Public ICS Disclosures – Week of 2-7-26 – Part 1
This is a relatively busy disclosure week for the week of Cyber Tuesday. We have 43 bulk vendor disclosures from FortiGuard (6), Hitachi (8), HP (8), HPE (14), QNAP (7). We also have 10 bulk updates from Siemens (10). There are also other vendor disclosures from Bosch, Meinberg, Pheonix Contact, Schneider (2), and Siemens (2).
Bulk Disclosures – FortiGuard
Bulk Disclosures – Hitachi
Vulnerability in Cosminexus HTTP Server and Hitachi Web Server,
Multiple Vulnerabilities in Cosminexus HTTP Server and Hitachi Web Server,
Bulk Disclosures – HP
Bulk Disclosures – HPE
HPE Aruba Networking EdgeConnect SD-WAN Orchestrator, Multiple Vulnerabilities,
Multiple Vulnerabilities in HPE Aruba Networking Private 5G Core.
Bulk Disclosures – QNAP
Bulk Updates – Siemens
Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.1,
Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.2,
Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices,
Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices,
DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery,
Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1,
Vulnerabilities in EFI variable of SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs, and
Bosch Advisory
Bosch published an advisory that describes four deserialization of untrusted data vulnerabilities in their Rexroth IndraWorks product. The vulnerabilities were reported by Trend Micro. Bosch has a new version pending that will mitigate two of the four vulnerabilities, additional fixes are being developed.
Meinberg Advisory
Meinberg published an advisory that discusses 21 vulnerabilities in their LANTIME product. These are third-party vulnerabilities. Meinberg has a new firmware version that mitigates the vulnerabilities.
Pheonix Contact Advisory
Pheonix Contact published an advisory that discusses an improperly controlled sequential memory allocation vulnerability in their mGuard products. This is a third-party (OpenSSL) vulnerability. Pheonix Contact has a new firmware version that mitigates the vulnerability.
Schneider Advisories
Schneider published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their SCADAPack and Remote Connect products. Schneier has new versions that mitigate the vulnerability.
Schneider published an advisory that describes two vulnerabilities in their EcoStruxureTM Building Operation Workstation and EcoStruxureTM Building Operation Webstation products. The vulnerabilities were separately reported by Pentest Limited and Robin Plugge. Schneider has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Improper restriction of XML external entity reference - CVE-2026-1227, and
Code injection - CVE-2026-1226.
Siemens Advisories
Siemens published an advisory that describes six vulnerabilities in their Simcenter Femap and Nastran products. The vulnerabilities were reported by Michael Heinzl. Siemens has new versions that mitigate the vulnerabilities.
The six reported vulnerabilities are:
Out-of-bounds write - CVE-2026-23715,
Out-of-bounds read (4) - CVE-2026-23716, CVE-2026-23717, CVE-2026-23718, and CVE-2026-23720, and
Heap-based buffer overflow - CVE-2026-23719.
Siemens published a bulletin that describes an absence of anti-tamper protections and modern exploit mitigation controls in the SIPORT Desktop Client Application. Siemens provides generic mitigation measures and notes that a fix is not planned.