Cyber & Coffee

Our news

  • Siemens SINEC OS

    View CSAF Summary SINEC OS before V3.3 contains third-party components with multiple vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions. The following versions of Siemens SINEC OS are affected: RUGGEDCOM RST2428P (6GK6242-6PA00) vers:intdot/<3.3 (CVE-2022-48174, CVE-2023-7256, CVE-2023-39810, CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366, CVE-2024-6197, CVE-2024-6874, CVE-2024-7264, CVE-2024-8006, CVE-2024-8096,

    READ MORE

  • Siemens Siveillance Video Management Servers

    View CSAF Summary The Webhooks implementation of Siveillance Video Management Servers contains a vulnerability that could allow an authenticated remote attacker with read-only privileges to achieve full access to Webhooks API. Siemens has released new versions for the affected products and recommends to update to the latest versions. The following versions of Siemens Siveillance Video

    READ MORE

  • Siemens SINEC NMS

    View CSAF Summary Multiple Siemens products are affected by two local privilege escalation vulnerabilities which could allow an low privileged attacker to load malicious DLLs, potentially leading to arbitrary code execution with elevated privileges. Siemens has released new versions for the affected products and recommends to update to the latest versions. The following versions of

    READ MORE

  • ZLAN Information Technology Co. ZLAN5143D

    View CSAF Summary Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication, or resetting the device password. The following versions of ZLAN Information Technology Co. ZLAN5143D are affected: ZLAN5143D v1.600 (CVE-2026-25084, CVE-2026-24789) CVSS Vendor Equipment Vulnerabilities v3 9.8 ZLAN Information Technology Co. ZLAN Information Technology Co. ZLAN5143D Missing Authentication for Critical Function

    READ MORE

  • ​​Barriers to Secure OT Communication: Why Johnny Can’t Authenticate​

    CISA released the guidance, Barriers to Secure OT Communication: Why Johnny Can’t Authenticate, which highlights the known issues with insecure-by-design legacy industrial protocols and seeks to understand why the technology to secure these protocols is not widely adopted. CISA developed this guidance in partnership with operational technology (OT) equipment manufacturers and standard development organizations, by

    READ MORE

  • ZOLL ePCR IOS Mobile Application

    View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to protected health information (PHI) or device telemetry. The following versions of ZOLL ePCR IOS Mobile Application are affected: ePCR IOS Mobile Application 2.6.7 (CVE-2025-12699) CVSS Vendor Equipment Vulnerabilities v3 5.5 ZOLL ZOLL ePCR IOS Mobile Application Insertion of

    READ MORE

  • CISA Adds Six Known Exploited Vulnerabilities to Catalog

    CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.  CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability CVE-2026-21525

    READ MORE

  • AVEVA PI Data Archive

    View CSAF Summary Successful exploitation of this vulnerability could result in a denial-of-service condition. The following versions of AVEVA PI Data Archive are affected: PI Data Archive PI Server <=2018_SP3_Patch_7 (CVE-2026-1507) PI Data Archive PI Server 2023 (CVE-2026-1507) PI Data Archive PI Server 2023_Patch_1 (CVE-2026-1507) PI Data Archive PI Server 2024 (CVE-2026-1507) CVSS Vendor Equipment

    READ MORE

  • AVEVA PI to CONNECT Agent

    View CSAF Summary Successful exploitation of this vulnerability could result in an unauthorized access to the proxy server. The following versions of AVEVA PI to CONNECT Agent are affected: PI to CONNECT Agent <=v2.4.2520 (CVE-2026-1495) CVSS Vendor Equipment Vulnerabilities v3 6.5 AVEVA AVEVA PI to CONNECT Agent Insertion of Sensitive Information into Log File Background

    READ MORE

  • Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps

    The purpose of this Alert is to amplify Poland’s Computer Emergency Response Team (CERT Polska’s) Energy Sector Incident Report published on Jan. 30, 2026, and highlight key mitigations for Energy Sector stakeholders.  In December 2025, a malicious cyber actor(s) targeted and compromised operational technology (OT) and industrial control systems (ICS) in Poland’s Energy Sector—specifically renewable

    READ MORE