CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-14847 MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability  This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.    Binding Operational Directive (BOD) Read more

View CSAF Summary Successful exploitation of these vulnerabilities could allow an authenticated attacker to read or modify a remote database. The following versions of Advantech WebAccess/SCADA are affected: WebAccess/SCADA (CVE-2025-14850, CVE-2025-14849, CVE-2025-14848, CVE-2025-46268, CVE-2025-67653) CVSS Vendor Equipment Vulnerabilities v3 8.8 Advantech Advantech WebAccess/SCADA Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Unrestricted Read more

CISA released two Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.  ICSA-25-364-01: WHILL C2 Wheelchairs ICSA-25-345-03: AzeoTech DAQFactory (Update A)  CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.  Read more

CISA released one Industrial Control Systems (ICS) Advisory. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.  ICSA-25-177-01 Mitsubishi Electric Air Conditioning Systems (Update B) CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. Read more

The Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) have released an initial draft of Interagency Report (IR) 8597 Protecting Tokens and Assertions from Forgery, Theft, and Misuse for public comment through January 30, 2026. This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity Read more

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2023-52163 Digiever DS-2105 Pro Missing Authorization Vulnerability  This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.    Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk Read more

View CSAF Summary Successful exploitation of these vulnerabilities could result in a denial-of-service condition. The following versions of Rockwell Automation Micro820, Micro850, Micro870 are affected: Micro820 (CVE-2025-13823, CVE-2025-13824) CVSS Vendor Equipment Vulnerabilities v3 7.5 Rockwell Automation Rockwell Automation Micro820, Micro850, Micro870 Dependency on Vulnerable Third-Party Component, Release of Invalid Pointer or Reference Background Critical Infrastructure Read more

View CSAF Summary Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code, executing a man-in-middle style attack, or bypass authentication. The following versions of Axis Communications Camera Station Pro, Camera Station, and Device Manager are affected: AXIS Camera Station Pro (CVE-2025-30023, CVE-2025-30025, CVE-2025-30026) AXIS Camera Station (CVE-2025-30023, CVE-2025-30025, CVE-2025-30026) AXIS Device Read more

View CSAF Summary Successful exploitation of this vulnerability could result in denial-of-service (DoS), information tampering, and information disclosure. The following versions of Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electrics Products are affected: GENESIS64 (CVE-2025-11774) ICONICS Suite (CVE-2025-11774) MobileHMI (CVE-2025-11774) MC Works64 (CVE-2025-11774) CVSS Vendor Equipment Vulnerabilities v3 8.2 Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Read more

View CSAF Summary Multiple Industrial products are affected by a vulnerability in the Interniche IP-Stack. The affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. This could allow an unauthenticated remote attacker e.g. to interfere with connection setup, potentially leading to a denial of Read more