Welcome to Foxguard’s ICS Critical Patch Updates February 2026, covering advisories released between January 17 and February 10, 2026.
February’s cycle highlights a significant concentration of risk within engineering software and infrastructure management platforms, centering on recurring fault lines: engineering software that processes untrusted files; authentication and certificate validation gaps in identity and OPC integrations; controller-level denial-of-service risks; and network-facing services that rely on proper segmentation to remain safe. Several vendors also published high-severity issues where no immediate patch is available, shifting the burden to exposure control and architectural discipline.
Note on CVSS Scores: February’s advisories utilize a combination of CVSS v3.1 and CVSS v4.0 ratings. Where both are available, we’ve referenced vendor-published scores. As always, severity is only part of the equation. Exposure, reachability, and the operational role of the asset should guide your prioritization.
Siemens
Siemens released several critical updates this month, most notably a major update to the COMOS engineering suite and a critical sweep of third-party vulnerabilities in SINEC OS affecting the RUGGEDCOM and SCALANCE families.
- SSA-212953 – Multiple Vulnerabilities in COMOS (Update)
CVE: CVE-2024-47875, CVE-2025-2783, CVE-2025-40800, CVE-2025-40801, CVE-2024-11053, CVE-2025-10148
CVSS v3.1: 10.0 | CVSS v4.0: 9.2
Multiple issues in COMOS may allow arbitrary code execution, denial of service, data infiltration, or access control violations depending on deployment.
Recommendation: Update to fixed releases listed by Siemens and apply Siemens hardening guidance for engineering environments.
- SSA-089022 – Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3
CVE: Multiple | CVSS v3.1: 10.0 | CVSS v4.0: 8.2
SINEC OS versions prior to V3.3 include vulnerable third-party components affecting products such as RUGGEDCOM and SCALANCE families.
Recommendation: Upgrade to SINEC OS V3.3 or later per Siemens remediation guidance.
- SSA-507364 – Heap-Based Buffer Overflow in WIBU CodeMeter Runtime (Desigo CC / SENTRON Powermanager)
CVE: CVE-2023-38545 | CVSS v3.1: 8.8 (no v4.0 score published)
A vulnerability in CodeMeter Runtime used by affected Desigo CC versions could allow code execution within the current process context.
Recommendation: Uninstall older CodeMeter versions, install CodeMeter User Runtime V8.40b or later, restart services, and update affected products to fixed versions where available.
- SSA-965753 – Multiple File Parsing Vulnerabilities in Simcenter Femap and Nastran Before V2512
CVE: CVE-2026-23715 through CVE-2026-23720
CVSS v3.1: 7.8 | CVSS v4.0: 7.3
Malicious NDB/XDB files could trigger crashes or potentially arbitrary code execution when opened.
Recommendation: Update to V2512 or later and restrict file intake to trusted sources.
- SSA-535115 – Data Validation Vulnerability in NX Before V2512
CVE: CVE-2026-22923 | CVSS v3.1: 7.8 | CVSS v4.0: 7.3
Missing data validation could allow a local attacker on a compromised system to interfere with internal data during PDF export, potentially leading to code execution.
Recommendation: Upgrade to NX V2512 or later and follow Siemens system-hygiene guidance.
- SSA-445819 – Out-of-Bounds Read in Parasolid Translator (Solid Edge)
CVE: CVE-2025-40936 | CVSS v3.1: 7.8 | CVSS v4.0: 7.3
A crafted IGS file could cause a crash or potentially enable code execution.
Recommendation: Update Solid Edge to V226.00 Update 03 or later.
- SSA-035571 – Stored Cross-Site Scripting in Polarion Before V2506
CVE: CVE-2025-40587 | CVSS v3.1: 7.6 | CVSS v4.0: 6.2
Malicious JavaScript can be embedded in document titles and executed when viewed by authenticated users.
Recommendation: Update to fixed Polarion versions (e.g., V2404.5+ or V2410.2+ as applicable).
Foxguard Insight: Siemens’ February disclosures again put engineering environments in the spotlight. COMOS and multiple file-handling advisories (Simcenter, NX, Solid Edge) are reminders that engineering tools are often exposed to untrusted inputs through normal work—shared files, vendor packages, and project handoffs. Patch quickly where you can, but also treat engineering workstations and file repositories as controlled assets: limit who can introduce files, keep privileges tight, and avoid letting engineering systems become a bridge between networks.
Schneider Electric
Schneider’s February advisories focus on controller communications and building management environments.
- SEVD-2026-041-01 – Improper Check for Unusual or Exceptional Conditions (SCADAPack 47x/47xi, 57x, RemoteConnect)
CVE: CVE-2026-0667 | CVSS v3.1: 9.8 | CVSS v4.0: 9.3
Malformed Modbus TCP communications could lead to arbitrary code execution, denial of service, or loss of integrity/confidentiality.
Recommendation: Upgrade to SCADAPack 47x/47xi R3.4.2 (firmware 9.12.2) and RemoteConnect R3.4.2. If immediate patching is not feasible, enable RTU firewall services, disable the logic debug service, and enforce segmentation.
- SEVD-2026-041-02 – Multiple Vulnerabilities in EcoStruxure™ Building Operation (Workstation/WebStation)
CVE: CVE-2026-1227, CVE-2026-1226 | CVSS v3.1: 7.3 | CVSS v4.0: 7.0
Specially crafted TGML graphics files could result in file disclosure, denial of service, or unintended code execution within the application.
Recommendation: Apply Schneider patches for affected EBO branches (6.0.x and 7.0.x). Enforce strong access controls, enable MFA where supported, and restrict graphics file intake.
Foxguard Insight: Schneider’s higher-severity item this month is a good example of why controller-adjacent services matter as much as the controller itself. When Modbus TCP handling goes wrong, the real deciding factor becomes reachability—who can talk to the RTU, and from where. On the EBO side, file and graphics workflows are the quiet risk: if many users can upload or import TGML content, it’s worth tightening that process and keeping those workstations treated like privileged systems, not general desktops.
Rockwell Automation
Rockwell’s advisories this cycle include denial-of-service conditions and plaintext credential exposure.
- SD1767 – Verve Asset Manager Plaintext Storage Vulnerabilities
CVE: CVE-2025-14376, CVE-2025-14377 | CVSS v3.1: up to 7.9 | CVSS v4.0: up to 8.8
Sensitive information stored in plaintext could be retrieved by an attacker with system access.
Recommendation: Upgrade to fixed versions and restrict administrative access to asset-management systems.
- SD1768 – ArmorStart® LT Multiple Denial-of-Service Vulnerabilities
CVE: CVE-2025-9464 through CVE-2025-9283 | CVSS v3.1: 7.5 | CVSS v4.0: 8.7
Multiple DoS conditions may allow a remote attacker to disrupt device availability. No corrective update is currently available.
Recommendation: Restrict network access, place devices behind firewalls or segmented OT zones, and limit exposure to trusted hosts only.
- SD1769 – ControlLogix® Redundancy Module Upgrade Notice (1756-RM2(XT))
CVE: CVE-2025-14027 | CVSS v3.1: 7.5 | CVSS v4.0: 8.7
A vulnerability affecting legacy redundancy modules prompted a recommendation to migrate to 1756-RM3(XT).
Recommendation: Plan migration to supported hardware; apply interim mitigations and segmentation if upgrade cannot be immediate.
- SD1770 – CompactLogix® 5370 Denial-of-Service Vulnerability
CVE: CVE-2025-11743 | CVSS v3.1: 6.5 | CVSS v4.0: 7.1
A crafted request may render the controller unavailable.
Recommendation: Update to fixed firmware versions and limit exposure to trusted networks.
Foxguard Insight: Rockwell’s set this month splits into two practical buckets: availability risks on devices (including one with no fix yet), and sensitive data handling in an asset management platform. For ArmorStart LT, segmentation and strict access controls are the main levers until a corrective update exists. For Verve Asset Manager, treat it like a privileged OT system: restrict access, keep it off broad networks, and ensure credentials and administrative paths are tightly controlled.
ABB
ABB and its B&R division disclosed authentication, certificate validation, and denial-of-service issues this month:
- 9AKK108472A1331 – ABB Ability™ OPTIMAX® Authentication Bypass (SSO with Azure AD)
CVE: CVE-2025-14510 | CVSS v3.1: 8.1 | CVSS v4.0: 9.2
An authentication bypass in Single-Sign-On integration could allow unauthorized access under certain federation conditions.
Recommendation: Upgrade to remediated versions and review identity-provider configuration and federation paths.
- SA25P004 – Automation Studio Insufficient Server Certificate Validation
CVE: CVE-2025-11043 | CVSS v3.1: 7.4 | CVSS v4.0: 9.1
Improper certificate validation in OPC-UA and ANSL-over-TLS clients could enable man-in-the-middle interference.
Recommendation: Upgrade to Automation Studio 6.5 or later and enforce trusted certificate authorities.
- SA25P005 – B&R Automation Runtime Improper Handling of Flooding Conditions on ANSL Server
CVE: CVE-2025-11044 | CVSS v3.1: 6.8 | CVSS v4.0: 8.9
An unauthenticated attacker could trigger a race condition leading to persistent denial-of-service.
Recommendation: Upgrade to Automation Runtime 6.5 and/or R4.93 or later.
Foxguard Insight: Identity integration and certificate validation failures continue to appear across vendors. When engineering tools and analytics platforms rely on federation or OPC communications, misconfigurations can weaken otherwise solid segmentation strategies. Ensure that federation paths are restricted and that MFA is enforced at the identity provider level to mitigate the risk of SSO-based bypasses.
Phoenix Contact
Phoenix Contact released a February advisory addressing an availability issue in FL MGUARD devices:
- VDE-2025-109 – Unbounded Growth of Session Cache (FL MGUARD 2xxx/4xxx)
CVE: CVE-2024-2511 | CVSS v3.1: 5.9 (no v4.0 score published)
A remote attacker could exhaust memory via excessive TLS connections, triggering device reboots.
Recommendation: Disable the TCP encapsulation service where possible and upgrade to firmware 10.6.0 or later.
Foxguard Insight: Even when the base score is lower, availability issues on boundary devices can cause outsized disruption if the device sits between zones or supports remote access. Review which services are enabled and confirm that unused encapsulation features are not left exposed. Disable services that aren’t needed, and check for other “enabled by default” services in the same sweep.
Mitsubishi Electric
Mitsubishi Electric released two advisories this cycle affecting FA controllers and supporting software:
- Information Disclosure / Tampering / DoS in MELSEC iQ-R Series
CVE: CVE-2025-15080 | CVSS v4.0: 8.8 (no v3.1 score published)
Improper validation in proprietary and SLMP communications could allow a remote attacker to read or modify device data or cause a denial-of-service condition on affected MELSEC iQ-R Series R08/16/32/120PCPU firmware versions “48” and prior.
Recommendation: Restrict access to trusted networks, apply firewall/IP filtering, and avoid direct exposure to untrusted hosts.
- Malicious Code Execution in FREQSHIP-mini for Windows
CVE: CVE-2025-10314 | CVSS v3.1: 8.8 (no v4.0 score published)
Incorrect default permissions could allow a local attacker to replace executables or DLLs and execute arbitrary code with system privileges.
Recommendation: Restrict remote login to administrators, block untrusted network access, and limit physical and logical access to affected PCs.
Foxguard Insight: Mitsubishi’s protocol advisory is the kind of issue that becomes serious based on network placement. If industrial protocols are reachable from untrusted networks, attackers will experiment with them. Tight filtering at the edge of control networks is not optional. The UPS software issue is a reminder that “supporting” systems can carry elevated privileges and deserve the same hardening standards as controllers. Keep those PCs locked down and avoid treating them as convenient shared systems.
CISA
CISA released multiple advisories this cycle, including critical disclosures for building management, EV charging, and unauthenticated RCE in encoders:
- ICSA-26-027-04 – Johnson Controls Metasys Products
CVE: CVE-2025-26385 | CVSS v3.1: 10.0 (no v4.0 score published)
Command injection vulnerability in ADS/ADX server components allows unauthenticated attackers to bypass security.
Recommendation: Execute the Metasys patch for GIV-165989; close incoming TCP port 1433.
- ICSA-26-027-01 – iba Systems ibaPDA
CVE: CVE-2025-14988 | CVSS v3.1: 9.8 (no v4.0 score published)
Incorrect permission assignment for a critical resource could allow unauthorized actions on the file system.
Recommendation: Upgrade to ibaPDA v8.12.1 or later; enable User Management and set strong passwords.
- ICSA-26-027-02 – Festo Didactic SE MES PC
CVE: Multiple CVEs (see advisory) | CVSS v3.1: Up to 9.8 (no v4.0 score published)
Multiple vulnerabilities in the pre-installed XAMPP bundle allow for complete system compromise.
Recommendation: Replace XAMPP with the Festo Didactic Factory Control Panel application; patch the underlying OS.
- ICSA-26-029-01 – KiloView Encoder Series
CVE: CVE-2026-1453 | CVSS v3.1: 9.8 (no v4.0 score published)
Remote code execution via unauthenticated crafted requests to the encoder management interface.
Recommendation: Update to the latest firmware released in January 2026; change all default passwords.
- ICSA-26-022-08 – EVMAPA
CVE: CVE-2025-54816, CVE-2025-53968, CVE-2025-55705 | CVSS v3.1: 9.4 (no v4.0 score published)
Missing authentication for critical functions in the WebSocket endpoint allows unauthorized remote command execution.
Recommendation: Connect charging stations via secure VPN; implement WebSocket Secure (WSS).
- ICSA-26-022-06 – Hubitat Elevation Hubs
CVE: CVE-2026-1201 | CVSS v3.1: 9.1 (no v4.0 score published)
Authorization bypass allows an attacker to control connected devices outside of their scope.
Recommendation: Update firmware to 2.4.2.157 or later; ensure hubs are not directly internet-accessible.
- ICSA-26-020-02 – Schneider Electric CODESYS Runtime
CVE: Multiple CVEs (see advisory) | CVSS v3.1: Up to 8.8 (no v4.0 score published)
Runtime vulnerabilities could allow remote code execution or denial-of-service.
Recommendation: Apply firmware updates for Modicon M241, M251, and M262 controllers; disable the web server if not required.
- ICSA-26-022-05 – Weintek cMT X Series HMI
CVE: CVE-2025-14750, CVE-2025-14751 | CVSS v3.1: Up to 8.3 (no v4.0 score published)
EasyWeb Service fails to sufficiently verify inputs, allowing manipulation of account privileges.
Recommendation: Update HMI firmware to the latest available versions; disable web services if not required.
- ICSA-26-022-07 – Delta Electronics DIAView
CVE: CVE-2026-0975 | CVSS v3.1: 7.8 (no v4.0 score published)
Improper neutralization of command strings allows code execution when a malicious project file is loaded.
Recommendation: Update DIAView to version 4.4 or later; verify the source of all project files.
- ICSA-26-022-01 – Schneider Electric EcoStruxure Process Expert
CVE: CVE-2025-13905 | CVSS v3.1: 7.3 (no v4.0 score published)
Incorrect default permissions could allow a local user to escalate privileges via binary modification.
Recommendation: Apply application whitelisting; restrict system access and monitor for local permission changes.
- ICSA-26-022-04 – Johnson Controls Inc. iSTAR Configuration Utility
CVE: CVE-2025-26386 | CVSS v3.1: 7.1 (no v4.0 score published)
Stack-based buffer overflow in the ICU tool could result in system failure or local code execution.
Recommendation: Update iSTAR ICU to version 6.9.8 or later; restrict tool usage to authorized workstations.
Foxguard Insight: CISA’s February list spans exposed management services, weak controls around critical functions, and platforms that become high-impact targets when they sit on the wrong side of a boundary. For most environments, the priority is to patch anything that’s reachable from outside its intended zone first and disable web services or remote interfaces that aren’t required. Where patching will take time, strict segmentation and access control usually make the difference.
Actionable Recommendations
February’s disclosures span engineering software, controller communications, identity integrations, and a long list of CISA-issued advisories covering building systems, HMIs, EV infrastructure, and exposed management services. Prioritise based on reachability and privilege first, then operational impact.
To reduce exposure and keep systems stable, Foxguard recommends:
- Patch high-impact engineering and design tooling first: Prioritise Siemens COMOS, then NX / Solid Edge / Simcenter updates. Treat engineering workstations as privileged assets and keep them off broad networks.
- Lock down file and project workflows: Several advisories this month hinge on opening or processing crafted files (engineering data, TGML graphics, project files). Restrict who can import/upload, use controlled repositories, and avoid “email-to-engineering” file paths.
- Reduce controller protocol exposure: Apply Schneider SCADAPack/RemoteConnect remediation and treat Modbus TCP reachability as a design decision, not a convenience. Use segmentation, RTU firewall services, and disable debug/unused services.
- Contain availability risks where fixes don’t exist yet: For Rockwell ArmorStart LT (no corrective update), treat segmentation and strict allow-listing as the control. Keep affected devices behind firewalls and limit who can talk to them.
- Treat identity and certificate issues as operational risks: Apply ABB OPTIMAX fixes and address certificate validation in Automation Studio. Restrict federation paths, keep certificate stores clean, and don’t allow engineering interfaces to be reachable from untrusted networks.
- Harden boundary devices and management interfaces: Apply Phoenix Contact updates and disable unused services (like TCP encapsulation) where possible. For CISA-listed products, prioritise anything with exposed web services, management interfaces, or unauthenticated RCE paths.
- Tighten access to “supporting” OT systems: Asset managers and UPS shutdown software can become high-value footholds. Keep them off shared networks, restrict admin paths, and enforce least privilege and monitoring.
During patch rollout, verify versions on real assets (not just the change ticket), watch for unexpected reboots or service failures, and keep segmentation in place until remediation is confirmed.
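One way to run that version check against an asset export is sketched below. It is an added example, not Foxguard tooling: the fixed versions are the ones quoted in this bulletin, while the inventory records and their field names (name, product, observed, reachable_outside_zone) are constructed for illustration. Products whose fixes are branch-specific or carry letter suffixes (Polarion, CodeMeter) are left out because a single numeric threshold does not describe them.

```python
import re

# Minimum fixed versions quoted in this bulletin (plain dotted-numeric schemes only).
FIXED = {
    "SINEC OS": "3.3",
    "FL MGUARD": "10.6.0",
    "ibaPDA": "8.12.1",
    "DIAView": "4.4",
    "iSTAR ICU": "6.9.8",
    "Hubitat Elevation": "2.4.2.157",
    "Automation Studio": "6.5",
}

def parse_version(text):
    """Turn 'V3.3', 'v8.12.1' or '10.6.0' into a tuple of ints."""
    cleaned = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))

def is_remediated(observed, fixed):
    """Compare numerically, padded so 3.3 == 3.3.0 and 4.10 > 4.4."""
    a, b = parse_version(observed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def outstanding(inventory):
    """Assets still below the fixed version, cross-zone-reachable ones first."""
    todo = []
    for asset in inventory:
        fixed = FIXED.get(asset["product"])
        if fixed is None:
            continue  # product not in the table above
        try:
            ok = is_remediated(asset["observed"], fixed)
        except ValueError:
            ok = False  # unreadable version counts as unverified, not as patched
        if not ok:
            todo.append({**asset, "fixed": fixed})
    todo.sort(key=lambda a: (not a["reachable_outside_zone"], a["name"]))
    return todo

# Constructed sample inventory: versions as read from the devices, not the change ticket.
INVENTORY = [
    {"name": "sw-01", "product": "SINEC OS", "observed": "V3.2.1", "reachable_outside_zone": False},
    {"name": "fw-edge", "product": "FL MGUARD", "observed": "10.5.1", "reachable_outside_zone": True},
    {"name": "pda-01", "product": "ibaPDA", "observed": "v8.12.1", "reachable_outside_zone": False},
    {"name": "hmi-scada", "product": "DIAView", "observed": "4.10", "reachable_outside_zone": False},
    {"name": "eng-ws-07", "product": "Automation Studio", "observed": "unknown", "reachable_outside_zone": True},
    {"name": "hub-01", "product": "Hubitat Elevation", "observed": "2.4.2.156", "reachable_outside_zone": False},
]

if __name__ == "__main__":
    for a in outstanding(INVENTORY):
        print(f'{a["name"]}: {a["product"]} {a["observed"]} < {a["fixed"]}')
```

Comparing versions as integer tuples matters here: a plain string comparison would rank DIAView 4.10 below 4.4 and flag a patched host.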
How Foxguard Can Help
February’s advisories span controllers, engineering software, identity integrations, and network appliances. Determining what to patch first, what can wait for a maintenance window, and what requires architectural mitigation takes more than reading CVSS scores.
Foxguard helps operators understand vulnerability impact, prioritize patches, validate deployments, and reduce exposure while respecting operational constraints. Our solutions cover asset and network visibility, vulnerability management, patch intelligence, secure deployment, and managed services tailored to ICS/OT environments.
- FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.
- FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.
- FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.
- FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.
- FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.
Foxguard works alongside operators to make sense of a patch landscape that can quickly become overwhelming, providing analysis and context so teams can prioritize patching and hardening efforts effectively.
Stay Ahead of Threats
February’s advisories reflect a pattern we’ve seen repeatedly: risks emerge not just from controllers, but from the tools, services, and integration points around them. File parsing in engineering tools, certificate validation in OPC clients, authentication flows in analytics platforms, and management interfaces on edge devices all sit in positions of trust.
Staying ahead is less about reacting to each CVE individually and more about maintaining discipline. Patch where exposure and privilege intersect. Restrict what can talk to your controllers. Keep engineering systems separated from production networks. Verify that identity integrations and certificate stores are configured as intended.
If your team is struggling to prioritize this month’s critical updates, Foxguard is here to help translate these advisories into an actionable plan. Reach out to our experts today to secure your infrastructure.
Your security is our priority. Stay vigilant and stay protected.