site, whether any animals were recently moved out of the herd or flock, whether any new animals were recently introduced into the herd or flock, the number and kinds of test samples taken, and detailed geographic data concerning the premises location.”

Pipeline Safety: Incident Notifications to the National Response Center. Federal Register PHMSA issuance of advisory bulletin. Summary: “PHMSA is issuing this advisory bulletin to remind operators of gas pipelines, underground natural gas storage (UNGS) facilities, and liquefied natural gas (LNG) facilities of their obligation to report incidents in accordance with PHMSA's incident reporting requirements. This advisory bulletin addresses a safety recommendation [link added] that the National Transportation Safety Board (NTSB) issued to PHMSA in response to a fatal incident that occurred on a gas distribution system in February 2018.”

Notice of Availability of the Final Tiered Environmental Assessment and Finding of No Significant Impact/Record of Decision for Updates to Airspace Closures for Additional Launch Trajectories and Starship Boca Chica Landings of the SpaceX Starship-Super Heavy Vehicle at the SpaceX Boca Chica Launch Site in Cameron County, Texas. Federal Register FAA notice of availability. Summary: “In accordance with the National Environmental Policy Act of 1969, as amended (NEPA) and FAA Order 1050.1G, FAA National Environmental Policy Act Implementing Procedures, the FAA is announcing the availability of the Final Tiered Environmental Assessment and Finding of No Significant Impact/Record of Decision for Updates to Airspace Closures for Additional Launch Trajectories and Starship Boca Chica Landings of the SpaceX Starship-Super Heavy Vehicle at the SpaceX Boca Chica Launch Site in Cameron County, Texas (Final Tiered EA and FONSI/ROD).”

Extension of Postponement of Effectiveness for Certain Provisions of Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA extension of postponement of effectiveness. Summary: “The Environmental Protection Agency (EPA or Agency) is extending the postponement of the effectiveness of certain regulatory provisions of the final rule entitled “Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA)” for an additional 90 days. Specifically, this postponement applies to the conditions imposed on the uses with TSCA section 6(g) exemptions.”

OMB Declines Generic CDC Traveler Screening ICR Approval

 Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had disapproved an information collection request (ICR) from the Centers for Disease Control (CDC) on “[NCZEID] Traveler Risk Assessment and Management Activities During Disease Outbreaks”. The 60-day ICR notice was published on June 16^th, 2025. The 30-day ICR notice was published on October 2^nd, 2025.

According to the discussion in the 60-day ICR notice:

“Disease outbreaks do not occur at regular intervals, which makes it difficult to estimate how often information collection will be necessary. The purpose of this Generic ICR is to aid in CDC's responsibility to ensure the successful implementation of traveler management in an efficient and timely manner. DGMH intends use this Generic ICR in the event of a disease outbreak that would necessitate the public health assessment and/or monitoring of travelers arriving in the U.S. Although it is possible to anticipate some broad categories of information that would need to be collected, (e.g., potential exposures, symptoms, contact information, etc.), each response is unique and requires flexibility in terms of the specific information collection tool in each instance. Data collection instruments and methods must be rapidly created and implemented to direct appropriate public health action. Often specific questions will change, or new questions will evolve with each disease outbreak.”

In disapproving the proposed generic ICR, OIRA explained:

“Generics are generally voluntary, low-burden (based on a consideration of total burden, total respondents, or burden per respondent), and uncontroversial, thus the collections proposed do not seem appropriate for a generic clearance. CDC is welcome to continue to seek emergency clearance as needed during disease outbreaks.”

I suspect that the disapproval of this ICR is more a response to the problems associated with the management of the COVID epidemic than purely a purely ICR program management decision. While the COVID response should inform a more effective response to the next pandemic, this programmatic response from OIRA rejects that intent.

NASA Releases Starliner CFT Investigation Report

Today NASA announced the release of their report on the 2024 Starliner crewed flight test (CFT) that resulted in the two-person crew remaining on the ISS while the Starliner returned to Earth uncrewed. The two crew members returned much later on a special Crew-Dragon flight. While no one died in this incident, this report will probably end up ranking with the Columbia and Endeavor reports in importance to US manned space flight programs.

The quote about the report that is catching the most attention comes from the announcement today where NASA Administrator Jared Isaacman noted: “Beyond technical issues, it is clear that NASA permitted overarching programmatic objectives of having two providers capable of transporting astronauts to-and-from orbit, influence engineering and operational decisions, especially during and immediately after the mission.”

For more detailed discussions about the report and its importance, see the articles here and here.

Review – 4 Advisories Published – 2-19-26

Today CISA’s NCCIC-ICS published four control system security advisories for products from Welker, Jinan USR IOT Technology, Valmet, and EnOcean Edge.

Advisories

Welker Advisory - This advisory describes a missing authentication for critical function vulnerability in the Welker OdorEyes EcoSystem.

Jinan Advisory - This advisory describes four vulnerabilities in the Jinan USR-W610 Wi-Fi router.

Valmet Advisory - This advisory describes a path traversal vulnerability in the Valmet DNA Engineering Web Tools.

EnOcean Advisory - This advisory describes two vulnerabilities in the EnOcean Smart Server IoT products.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-2-19-26 - subscription required.

Review – HR 7338 Introduced – RSAC Codification

Earlier this month Rep Sykes (D,OH) introduced HR 7338, the Railroad Safety and Accountability Act. The bill would codify the establishment and operation of the Railroad Safety Advisory Committee (RSAC) which was established by DOT’s Federal Railroad Administration (FRA) in 1996. It would amend 49 USC by adding a new §20122, Railroad Safety Advisory Committee. The bill would authorize “such funds as would be necessary” from the Highway Trust Fund for the operations of the RSAC.

The RSAC was effectively terminated in August of 2025 as part of the Administration’s efforts to recraft advisory committees to reflect their policy agendas. In January 2026, the FRA announced the reestablishment of the Charter for the RSAC in the Federal Register. There are not yet any members appointed to the ‘new’ RSAC.

Moving Forward

Sykes is a member of the House Transportation and Infrastructure Committee to which this bill is assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. While the provisions of this bill would appear to be relatively uncontroversial, I suspect that there may be some Administration push-back because of a perceived criticism of how they mistreated the previous RSAC. Still, I expect that this bill would receive some level of bipartisan support were it to be considered, but I am not confident that it would be sufficient to allow the bill to be considered by the full House under the suspension of the rules process.

Commentary

Advisory committees like RSAC provide regulatory agencies with an invaluable tool to help them develop workable regulatory schemes to deal with a wide variety of safety and security issues. The varied backgrounds and agendas of the members provide the parent agency with a variety of perspectives that are not available in-house. This helps those agencies avoid unanticipated problems with the publish and comment process of regulatory development.

 

For more information on the provisions of this bill, including additional commentary on Congress utilizing the expertise of advisory committees, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7338-introduced-rsac-codification - subscription required.

CSB Publishes Volume 4 of Their Incident Reports Series – 2-18-26

Yesterday the Chemical Safety Board (CSB) announced the publication of the fourth volume of their Incident Reports Series. This volume provides 13 investigation summaries of incidents reported since 2020. The investigations were not conducted by the CSB, but rather by the affected companies. Volume 1 (26 incidents) was published in January, 2025, Volume 2 (25 incidents) in March 2025, and Volume 3 (30 incidents) in July 2025.

While these investigation reports are not up to the technical standards of the CSB, they still provide valuable insights into how accidental releases occur in the chemical industry. Readers are going to have to deduce and apply the lessons learned as there are no recommendations from the Board at the end of these reports.

That these companies are willing to publicly share their accident investigation results with the public through the auspices of the CSB positively reflect on the chemical safety investigations and outreach efforts of the Board. The idea that unrelated entities can learn from the mistakes of others in the realm of chemical safety is the largest legacy of this underfunded agency. It is heartening to see that Congress remains willing and able to continue to fund the CSB even in the face of the anti-government agenda of the current administration.

Administrative Note: Volume 4 is not yet listed on the CSB’s Incident Reporting Rule Submission Information and Data page where the other three volumes are reported. I expect that this administrative oversight will be corrected in the near future.

NRC Sends Foreign Ownership Direct Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a direct final rule from the Nuclear Regulatory Commission (NRC) on “Exceptions from Foreign Ownership, Control, or Domination [NRC-2024-0218]”. This rulemaking is supporting the requirements of §301 of the Accelerating Deployment of Versatile, Advanced Nuclear for Clean Energy Act of 2024 (Division B of PL 118-67, 138 STAT. 1465).

The Spring 2025 Unified Agenda entry for this rulemaking notes:

“This rulemaking would amend the NRC’s regulations to comply with Section 301 of the Accelerating Deployment of Versatile, Advanced Nuclear for Clean Energy Act of 2024, which has designated certain exclusions from the foreign ownership, control, or domination provision set forth in the Atomic Energy Act of 1954, as amended. This rulemaking would affect applicants and licensees of commercial nuclear power reactor or non-power production or utilization facilities that are owned, controlled, or dominated by a foreign entity.”

I am not expanding coverage of this blog to include the NRC; really, I am not. This rulemaking just caught my interest. I do not expect that there will be any detailed coverage of this rule here, but I will almost certainly mention its publication in the Federal Register in the appropriate Short Take post.

Review – EPA Publishes Hazardous Substance Facility Response Plans ANPRM

Today the EPA published an advanced notice of proposed rulemaking in the Federal Register (91 FR 7415-7420) on: “Clean Water Act Hazardous Substance Facility Response Plans; Amendment Reconsideration”. This rulemaking seeks feedback on potential amendments to address implementation challenges and clarify requirements from the 2024 final rule.

Background Information

The preamble to this ANPRM provides a detailed discussion about the provisions of the 2024 rulemaking. It then goes on to discuss the implementation issues that have arisen since that final rule was put into place. These include issues related to facility applicability and program implementation.

Public Comments

The EPA is soliciting public comments on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # EPA-HQ-OLEM-2025-1707). Comments should be submitted by March 20^th, 2026.

 

For more information about this proposed rulemaking, including a look at the questions the EPA is providing for consideration, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-hazardous-substance - subscription required.

NRC Sends Modernizing Security for Nuclear Materials NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the Nuclear Regulatory Commission (NRC) on “Modernizing Requirements Relating to Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material [NRC-2025-1238]”. This rulemaking was not listed in the Spring 2025 Unified Agenda.

The rulemaking would appear to be targeting amendments to 10 USC Part 37, Physical protection of category 1 and category 2 quantities of radioactive material. This Part was included as one of the recent regulatory revisions published on December 3^rd, 2025, where the NRC placed portions of regulations under a new sunset provision (in this case sunsetting on January 8^th, 2027), so this rulemaking should also serve as the first 5 year extension of that sunset.

According to an NRC memo on FY 2026 regulatory priorities:

“This initiative aims to modernize the NRC's regulations by removing unnecessary requirements relating to physical protection and security of category 1 and category 2 quantities of radioactive material, while maintaining safety and security. The NRC anticipates the proposed rule to be published in March 2026.”

According to that memo, the listed regulatory efforts (including this rulemaking) are being proposed in response to EO 14300, Ordering the Reform of the Nuclear Regulatory Commission. It also notes that the proposed rulemakings “are deregulatory and are expected to result in cost savings to both NRC and Industry stakeholders”.

This rulemaking is generally outside of the scope of this blog, but it deserves mention as it deals with chemical security in the most extreme case.

Review – 4 Advisories Published – 2-17-26

Today CISA published four control system security advisories for products from Honeywell, GE Vernova, Delta Electronics, and Siemens.

Advisories

Honeywell Advisory - This advisory describes a missing authentication for critical function vulnerability in the Honeywell CCTV Products.

GE Advisory - This advisory describes two vulnerabilities in the Vernova Enervista UR Setup tool.

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta ASDA-Soft configuration software.

NOTE: I briefly discussed this vulnerability on February 7^th, 2026.

Siemens Advisory - This advisory that describes six vulnerabilities in their Simcenter Femap and Nastran products.

NOTE: I briefly discussed these vulnerabilities on February 14^th, 2026.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-2-17-26 - subscription required.

Review – HR 7257 Introduced – State Energy Plans

Last month Rep Latta (R,OH) introduced HR 7257, the Securing Community Upgrades for a Resilient (SECURE) Grid Act. The bill would amend 42 USC 6326 to require States to include local distribution systems in their State Energy Security Plans described in that section. No new funding is authorized by this legislation.

The bill is similar to HR 9083 that was introduced by Latta in July 2024. No action was taken on that bill in the 118^th Congress. While similar in intent, HR 7257 is a substantial rewrite. Some of the changes of interest include:

Modifying the proposed definition of the term ‘local distribution systems’ by increasing the maximum voltage from 35 kilovolts to 100 kilovolts,

Removing the proposed language being added to (b)(2)(B) referencing “energy supply disruptions resulting from increased demand on the electric grid, deteriorating assets [emphasis added], and physical and cybersecurity threats”, and

Removing from the proposed language revision in (b)(3) reference to “risks and liabilities posed by human error or mismanagement”.

Moving Forward

Latta and his two cosponsors are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that there will be some level of bipartisan support for this bill in Committee. Whether that support would be sufficient to see the bill considered in the Full House under the suspension of the rules remains to be seen.

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7257-introduced-state-energy-plans - subscription required.

Review - HR 7266 Introduced – Utility Cybersecurity Grants

Last month Rep Miller-Meeks (R,IA) introduced HR 7266, the Rural and Municipal Utility Cybersecurity Act. The bill would rewrite 42 USC 18723, the Rural and municipal utility advanced cybersecurity grant and technical assistance program, to update and reauthorize that program. The existing $250 million annual authorization for the program would be extended through 2030.

The existing Rural And Municipal Utility Advances Cybersecurity Grant And Technical Assistance Program was authorized in 2021 by §40124 of the Infrastructure Investment and Jobs Act (PL 117-58, 135 STAT 953). There is no sunset provision in this statute, but the spending authorization is only included through FY 2026.

Moving Forward  

Miller-Meeks, and her two cosponsors, are all members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that there would be significant bipartisan support for this bill, which should allow for it to be considered by the full House under the suspension of the rules process. That would mean limited debate, no floor amendments, and it would require a super majority for passage.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7266-introduced-utility-cybersecurity - subscription required.

Review – HR 6846 Introduced – UAS Threat Assessment

Back in December, Rep Crane (R,AZ) introduced HR 6846, the Detecting and Evaluating Foreign Exploitation of Novel Drones (DEFEND) Act. The bill would amend the Homeland Security Act of 2002 by adding a new section; §324, Annual assessment on terrorism threats to the United States relating to the use of unmanned aircraft systems by covered foreign adversaries, including terrorist organizations. No new funding is authorized by this bill.

I can find no legislation in the 118th Congress that would be similar to HR 6846. To date no congressional action has been taken on this bill.

Moving Forward

Crane and all five of his cosponsors are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I would expect that the bill would receive bipartisan support, and that support should be sufficient to see the bill considered in the full House under the suspension of the rules process.

Commentary

While the bill’s description of the information to be included in the assessment would seem to be comprehensive, it has two serious shortcomings. First, it does not include any consideration of the legal aspects of counter UAS operations that currently restrict State, local, and tribal organizations from effectively identifying, tracking and intercepting covered UAS systems. Second, it effectively ignores any potential efforts (and legal restriction on such efforts) by private sector critical infrastructure organizations to protect themselves.

 

For more information on the provisions of this bill, including suggested language to correct the shortcomings identified above, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6846-introduced-uas-threat-assessment - subscription required

Review – Public ICS Disclosures – Week of 2-7-26 – Part 2

 For Part 2 we have five additional vendor disclosures from Arista, HPE, Supermicro, WAGO, and Yokogawa. There are ten vendor updates from Broadcom (3), CODESYS (2), HP, HPE, and Schneider (3). We also have three researcher reports for products from Sante, Linksys, and Solax. Finally, we have three exploits for products from FortiGuard, Palo Alto Networks, and SolarWinds.

Advisories

Arista Advisory - Arista published an advisory that describes six vulnerabilities in their Next Generation Firewall.

HPE Advisory - HPE published an advisory that discusses an improper handling of values vulnerability in their ProLiant DL/ML/XD, Synergy, Edgeline, MicroServer.

Supermicro Advisory - Supermicro published an advisory that discusses 11 vulnerabilities in multiple Supermicro products.

WAGO Advisory - CERT-VDE published an advisory that describes four vulnerabilities in the WAGO Industrial-Managed-Switch 0852-XXXX products.

Yokogawa Advisory - Yokogawa published an advisory that describes six vulnerabilities in their Vnet/IP Interface Package.

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on August 1^st, 2023.

Broadcom Update #2 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on May 17^th, 2017.

Broadcom Update #3 - Broadcom published an update for their rsynd advisory that was originally published on September 13, 2022.

CODESYS Update #1 - CODESYS published an update for their CODESYS Control advisory that was originally published on December 1^st, 2025.

CODESYS Update #2 - CODESYS published an update for their CODESYS Control advisory that was originally published on December 1^st, 2025.

HP Update - HP published an update for their LaserJet advisory that was originally published on November 13^th, 2025, and most recently updated on December 10^th, 2025.

HPE Update - HPE published an update for their Aruba Networking EdgeConnect advisory that was originally published on January 14^th, 2026.

Schneider Update #1 - Schneider published an update for their EcoStruxure Power Operation advisory that was originally published on July 8^th, 2025.

Schneider Update #2 - Schneider published an update for their EcoStruxure Foxboro DCS advisory that was originally published on December 9^th, 2025.

Schneider Update #3 - Schneider published an update for their Uni-Telway Driver advisory that was originally published on February 11^th, 2025, and most recently updated on January 13^th, 2026.

Researcher Reports

Linksys Report - SySS Tech published a report that describes six vulnerabilities (with proof-of-concept code) in the Linksys MR9600 and MX4200 routers.

Sante Report - The Zero Day Initiative published a report that describes a buffer overflow vulnerability in the Sante DICOM Viewer Pro.

Solax Report - SEC Consult published a report that describes three vulnerabilities (with proof-of-concept code) in the Solax Power Pocket WiFi models.

Exploits

FortiGuard Exploit - Peter Gabaldon published an exploit for an exposure of sensitive information to an unauthorized actor vulnerability in the FortiGuard FortiGate product.

Palo Alto Networks Exploit - Indoushka published an exploit for four vulnerabilities in the Palo Alto Networks PAN-OS products.

 

For more information about these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-c98 - subscription required.

Short Takes – 2-14-26 – Federal Register Edition

Notice of Intent To Grant an Exclusive, Co-Exclusive or Partially Exclusive Patent License. Federal Register NASA notice of intent to grant patent license. Summary: “NASA intends to grant an exclusive, co-exclusive, or partially exclusive patent license in the United States to practice the inventions described and claimed in: U.S. Patent Nos. 8,593,153 entitled “Method of Fault Detection and Rerouting,” issued on November 26, 2013, and 8,810,255 entitled “In-Situ Wire Damage Detection System,” issued on August 19, 2014, to Sun City Smart Technology Solutions, Inc., having its principal place of business in El Paso, Texas. The fields of use may be limited. NASA has not yet made a final determination to grant the requested license and may deny the requested license even if no objections are submitted within the comment period.”

Notice Hazardous Materials: Notice of Actions on Special Permits. Federal Register notice of actions on special permit applications. Summary: “In accordance with the procedures governing the application for, and the processing of, special permits from the Department of Transportation's Hazardous Material Regulations, notice is hereby given that the Office of Hazardous Materials Safety has granted or denied the application described herein.”

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Rulemaking; Town Hall Meetings. Federal Register CISA meeting notice. Summary: “This notice announces town hall meetings to allow external stakeholders a limited additional opportunity to provide input on refining the scope and burden of the CIRCIA Notice of Proposed Rulemaking (NPRM) issued in the Federal Register on April 4, 2024. The proposed CIRCIA rulemaking seeks to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, as amended, by implementing covered cyber incident and ransom payment reporting requirements for covered entities.”

EO 14386 - Strengthening United States National Defense With America's Beautiful Clean Coal Power Generation Fleet. Federal Register.

Chemical Incident Reporting – Week of 2-7-26

NOTE: See here for series background.

HOCKLEY, TX– 2-7-26

Local News Report: Here and here.

There was a release of methyl mercaptan fumes from a rail car cleaning facility that caused the evacuation of a nearby school. Two students were transported to a local hospital but they treated and released. There were no physical damages related to this incident.

Not CSB reportable.

Methyl mercaptan is the chemical added in very low concentrations to natural gas and propane as an odorant to aid in detection of gas leaks of those two chemicals. VERY low concentrations in the air produce a detectable and objectionable odor.

I would like to suggest that CSB update their accidental release reporting regulations to add any release that results in the evacuation of a school or medical facility should be a reportable incident under those regulations.

Santa Rosa Beach, FL – 2-11-26

Local News Report: Here, here, and here.

There was an unidentified chemical spill from an unknown vehicle on a public road that released visible fumes. The roadway was blocked and hazmat crews cleaned up the spill. No injuries were reported.

Not CSB reportable, this was a transportation related incident.

This article raised an interesting list of questions about the response to this incident.

Midwest City, OK – 2-12-26

Local News Report: Here and here.

There was a cleaning chemical mixing incident at a food processing facility that resulted in the release of chlorine gas. The 50-gallon drum where the mixing took place was capped and the building was aired out. No injuries were reported and there were no damages related to the incident.

Not CSB reportable.

FCC Sends Satellite Broadband NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the Federal Communications Commission (FCC) on “Modernizing Spectrum Sharing for Satellite Broadband (SB Docket No. 25-157 [link added])”. This rulemaking was not listed in the Spring 2025 Unified Agenda. 

SB Docket 25-157 was opened on April 7^th, 2025. The FCC published a notice of proposed rulemaking for that docket on April 29^th, 2025. It is not clear what relationship exists between that NPRM and the one announced by OIRA yesterday.

I am posting this as part of my limited Space Geek coverage, and do not expect to cover this rulemaking in any detail beyond announcements of OIRA actions and mentions in the appropriate Short Takes posts for Federal Register notices.

Review – Public ICS Disclosures – Week of 2-7-26 – Part 1

This is a relatively busy disclosure week for the week of Cyber Tuesday. We have 43 bulk vendor disclosures from FortiGuard (6), Hitachi (8), HP (8), HPE (14), QNAP (7). We also have 10 bulk updates from Siemens (10). There are also seven other vendor disclosures from Bosch, Meinberg, Pheonix Contact, Schneider (2), and Siemens (2).

Bulk Disclosures – FortiGuard

• Firewall policy bypass in FSSO Terminal Services Agent,

• Format String Vulnerability in CAPWAP fast-failover mode,

• LDAP authentication bypass in Agentless VPN and FSSO,

• Request smuggling attack in FortiOS GUI,

• SSL-VPN Symlink Persistence Patch Bypass, and

• XSS via back button.

Bulk Disclosures – Hitachi

• Multiple Vulnerabilities in Cosminexus HTTP Server,

• Vulnerability in Cosminexus HTTP Server,

• Vulnerability in Cosminexus HTTP Server and Hitachi Web Server,

• Multiple Vulnerabilities in Cosminexus HTTP Server and Hitachi Web Server,

• Multiple Vulnerabilities in Cosminexus,

• Multiple Vulnerabilities in JP1,

• Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center, and

• Multiple Vulnerabilities in Hitachi Command Suite products

Bulk Disclosures – HP

• HP App – Potential Cross-Site Scripting,

• AMD Graphics Driver February 2026 Security Update,

• AMD Processors February 2026 Security Update,

• Certain HP OfficeJet Pro Printers – Denial of Service,

• Intel Chipset Firmware February 2026 Security Update,

• Intel Processor Firmware February 2026 Security Update,

• Certain HP OfficeJet Pro Printers - Information Disclosure, and

• Intel Graphics Software February 2026 Security Update.

Bulk Disclosures – HPE

• Certain HPE ProLiant Servers Using Certain Intel Processor BIOS, INTEL-SA-01406, Intel Quick Assist Technology (Intel QAT) Advisory, Multiple vulnerabilities,

• Certain HPE SimpliVity Servers Using Certain Intel Processors, INTEL-SA-01313, 2025.3 IPU, Intel Xeon Processor Firmware Advisory, Multiple Vulnerabilities,

• Certain HPE SimpliVity Servers Using Certain Intel Processors, INTEL-SA-01280, 2025.3 IPU, Intel Chipset Firmware Advisory, Multiple Vulnerabilities,

• Certain HPE SimpliVity Servers Using Certain Intel Processors, INTEL-SA-01312, Intel TDX Module Advisory, Multiple Vulnerabilities,

• Certain HPE StoreEasy Servers Using Certain Intel Processors, INTEL-SA-01396, 2026.1 IPU, Intel Processor Firmware Advisory, Local Escalation of Privilege Vulnerability,

• Certain HPE ProLiant DL/ML/XD, Synergy, Edgeline and Alletra Servers Using Certain Intel Processors, INTEL-SA-01314, 2025.4 IPU, Intel TDX Module Advisory, Local Escalation of Privilege Vulnerability,

• Certain HPE ProLiant DL/ML/XD, Synergy, Edgeline, and Alletra Servers Using Certain Intel • Processors, INTEL-SA-01397, 2026.1 IPU, Intel Trust Domain Extensions (Intel TDX) module Advisory, Multiple Vulnerabilities,

• Certain HPE ProLiant DL/ML/XD, Synergy, and Alletra Servers Using Certain Intel Processors, INTEL-SA-01401, UPLR1 - Intel Server Firmware Advisory, Local Denial of Service Vulnerability,

• HPE Aruba Networking EdgeConnect SD-WAN Orchestrator, Multiple Vulnerabilities,

• Certain HPE ProLiant AMD DL/XL Servers Using Certain AMD EPYC Processors, AMD-SB-3023:AMD Server Vulnerabilities, Multiple Vulnerabilities,

• HPE Intel E810 Series Ethernet Controllers, INTEL-SA-01171, Intel Ethernet Adapters 800 Series Advisory, Denial of Service Vulnerability,

• Certain HPE StoreEasy Servers Using Certain Intel Processors, INTEL-SA-01314, 2025.4 IPU, Intel TDX Module Advisory, Local Escalation of Privilege Vulnerability,

• Certain HPE StoreEasy Servers Using Certain Intel Processors, INTEL-SA-01397, 2026.1 IPU, Intel Trust Domain Extensions (Intel TDX) module Advisory, Multiple Vulnerabilities, and

• Multiple Vulnerabilities in HPE Aruba Networking Private 5G Core.

Bulk Disclosures – QNAP

• Multiple Vulnerabilities in Media Streaming add-on,

• Multiple Vulnerabilities in Qsync Central,

• Multiple Vulnerabilities in File Station 5,

• Vulnerabilities in Apache,

• Multiple Vulnerabilities in QTS and QuTS hero, 

• Multiple Vulnerabilities in QuTS hero, and

• Vulnerabilities in Samba.

Bulk Updates – Siemens

• Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.1,

• Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.2,

• Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices,

• Denial-of-Service Vulnerability in ET 200 Devices,

• Multiple Vulnerabilities in SiPass integrated,

• Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices,

• DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery,

• Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1,

• Vulnerabilities in EFI variable of SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs, and

• Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5.

Advisories

Bosch Advisory - Bosch published an advisory that describes four deserialization of untrusted data vulnerabilities in their Rexroth IndraWorks product.

Meinberg Advisory - Meinberg published an advisory that discusses 21 vulnerabilities in their LANTIME product.

Pheonix Contact Advisory - Pheonix Contact published an advisory that discusses an improperly controlled sequential memory allocation vulnerability in their mGuard products.

Schneider Advisory #1 - Schneider published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their SCADAPack and Remote Connect products.

Schneider Advisory #2 - Schneider published an advisory that describes two vulnerabilities in their EcoStruxureTM Building Operation Workstation and EcoStruxureTM Building Operation Webstation products.

Siemens Advisory #1 - Siemens published an advisory that describes six vulnerabilities in their Simcenter Femap and Nastran products.

Siemens Advisory #2 - Siemens published a bulletin that describes an absence of anti-tamper protections and modern exploit mitigation controls in the SIPORT Desktop Client Application.

 

For more information on these disclosures, including links to 3^rd party advisories, and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-fdd - subscription required.

Review – Bills Introduced – 2-13-26

Yesterday, with both the House and Senate in Washington (and preparing to go on a 1 week period of working from home), there were 99 bills introduced. Two of those bills will receive additional coverage here.

HR 7525 To authorize counter-unmanned aircraft system authorities for State, local, territorial, and tribal law enforcement, and for other purposes. Burlison, Eric [Rep.-R-MO-7]

HR 7552 To amend the Chemical and Biological Weapons Control and Warfare Elimination Act of 1991 to impose sanctions on foreign countries in response to acts concerning chemical or biological programs that cause injury to other foreign countries, and for other purposes. Moore, Barry [Rep.-R-AL-1]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-13-26 - subscription required.

Chemical Transportation Incidents – Week of 1-10-26

It has now been two months since DOT’s Pipeline and Hazardous Materials Safety Administration had posted the following notice on its Incident Statistics web page:

HazmatIncidentReportSearchTool
The ability to download pdf copies of incident filings or download complete datasets of the search results has been temporarily disabled. If you need pdf copies of incidents or relevant search criteria, please email relevant incident numbers to HMRequests@dot.gov.

This appears to have gone completely beyond any possibility of technical problems with the database. It looks like it is part and parcel of the attempts of the current administration’s ongoing efforts to reduce public access to information collected by the federal government.

The information in this database is safety information that should be readily available (and ‘readily’ specifically means searchable) to the public. PHMSA needs to restore public access to this information.

OMB Approves CISA CVD Program ICR – 2-12-26

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a new information collection request (ICR) from CISA on “CISA Coordinated Vulnerability Disclosure (CVD) Platform”. The 60-day ICR notice was published on October 30^th, 2024. The 30-day ICR notice was published on August 20^th, 2025.

The Supporting Document CISA submitted to OIRA as part of this ICR approval process noted that:

“CISA is also authorized to carry out these Coordinated Vulnerability Disclosure (CVD) functions by 6 U.S.C. 659(n) on Coordinated Vulnerability Disclosure, which authorizes CISA to in coordination with industry and other stakeholders, may develop and adhere to DHS policies and procedures for coordinating vulnerability disclosures.”

It also notes that:

“The intent of this form is to allow the public to provide information for exploited vulnerabilities that are not in the CISA Coordinated Vulnerability Disclosure (CVD) system. The submitted information will be evaluated by CISA and if CVD requirements are met, then the vulnerability would be CVD eligible. By expanding CVD, those who are required, and those who utilize the CVD system, are alerted to new additions. This allows for greater knowledge and visibility of exploited vulnerabilities and allows for enhanced vulnerability management.”

The table below shows the approved burden estimate for the ICR.

 

This ICR approves the use of two online information collections:

VINCE.pdf, and

CERT Vulnerability Notes Database.pdf

NOTE: The ICR Information Collection page list does not provide links to the ICs. Both of these pages are part of the Carnegie Mellon University, Software Engineering Institute, vulnerability reporting site.

Review – 10 Advisories and 1 Update Published – 2-12-26

Today CISA’s NCCIC-ICS published ten control system security advisories for products from Airleader, Hitachi Energy, and Siemens (8). They also updated an advisory for products from Mitsubishi.

Siemens published two other advisories and 10 updates this week that were not covered by CISA. I will cover them this weekend in my Public ICS Disclosure posts.

Advisories

Airleader advisory - This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Airleader Master compressor management controller.

Hitachi Energy - This advisory describes a use of default credentials vulnerability in the Hitachi Energy SuprOS product.

NOTE: I briefly discussed this vulnerability on January 31^st, 2026.

NX Advisory - This advisory describes three vulnerabilities in the Siemens NX CAD software.

Siveillance Advisory - This advisory discusses a missing authorization vulnerability in the Siemens Siveillance Video Management Servers.

SINEC Advisory #1 - This advisory discusses 51 vulnerabilities in the Siemens SINEC OS. These are third-party vulnerabilities.

SINEC Advisory #2 - This advisory describes two uncontrolled search path element vulnerabilities in the SINEC NMS and UMC products.

Solid Edge Advisory - This advisory describes an out-of-bounds read vulnerability in the Siemens Solid Edge products.

Desigo CC Advisory - This advisory discusses an out-of-bounds write vulnerability in the Siemens Desigo CC Product Family and SENTRON Powermanager.

COMOS Advisory - This advisory discusses six vulnerabilities in the Siemens COMOS plant engineering software.

NOTE: I briefly mentioned the original Siemens COMOS advisory on December 14^th, 2025. Today’s advisory is based upon this week’s second update of that advisory.

Polarion Advisory - This advisory describes a cross-site scripting vulnerability in the Siemens Polarion application lifecycle management (ALM) platform.

Updates

Mitsubishi Update - This update provides additional information on the Iconics Digital Solutions was originally published on May 20^th, 2026, and most recently updated January 8^th, 2026.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/10-advisories-and-1-update-published-de6 - subscription required.