3 Advisories and 2 Updates Published – 2-24-26
Today CISA’s NCCIC-ICS published three control system security advisories for products from Gardyn, Schneider Electric, and InSAT. They also updated two advisories for products from Mitsubishi.
Gardyn Advisory
This advisory describes four vulnerabilities in the Gardyn Home Kit product line. The vulnerabilities were reported to CISA by Michael Groberman [added link 2-24-26 19:10 per X message from Michael]. Gardyn has a new firmware version that mitigates the vulnerabilities, and the vulnerabilities have also been fixed on the mobile app backend.
The four reported vulnerabilities are:
Improper authorization - CVE-2025-71242,
Code injection (2) - CVE-2025-29631 and CVE-2025-29629, and
Command injection - CVE-2025-29628.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment.
Schneider Advisory
This advisory describes two vulnerabilities in the Schneider EcoStruxure Building Operation Workstation. The vulnerabilities were reported separately by Pentest Limited and Robin Plugge. Schneider has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Improper restriction of XML external entity reference - CVE-2026-1227, and
Code injection - CVE-2026-1226.
The Schneider advisory reports that failure to apply the listed remediations may risk exposure of local files or denial of service, which could result in data breaches and operational disruptions.
NOTE: I briefly discussed these vulnerabilities on February 14th, 2026.
InSAT Advisory
This advisory describes two SQL injection vulnerabilities in the InSAT MasterSCADA BUK-TS. These vulnerabilities were reported to CISA by Adem El Adeb. CISA notes that: “InSAT has not responded to requests to work with CISA to mitigate these vulnerabilities.”
NCCIC-ICS reports that successful exploitation of these vulnerabilities may allow remote code execution.
Mitsubishi Update #1
This update provides additional information on the Iconics Digital Solutions advisory that was originally published on October 22nd, 2024, and most recently updated on January 8th, 2026. The new information includes a changed mitigation description and an updated product tree.
Mitsubishi Update #2
This update provides additional information on the ICONICS Suite advisory that was originally published on July 26th, 2022, and most recently updated on January 15th, 2025. The new information includes updated CVE descriptions and updated remediations.