CyberAv3ngers Target Unitronics, Federal Signal, and Genmark Siren Controllers in Psychological Warfare Campaign
The IRGC-linked threat actor CyberAv3ngers is executing a targeted campaign against critical infrastructure, specifically exploiting internet-facing Unitronics Vision PLCs, Federal Signal, and Genmark siren controllers. By leveraging weak or default credentials and unauthorized access to Human-Machine Interfaces (HMIs), the group manipulates emergency alert protocols and public warning systems. This shift from technical sabotage to "cyber-psychological warfare" aims to trigger mass public panic and erode societal trust in civil safety mechanisms. The campaign serves as a non-kinetic extension of regional geopolitical tensions, requiring urgent hardening of OT network segmentation and credential management to prevent mass societal destabilization.
Critical OS Command Injection in Lantronix EDS5000 Series
CVE-2025-67038 is a critical OS command injection vulnerability affecting Lantronix EDS5000 series serial-to-Ethernet device servers. An unauthenticated remote attacker can achieve root-level system compromise by injecting arbitrary shell commands via the username parameter. With a CVSS score of 9.8 and confirmed active exploitation in the wild, the flaw enables full device takeover and potential lateral movement into sensitive industrial or management networks. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal remediation by June 26, 2026.
NCSC: Strategic Prepositioning and Kinetic Readiness in UK Critical National Infrastructure (CNI)
The National Cyber Security Centre (NCSC) has identified a strategic shift by state-sponsored actors targeting UK Critical National Infrastructure (CNI), transitioning from opportunistic espionage to "prepositioning" for future kinetic sabotage. Adversaries are utilizing Living-off-the-Land (LotL) techniques and targeting OT/ICS environments to maintain stealthy, long-term persistence. The attack surface has expanded to include the Defense Industrial Base (DIB) via compromised third-party Managed Service Providers (MSPs) and software update mechanisms. With 75% of CNI attacks attributed to nation-states, these operations aim to establish dormant access for physical disruption during geopolitical conflict, with AI-driven automated exploitation expected to scale these capabilities by 2028.
Iran-Linked MuddyWater Actors Compromising Rockwell Automation PLCs in U.S. Critical Infrastructure
Iranian state-sponsored group MuddyWater, affiliated with the Ministry of Intelligence and Security, is actively targeting U.S. critical infrastructure by exploiting internet-exposed Rockwell Automation Programmable Logic Controllers (PLCs). The attackers leverage these exposed OT interfaces to deploy SSH backdoors for persistent access. Once established, they manipulate SCADA display data to deceive industrial operators, masking the actual state of physical processes within the water, energy, and government sectors. This activity, detailed in CISA/FBI Joint Advisory AA26-097A, represents a direct effort to facilitate operational disruptions through the manipulation of Industrial Control Systems (ICS).
Cyberattack Disrupts Mackay Sugar Operations
Around June 10, 2026, a cybersecurity incident targeted Mackay Sugar, Australia's second-largest raw sugar producer, causing the immediate shutdown of the Farleigh and Racecourse milling facilities in Queensland. The attack disrupted critical operational technology (OT) and logistics systems, forcing the isolation of industrial control systems and the suspension of cane haulage and harvesting activities. This interruption occurred at the onset of the annual crushing season, impacting approximately 1,300 supplying farms and threatening regional agricultural output and supply chain stability.
Exploitation of Automatic Tank Gauge (ATG) Systems in Critical Infrastructure
A coordinated campaign is targeting Automatic Tank Gauge (ATG) systems across the U.S. energy sector, exploiting vulnerabilities in Modbus and proprietary serial-to-IP communication protocols. Attackers are leveraging insecure remote access gateways, such as cellular modems and VPNs, and exploiting hardcoded credentials or unauthenticated interfaces to gain unauthorized access. By injecting commands or spoofing telemetry data, actors can manipulate liquid level and pressure readings, potentially masking containment leaks or triggering false-positive emergency shutdowns. The lack of network segmentation between IT corporate environments and OT tank consoles facilitates lateral movement, creating significant risks of environmental contamination and fuel supply chain instability.
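As an added example of the defensive counterpart to the telemetry spoofing described above (this is illustration code, not part of the original report or any vendor's tooling): reconciling the level an ATG reports against independently metered inflow and outflow, so a frozen or spoofed reading stands out. The tank volumes, pump rate and tolerance are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Reading:
    """One polling interval from a hypothetical tank console (constructed)."""
    minute: int          # minutes since the start of the shift
    level_l: float       # volume reported by the ATG, litres
    dispensed_l: float   # litres metered out by dispensers since the previous reading
    delivered_l: float   # litres metered in by the delivery meter since the previous reading


MAX_PUMP_LPM = 400.0     # assumed maximum physical flow rate, litres per minute
TOLERANCE_L = 50.0       # assumed acceptable reconciliation gap per interval


def check_telemetry(readings: List[Reading]) -> List[str]:
    """Return one alert per interval whose reported level is implausible
    given the independently metered flows (mass balance) or the physics
    of the pumps (rate limit). An empty list means the telemetry reconciles."""
    alerts = []
    for prev, cur in zip(readings, readings[1:]):
        dt = cur.minute - prev.minute
        if dt <= 0:
            alerts.append(f"t={cur.minute}: non-monotonic timestamp")
            continue
        # Mass balance: the level the tank should hold if the meters are trusted.
        expected = prev.level_l + cur.delivered_l - cur.dispensed_l
        gap = cur.level_l - expected
        if abs(gap) > TOLERANCE_L:
            alerts.append(f"t={cur.minute}: level {cur.level_l:.0f} L differs from "
                          f"metered balance {expected:.0f} L by {gap:+.0f} L")
        # Rate limit: the level cannot move faster than the pumps can move product.
        if abs(cur.level_l - prev.level_l) / dt > MAX_PUMP_LPM:
            alerts.append(f"t={cur.minute}: level changed faster than the maximum pump rate")
    return alerts


# Constructed sample: 10-minute polls; interval 3 freezes the level while product is
# dispensed (the pattern that masks a leak), interval 5 reports an impossible jump.
SAMPLE = [
    Reading(0, 20000.0, 0.0, 0.0),
    Reading(10, 19700.0, 300.0, 0.0),   # consistent: 300 L sold, level fell 300 L
    Reading(20, 19700.0, 320.0, 0.0),   # level unchanged despite 320 L dispensed
    Reading(30, 19380.0, 300.0, 0.0),   # back within tolerance of the metered balance
    Reading(40, 23500.0, 0.0, 0.0),     # +4120 L with no delivery, faster than any pump
]

if __name__ == "__main__":
    for alert in check_telemetry(SAMPLE):
        print(alert)
```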
Critical OT Vulnerabilities in Vertiv and Trane Data Center Infrastructure
Integration of Operational Technology (OT) into data center environments has introduced critical vulnerabilities within Vertiv and Trane UPS and HVAC systems. Attackers can exploit weaknesses in industrial protocols such as Modbus, BACnet, and SNMP, alongside insecure remote management interfaces and flawed firmware integrity checks. Successful exploitation enables unauthorized privilege escalation and manipulation of environmental controls or power distribution. This creates a high risk of thermal runaway, physical hardware destruction, and total facility outages, potentially cascading into municipal energy grid instability and significant SLA breaches for cloud and enterprise service providers.
CISA ICS Security Advisories: Vulnerabilities in ABB, Siemens, ZKTeco, and Kieback & Peter Systems
Between May 18 and May 24, 2026, CISA and the CCCS released a large series of ICS/OT security advisories detailing critical vulnerabilities in industrial automation, energy, and building management systems. The advisories identify significant flaws, including Remote Code Execution (RCE), Authentication Bypass, Buffer Overflows, and Denial of Service (DoS), affecting hardware from ABB, Siemens, Hitachi Energy, ZKTeco, and Kieback & Peter. Exploitation vectors include network-level access to industrial protocols and firmware, posing risks of unauthorized physical surveillance via ZKTeco devices, safety compromises in Kieback & Peter controllers, and kinetic impacts in ABB B&R automation environments. Immediate remediation via vendor-provided patches and firmware updates is essential to prevent widespread OT downtime.
US Congress Probes AI-Driven Cyber-Physical Threats to Critical Infrastructure
The US House Homeland Security Subcommittee is investigating the escalation of AI-driven cyber-physical threats targeting critical infrastructure. Adversaries are deploying agentic AI to automate vulnerability discovery and execute autonomous attack chains, drastically reducing the time-to-exploit for ICS/OT environments to under 24 hours. Technical vectors include AI-generated polymorphic malware that bypasses signature-based EDR and deepfake-driven authentication bypass targeting critical personnel. These capabilities enable the transition from data exfiltration to kinetic disruption of power grids and water systems. Legislative efforts, specifically the "Great American AI Act" (Obernolte-Trahan), seek to establish federal guardrails and a new Center for AI Standards and Innovation (CAISI) to counter these rapid-cycle exploitation threats.