For Part 2 we have three additional vendor disclosures from Pilz, SEMTECH, and VEGA. There are six vendor updates from HPE, Mitsubishi (2), and Moxa (3). We also have a researcher report for vulnerabilities in products from Lantronix and Silex. Finally, we have two exploits for products from FortiGuard.
Advisories
Pilz Advisory - CERT-VDE published an advisory that discusses an insecure default initialization of resource vulnerability (with publicly available exploits) in the Pilz PASvisu Runtime.
SEMTECH Advisory - SEMTECH published an advisory that describes three vulnerabilities in their LR11xx transceivers.
VEGA Advisory - CERT-VDE published an advisory that describes a missing authentication for critical function vulnerability in the VEGA VEGAPULS 6X product.
Updates
HPE Update - HPE published an update for their Aruba Networking advisory that was originally published on January 13th, 2026, and most recently updated on January 27th, 2026.
Mitsubishi Update #1 - Mitsubishi published an update for their MELSEC iQ-F Series advisory that was originally published on March 3rd, 2026.
Mitsubishi Update #2 - Mitsubishi published an update for their Ethernet Function advisory that was originally published on April 25th, 2026, and most recently updated on February 3rd, 2026.
Moxa Update #1 - Moxa published an update for their Ethernet Switch advisory that was originally published on October 23rd, 2025, and most recently updated on October 31st, 2025.
Moxa Update #2 - Moxa published an update for their SSH Weak Algorithms advisory that was originally published on December 12th, 2025.
Moxa Update #3 - Moxa published an update for their ICMP Timestamp Request advisory that was originally published on October 21st, 2025, and most recently updated on January 5th, 2026.
Researcher Reports
Lantronix Report - Forescout published a report that describes eight vulnerabilities in the Lantronix EDS3000PS and EDS5000PS Series serial device servers.
Silex Report - Forescout published a report that describes 12 vulnerabilities in the Silex D330-AC serial device server.
Exploits
FortiGuard Exploit #1 - Ashraf Zaryouh published an exploit for an OS command injection vulnerability in the FortiGuard FortiSandbox product.
FortiGuard Exploit #2 - Indoushka published an exploit for a relative path traversal vulnerability (which is listed in CISA’s KEV catalog) in the FortiGuard FortiWeb product.
For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-4b8 - subscription required.