Review – Public ICS Disclosures – Week of 1-31-26 – Part 2

For Part 2 we have four additional vendor disclosures from Sick (3) and Zyxel. There are seven vendor updates from Broadcom (3), ELECOM (2), HPE, and Moxa. Finally, we have an exploit for products from MySCADA.

Advisories

Sick Advisory #1 - Sick published an advisory that describes 15 vulnerabilities in their TDC-X401GL telematic data collector.

Sick Advisory #2 - Sick published an advisory that describes 12 vulnerabilities
(one with publicly available exploit) in their Incoming Goods Suite.

Sick Advisory #3 - Sick published an advisory that discusses an out-of-bounds read vulnerability in their nanoScan3 and microScan3 products.

Zyxel Advisory - Zyxel published an advisory that describes an OS command injection vulnerability in their ZLD firewalls.

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade Fabric advisory that was originally published on January 27^th, 2026.

Broadcom Update #2 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on January 27^th, 2026.

Broadcom Update #3 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on January 27^th, 2026.

ELECOM Update #1 - JPCERT published an update for their ELECOM wireless LAN routers advisory that was originally published on August 27^th, 2024, and most recently updated on February 12^th, 2025.

ELECOM Update #2 - JPCERT published an update for their ELECOM wireless LAN routers advisory that was originally published on March 26^th, 2024, and most recently updated on November 26^th, 2024.

HPE Update - HPE published an update for their HPE ProLiant DL/ML/XD, Alletra, and Synergy Servers advisory that was originally published on December 12^th, 2025, and most recently updated on January 5^th, 2026.

Moxa Update - Moxa published an update for their Diffie-Hellman Key Exchange Protocol advisory that was originally published on June 2^nd, 2025, and most recently updated on January 5^th, 2026.

Exploits

MySCADA Exploit - Indoushka published an exploit for an OS command injection vulnerability in the MySCADA MyPRO Manager product.

Chemical Incident Reporting – Week of 1-31-26

NOTE: See here for series background.

Forest Park, GA  – 1-15-26

Local News Report: Here, here, and here.

There was a fire at a chemical manufacturing facility due to an upset condition in a reaction vessel. There was a brief evacuation order for the facility and shelter-in-place for the surrounding neighborhood. No injuries reported, no discussion about damages.

Not CSB reportable.

Skaneateles, NY– 1-21-26

Local News Report: Here, here, here, and here.

There was a minor chlorine leak at a water treatment plant in a pipe. The facility was evacuated pending closure of the valve leading to the area of the leak. No injuries were reported.

Not CSB reportable.

Washington County, PA – 1-30-26

Local News Report: Here, here, here, and here.

There was an explosion at a metal treating facility during chemical unloading operations. Five people were sent to the hospital; all have been released. There have been no discussions of damages at the facility. The last article reported that “magnesium-chloride” was unloaded into a tank containing hydrogen peroxide.

Probably not CSB reportable.

Russellville, AR – 2-4-26

Local News Report: Here, here, here, and here.

There was a truck rollover incident involving a tanker carrying ‘ammonia hydroxide’. Photo here. There was no chemical leak from the truck, but local businesses were evacuated as a precaution. Interestingly, the local fire departments Facebook site reports that the incident involved ‘anhydrous ammonia’ not ammonium hydroxide.

Not CSB reportable, this was a transportation related accident.

Short Takes – 2-7-26 – Federal Register Edition

Requests for Comments; Clearance of a Renewed Approval of Information Collection: Small Unmanned Aircraft Registration System; Correction. Federal Register FAA ICR correction notice. Summary: “On January 29, 2026, FAA published a notice and request for comments titled “Agency Information Collection Activities: Requests for Comments; Clearance of a Renewed Approval of Information Collection: Small Unmanned Aircraft Registration System”. That notice and request for comments incorrectly stated the docket number. This notice corrects the docket number.”

NHTSA Automated Vehicle Safety Public Meeting: March 2026. Federal Register NHTSA meeting notice. Summary: “The National Highway Traffic Safety Administration (NHTSA) will hold a public meeting on March 10, 2026. The event will provide updates and insights into ongoing vehicle automation activities across NHTSA. The meeting will be held in-person and will feature keynote addresses from the DOT leadership and industry executive panel discussions on key Automated Driving Systems (ADS) topics in the morning. The second portion of the meeting will build upon the ADS workshop held November 20, 2025. NHTSA gleaned valuable information from stakeholders on various topics. In this subsequent meeting, NHTSA intends to gather specific input on potential actions, including potential future guidance to the safe domestic development, testing and deployment of ADS equipped vehicles. NHTSA intends to utilize stakeholder input to better inform the agency's upcoming activities. The event will not be live streamed.”

Regulatory Issue Summary: Personnel Access Authorization Requirements for Non-Immigrant Foreign Nationals Working at Nuclear Power Plants. Federal Register NRC guidance notice. Summary: “The U.S. Nuclear Regulatory Commission (NRC) is issuing Regulatory Issue Summary (RIS) 2026-01, “Personnel Access Authorization Requirements For Non-Immigrant Foreign Nationals Working At Nuclear Power Plants,” to remind licensees of the NRC requirement that prior to granting or reinstating unescorted access (UA) or certifying unescorted access authorization (UAA) to non-immigrant foreign nationals for the purpose of performing work, licensees shall validate that the foreign national's claimed non immigration status is correct.”

Pipeline Safety: Request for Special Permit. Federal Register PHMSA special permit request. Summary: “The REX Pipeline was constructed under waiver Docket No. PHMSA-2006-23998 as an AMAOP pipeline before the AMAOP regulations under § 192.620 were promulgated. Another special permit under Docket No. PHMSA PHMSA-2022-0044 was later issued to allow for a waiver of class location change requirements under 49 CFR 192.611 for segments originally operated under the 2006 waiver; 49 CFR 192.620(c)(8) allows a Class 1 and Class 2 location to be upgraded one class due to class location changes. This special permit is proposed to supersede and replace both previous special permits to create a unified and consistent approach to pipeline safety, operations, and compliance by aligning the regulatory framework applicable to the REX Pipeline with existing Federal regulations.”

Review – Public ICS Disclosures – Week of 1-31-26 – Part 1

This week we have a moderately busy disclosure week. For Part 1 there nine are vendor disclosures from Cisco, Delta Electronics, Eaton, ELECOM (2), HP, Moxa (2), and Pilz.

Advisories

Cisco Advisory - Cisco published an advisory that describes a use of hard-coded credentials vulnerability in their Prime Infrastructure product.

Delta Advisory - Delta published an advisory that describes a stack-based buffer overflow vulnerability in their ASDA-Soft product.

Eaton Advisory - Eaton published an advisory that describes two improper certificate validation vulnerabilities in their Network Cards products.

ELECOM Advisory #1 - JPCERT published an advisory that describes five vulnerabilities in multiple ELECOM wireless LAN routers.

ELECOM Advisory #2 - JPCERT published an advisory that describes four vulnerabilities in multiple ELECOM wireless LAN products.

HP Advisory - HP published an advisory that discusses 287 vulnerabilities in their ThinPro products.

Moxa Advisory #1 - Moxa published an advisory that describes two vulnerabilities in the industrial computers.

Moxa Advisory #2 - Moxa published an advisory that describes a reliance on security through obscurity vulnerability in their Ethernet Switches.

Pilz Advisory - CERT-VDE published an advisory that discusses four vulnerabilities in the Pilz PIT User Authentication Service.

 

For more information on these disclosures, including links to 3^rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-844 - subscription required.

Review – Bills Introduced – 2-5-26

Yesterday with just the Senate in Washington, and the House meeting in pro forma session, there were 55 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7390 SELF DRIVE Act of 2026 Latta, Robert E. [Rep.-R-OH-5]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a mention-in-passing of a bill requiring a study of power transmission lines on highway and rail rights of way, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-5-26 - subscription required.

Short Takes – 2-6-26 – Federal Register Edition

The Hazardous Waste Electronic Manifest System (“e-Manifest”) Advisory Board: Request for Nominations. Federal Register EPA notice. Summary: “The U.S. Environmental Protection Agency (EPA) invites the public to nominate experts in Information Technology (IT) to be considered for a three-year membership appointment to the Hazardous Waste Electronic Manifest System (“e-Manifest”) Advisory Board (the “Board”). Pursuant to the Hazardous Waste Electronic Manifest Establishment Act (the “e-Manifest Act” or the “Act”), EPA has established the Board to provide practical and independent advice, consultation, and recommendations to the EPA Administrator on the activities, functions, policies, and regulations associated with the Hazardous Waste Electronic Manifest (e-Manifest) System. In accordance with the e-Manifest Act, the EPA Administrator or designee will serve as Chair of the Board. This document solicits nominations for possible consideration of candidates to potentially fill a vacancy on the Board to serve as an IT expert for a three-year appointment. EPA may also consider nominations received through this solicitation to fill any unanticipated future vacancies on the Board for the following positions including an industry representative member with experience in using or representing users of the manifest system; and a state representative member responsible for processing manifests.” Nominations should be received by March 9^th, 2026.

Implementation of the Executive Order Entitled “Zero-Based Regulatory Budgeting To Unleash American Energy”; Correction. Federal Register DOE CFR correction amendment. Summary: “The Federal Energy Regulatory Commission (FERC) published a direct final rule [link added] in the Federal Register of October 21, 2025, revising its regulations to insert a conditional sunset date into certain regulations in response to Executive Order 14270, “Zero-Based Regulatory Budgeting to Unleash American Energy.” The document contained an error. This document corrects the regulations.” Note: This correction removes 18 CFR 157.202(2)(ii)(H), which was added here, but was not discussed in preamble.

EO 14381 - Celebrating American Greatness with American Motor Racing. Federal Register.

Review – 6 Advisories and 4 Updates Published – 2-5-26

Today CISA’s NCCIC-ICS published six control system security advisories for products from Hitachi Energy (2), Ilevia, 06 Automation, Mitsubishi, and TP-Link. They also updated advisories for products from KiloView, Multiple India-based Vendors, Hitachi Energy, and Mitsubishi.

Advisories

Hitachi Energy Advisory #1 - This advisory discusses the BlastRadius.Fail vulnerability in their FOX61x product.

NOTE: I briefly discussed the vulnerability on January 31^st, 2026.

Hitachi Energy Advisory #2 - This advisory discusses the BlastRadius.Fail vulnerability in their FOX61x product.

Ilevia Advisory - This advisory describes nine vulnerabilities (each with publicly available exploits) in the Ilevia EVE X1 Server.

06 Automation Advisory - This advisory describes an out-of-bounds write vulnerability in their Open62541 OPC UA stack.

Mitsubishi Advisory - This advisory describes an improper validation of specified quantity in input vulnerability in the MELSEC iQ-R Series products.

TP-Link Advisory - This advisory describes an improper authentication vulnerability in the TP-Link VIGI Series IP Cameras.

Updates

KiloView Update - This update provides additional information on the Encoder Series advisory that was originally published on January 29^th, 2025.

NOTE: The original advisory was a “has not responded to requests to work with CISA” advisory.

India Based Update - This update provides additional information on the CCTV Cameras advisory that was originally published on December 9^th, 2025.

NOTE: The original advisory was a “has not responded to requests to work with CISA” advisory.

Hitachi Energy Update - This update provides additional information on the Relion 670/650 advisory that was originally published on July 3^rd, 2025, and most recently updated on January 22^nd, 2026 (CISA advisory dates, not the Hitachi Energy dates listed in the ‘Revision History’).

NOTE: I briefly reported the updated information on February 1^st, 2026.

Mitsubishi Update - This update provides additional information on the MELSOFT Update Manager advisory that was originally published on July 3^rd, 2025, and most recently updated on January 20^th, 2026.

NOTE: CVE-2025-0411, listed as a third-party vulnerability in this advisory, was listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog today (listed on “February 6^th, 2026”?).

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-4-updates-published - subscription required.