Saturday, December 13, 2025

CISA Adds Sierra Wireless Vulnerability to KEV – 12-12-25

Yesterday CISA announced that it had added an “unrestricted upload of file with dangerous type” vulnerability in the Sierra Wireless AirLink ALEOS product to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was reported by Cisco Talos on April 15th, 2019; that report included proof-of-concept code. Sierra Wireless published their advisory on the vulnerability (along with 12 others) on April 30th, 2019. CISA published their advisory on the vulnerability (along with six others) on August 20th, 2019, and most recently updated it on April 23rd, 2020.

CISA has required that Federal agencies that use the affected products apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” Those required actions are to be completed by January 2nd, 2026.

Review – CSB Updates Accidental Release Reporting Data – 12-1-25

On Thursday the CSB updated their published list of reported chemical release incidents. They added 58 new incidents that occurred since the previous version was published in July. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604) through November 30th, 2025.

The table below shows the top five states based upon the number of reported incidents since the July update was published.


For more information on the data, including a listing of chemical incidents reported in the news that should have been reported to CSB, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-313 - subscription required.

Chemical Transportation Incidents – Week of 11-8-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

NOTE: PHMSA’s database is not currently allowing online downloads. I was able to request a copy of the week’s data directly from PHMSA. That is the reason for this late posting.

Incidents Summary

• Number of incidents – 486 (453 highway, 31 air, 2 rail, 0 water)

• Serious incidents – 4 (3 Bulk release, 0 evacuation, 1 injury, 0 death, 0 major artery closed, 2 fire/explosion, 30 no release)

• Largest container involved – 33,900-gal DOT 117J100W Railcar {Petroleum Gases, Liquefied or Liquefied Petroleum Gas} Vapor valve cracked open, plug not tool tight.

• Largest amount spilled – 250-gal Plastic IBC {Caustic Alkali Liquids, N.O.S.} Forklift strike.

• Total amount reported spilled in all incidents – 2174.4-gal

NOTE: Links to Form 5800.1 for the described incidents are not currently available online.

Most Interesting Chemical: Hydrofluoric Acid And Sulfuric Acid Mixtures: A clear colorless liquid with a pungent odor. Corrosive to metals and tissue. Exposure to the fumes or brief contact can cause severe burns as mixture penetrates to cause deep-seated ulceration that is sometimes complicated by gangrene. (Source: CameoChemicals.NOAA.gov).

Review – Public ICS Disclosures – Week of 12-6-25 – Part 1

This week we have bulk disclosures from FortiGuard (8). There are also 12 additional vendor disclosures from Cisco, Dell, Dassault Systems, Elecom, Endress+Hauser, Hitachi Energy (2), HP, HPE, Moxa, and NI (2).

Bulk Disclosures – FortiGuard

Insertion of sensitive information into REST API logs,

Insufficient Session Expiration in SSLVPN,

Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass,

Multiple authenticated OS Command Injections via API,

OS command injection in GUI backup options,

OS command injection in multiple endpoints,

Private key readable by admin, and

Reflected XSS in HA cluster.

Advisories

Cisco Advisory - Cisco published an advisory that discusses the React Server Components deserialization of untrusted data vulnerability that is listed in CISA’s Known Exploited Vulnerabilities catalog.

Dell Advisory - Dell published an advisory that discusses 30 vulnerabilities. All but three of these are third-party vulnerabilities.

Dassault Advisory - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Elecom Advisory - JP CERT published an advisory that describes an unquoted search path vulnerability in the Elecom Clone for Windows.

Endress+Hauser Advisory - CERT-VDE published an advisory that discusses an out-of-bounds write vulnerability in multiple Endress+Hauser products.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability in their Asset Suite product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses the React Server Component deserialization of untrusted data vulnerability that is listed in CISA’s KEV catalog.

HP Advisory - HP published an advisory that describes a path traversal vulnerability in their Event Utility and Omen Gaming Hub products.

HPE Advisory - HPE published an advisory that discusses ten vulnerabilities in their ProLiant DL/ML/XD Alletra and Synergy Servers.

Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their MXsecurity Series products.

NI Advisory #1 - NI published an advisory that describes nine vulnerabilities in their LabVIEW product.

NI Advisory #2 - NI published an advisory that describes a relative path traversal vulnerability in their System Web Server.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-c5d - subscription required.

Friday, December 12, 2025

Chemical Transportation Incidents – Week of 11-8-25

Unfortunately, the download function of the PHMSA Hazmat Incident Report Search Portal “has been temporarily disabled”. I have a request in to PHMSA to provide the data that I need to write this blog post, but I have no idea if/when that data will be forthcoming. I expect to publish this post when I can.

Review – Bills Introduced – 12-11-25

Yesterday, with both the House and Senate in Washington, there were 128 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 6630 To direct the Department of Defense to carry out an initiative to understand and address occupational resiliency challenges of the Cyber Mission Force. Elfreth, Sarah [Rep.-D-MD-3]

HR 6631 To require the Secretary of Defense to establish a program for the development of cybersecurity education at academic institutions, and for other purposes. Elfreth, Sarah [Rep.-D-MD-3]

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

HR 6638 To require a report on merits and options for establishing an institute relating to space resources, and for other purposes. Foushee, Valerie P. [Rep.-D-NC-4]


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-11-25 - subscription required.

OMB Approves BIS Bio-Lab Equipment Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Control of Laboratory Equipment and Related Technology and Software”. This would be the final action on an interim final rule that was published on January 16th, 2025. This final rule was sent to OIRA on September 23rd, 2025.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“The Bureau of Industry and Security (BIS) is finalizing revisions to an interim final rule published in January 2025 which amended the Export Administration Regulations (EAR) to address the accelerating development and deployment of advanced biotechnology tools contrary to U.S. national security and foreign policy interests.”

I probably will not be covering this final rule in any detail when it is published next week, but I will at least mention it in the appropriate Short Takes post when it is published.
