Today CISA’s NCCIC-ICS published six control system security advisories for products from ABB. They also updated two advisories for products from Mitsubishi.
I would like to remind folks that the Department of Homeland Security (including, of course, CISA’s NCCIC-ICS, the authors of these advisories) has still not been funded for FY 2026 operations since January. The Administration has repurposed funds (that were previously allocated for other uses passed September 30th, 2025) into paychecks for the people still working during this ‘limited shutdown’. Those funds have been expected to run out on or about May 1st. CISA’s cybersecurity operations are expected to continue; paychecks probably not until Congress works out this fiasco.
Advisories
Ability Symphony Advisory - This advisory discusses four vulnerabilities in the ABB Ability Symphony Plus Engineering product.
AWIN Advisory - This advisory describes three vulnerabilities in the ABB AWIN Gateways products.
Ability OPTIMAX Advisory - This advisory describes an incorrect implementation of authentication algorithm vulnerability in the ABB Ability OPTIMAX products.
Edgenius Advisory - This advisory describes an authentication bypass using an alternate path or channel vulnerability in the ABB Edgenius Management Portal.
PCM600 Advisory - This advisory discusses the Zip-Slip vulnerability in the ABB PCM600 product.
System 800xA Advisory - This advisory describes an improper validation of specified quantity in input vulnerability in the ABB System 800xA and Symphony Plus IEC 61850 products.
Updates
FA Products Update - This update provides additional information on the FA Products advisory that was originally published on April 25th, 2025, and most recently updated on February 3rd, 2026.
MELSEC iQ-F Series Update - This update provides additional information on the MELSEC iQ-F Series advisory that was originally published on March 3rd, 2026.
For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-2-updates-published-cc0 - subscription required.