Public ICS Disclosures – Week of 2-21-26 - Part 1
We have a busy disclosure week. For Part 1 we have 17 vendor disclosures from ABB (2), Dell, Festo, Fujitsu, Hitachi (2), Hitachi Energy (3), HP (2), HPE (3), Sick, and Supermicro.
I ran into an interesting researcher report, 100+ Kernel Bugs in 30 Days, today while looking into the Fujitsu advisory below. The report by Yaron Dinkin and Eyal Kraft talks about their research using AI to identify zero-day vulnerabilities in various Windows kernel drivers. They built a system that “scrapes drivers from all over the internet, catalogs and labels them, decompiles them, and uses agent swarms to identify memory corruption vulnerabilities”. They looked at 1,873 binaries and identified 521 potential vulnerabilities. The Fujitsu vulnerability is the first publicly reported because Fujitsu is the first vendor to respond to the authors. This is going to be interesting.
ABB Advisories
ABB published an advisory that discusses an insecure default initialization of resource vulnerability in their Automation Builder product. This is a third-party (CODESYS) vulnerability. ABB has a new version that mitigates the vulnerability.
ABB published an advisory that discusses three vulnerabilities in their AC500 V3 products. These are third-party (CODESYS) vulnerabilities. ABB has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Forced browsing - CVE-2025-2595,
Incorrect permission assignment for critical function - CVE-2025-41659, and
NULL pointer dereference - CVE-2025-41691.
Dell Advisory
Dell published an advisory that describes four vulnerabilities in their Wyse Management Suite. Two of the vulnerabilities were reported by Alexander Zhurnakov of Positive Technologies. Dell has a new version that mitigates the vulnerabilities.
The four reported vulnerabilities are:
Missing authorization - CVE-2026-22765,
Unrestricted upload of file with dangerous type - CVE-2026-22766,
Cross-site scripting - CVE-2026-23858, and
Client-side enforcement of server-side security - CVE-2026-23859.
Festo Advisory
CERT-VDE published an advisory that discusses 126 vulnerabilities in the Festo Automation Suite product. These are third-party (CODESYS) vulnerabilities. Festo recommends updating the CODESYS product. The advisory explains that:
“Starting with Festo Automation Suite (FAS) version 2.8.0.138, the suite is delivered only with a connector to Codesys, rather than including Codesys directly. Prior to this version, Codesys was bundled within the FAS installation. From version 2.8.0.138 onwards, customers are required to download and install Codesys independently.”
Fujitsu Advisory
JP-CERT published an advisory that describes an out-of-bounds write vulnerability in the Fujitsu BIOS Driver. The vulnerability was reported by Yaron Dinkin and Eyal Kraft. Fujitsu has a new firmware version that mitigates the vulnerability.
NOTE: This Fujitsu vulnerability was one of 100+ vulnerabilities in kernel drivers from various vendors identified by Dinkin-Kraft in their report. They note that Fujitsu is the only vendor to date that has responded to their coordinated disclosure. This article is well worth a read.
Hitachi Advisories
Hitachi published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Configuration Manager and Ops Center API Configuration Manager products. Hitachi has new versions that mitigate the vulnerability.
Hitachi published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Configuration Manager and Ops Center API Configuration Manager products. Hitachi has new versions that mitigate the vulnerability.
Hitachi Energy Advisories
Hitachi Energy published an advisory that describes four vulnerabilities in their RTU500 series CMU Firmware. Two of the vulnerabilities are third-party (libexpat) vulnerabilities. Hitachi Energy has new versions for three of the affected products, the other two have releases planned.
The four reported vulnerabilities are:
Improper handling of insufficient permissions or privileges - CVE-2026-1772,
Incomplete list of disallowed inputs - CVE-2026-1773,
Uncontrolled recursion - CVE-2024-8176, and
Allocation of resources without limit or throttling - CVE-2025-59375 (exploit).
Hitachi Energy published an advisory that describes two vulnerabilities in their Relion REB500 product. Hitachi Energy has a new version that mitigates the vulnerabilities.
Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability in their Ellipse product. This is a third-party (Jasper) vulnerability. Hitachi Energy provides generic mitigation measures pending development of a fix by Jasper.
HP Advisories
HP published an advisory that discusses four vulnerabilities in their LaserJet Enterprise and LaserJet Managed Printers. These are third-party (libexpat) vulnerabilities. HP has new firmware versions that mitigate the vulnerabilities.
The four reported vulnerabilities are:
Integer overflow or wraparound - CVE-2022-25315 (includes proof-of-concept code),
Exposure of resource to wrong sphere - CVE-2022-25236 (exploit),
Improper encoding or escaping of content - CVE-2022-25235, and
Uncontrolled recursion - CVE-2024-8176.
HP published an advisory that describes three improper check for unusual or exceptional conditions vulnerabilities in multiple product lines utilizing the Intel NPU driver. These are third-party (Intel) vulnerabilities. HP has SoftPaqs that mitigate the vulnerabilities.
HPE Advisories
HPE published an advisory that describes an authentication bypass vulnerability in their AutoPass License Server (APLS). HPE has a new version that mitigates the vulnerability.
HPE published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in their ProLiant AMD DL/XL Servers. This is a third-party (AMD) vulnerability. HPE has new BIOS versions that mitigate the vulnerability.
HPE published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in their SimpliVity Servers. This is a third-party (AMD) vulnerability. HPE has a new BIOS version that mitigates the vulnerability.
Sick Advisory
Sick published an advisory that describes two use of risky or broken cryptographic algorithm vulnerabilities in their LMS1000 and MRS1000 products. Sick has a new version that mitigates the vulnerabilities.
Supermicro Advisory
Supermicro published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in multiple products. This is a third-party (AMD) vulnerability. Supermicro has new BIOS versions that mitigate the vulnerability.