Today CISA’s NCCIC-ICS published six control system security advisories for products from Intrado, Hangzhou Xiongmai Technology Co, SpiceJet, Milesight, Carlson Software, and YADEA. There is also an update for an advisory for products from Schneider Electric. I also take a down-the-rabbit-hole look at a second Hangzhou vulnerability.
Advisories
Intrado Advisory - This advisory describes a path traversal vulnerability in the Intrado 911 Emergency Gateway.
Hangzhou Advisory - This advisory describes a missing authentication for critical function vulnerability in the Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera.
SpiceJet Advisory - This advisory describes two vulnerabilities in the SpiceJet Online Booking System.
Milesight Advisory - This advisory describes five vulnerabilities in multiple Milesight Cameras.
Carlson Advisory - This advisory describes a missing authentication for critical function vulnerability in the Carlson Software VASCO-B GNSS Receiver.
Yadea Advisory - This advisory describes a weak authentication vulnerability in the Yadea T5 Electric Bicycle.
Updates
Schneider Update - This update provides additional information on the Modicon Controllers advisory that was originally published on April 23rd, 2026.
For more information on these advisories, including a down-the-rabbit-hole look at an additional Hangzhou vulnerability, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published-6ff - subscription required.