Author: Cyber and Coffee

  • Secure Connectivity Principles for Operational Technology (OT)

    CISA and the UK National Cyber Security Centre (NCSC-UK), in collaboration with federal and international partners, have released Secure Connectivity Principles for Operational Technology (OT), guidance to help asset owners address increasing business and regulatory pressure for connectivity into OT networks. This guidance outlines eight principles to use as a framework to design,

  • Rockwell Automation 432ES-IG3 Series A

    Successful exploitation of this vulnerability could result in a denial-of-service condition. The following versions of Rockwell Automation 432ES-IG3 Series A are affected: 432ES-IG3 Series A (CVE-2025-9368)
    CVSS v3: 7.5
    Vendor: Rockwell Automation
    Equipment: Rockwell Automation 432ES-IG3 Series A
    Vulnerabilities: Allocation of Resources Without Limits or Throttling
    Background: Critical Infrastructure Sectors: Critical Manufacturing

  • YoSmart YoLink Smart Hub

    Successful exploitation of these vulnerabilities could allow an attacker to remotely control other users' smart home devices, intercept sensitive data, and hijack sessions. The following versions of YoSmart YoLink Smart Hub are affected: YoSmart server (CVE-2025-59449, CVE-2025-59451); YoLink Smart Hub (CVE-2025-59452); YoLink Mobile Application (CVE-2025-59448)
    CVSS v3: 5.8
    Vendor: YoSmart

  • Rockwell Automation FactoryTalk DataMosaix Private Cloud

    Successful exploitation of this vulnerability could allow an attacker to perform unauthorized sensitive database operations. The following versions of Rockwell Automation FactoryTalk DataMosaix Private Cloud are affected: FactoryTalk DataMosaix Private Cloud (CVE-2025-12807)
    CVSS v3: 8.8
    Vendor: Rockwell Automation
    Equipment: Rockwell Automation

  • CISA Adds One Known Exploited Vulnerability to Catalog

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-20805 Microsoft Windows Information Disclosure Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk

  • CISA Adds One Known Exploited Vulnerability to Catalog

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-8110 Gogs Path Traversal Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of

  • CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2009-0556 Microsoft Office PowerPoint Code Injection Vulnerability; CVE-2025-37164 HPE OneView Code Injection Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive

  • Hitachi Energy Asset Suite

    Hitachi Energy is aware of a Jasper Report vulnerability that affects the Asset Suite product versions listed below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Refer to the Recommended Immediate Actions for information about mitigation and remediation. The following versions

  • Columbia Weather Systems MicroServer

    Successful exploitation of these vulnerabilities could allow an attacker to redirect connections to an attacker-controlled device, gain admin access to the web portal, or gain limited shell access. The following versions of Columbia Weather Systems MicroServer are affected: MicroServer firmware (CVE-2025-61939, CVE-2025-64305, CVE-2025-66620)
    CVSS v3: 8.8
    Vendor: Columbia Weather Systems

  • Advantech WebAccess/SCADA

    Successful exploitation of these vulnerabilities could allow an authenticated attacker to read or modify a remote database. The following versions of Advantech WebAccess/SCADA are affected: WebAccess/SCADA (CVE-2025-14850, CVE-2025-14849, CVE-2025-14848, CVE-2025-46268, CVE-2025-67653)
    CVSS v3: 8.8
    Vendor: Advantech
    Equipment: Advantech WebAccess/SCADA
    Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted