Welcome to ICS Critical Patch Updates January 2026, your Foxguard monthly overview of newly disclosed vulnerabilities affecting Industrial Control Systems (ICS) and Operational Technology (OT).
January’s cycle includes multiple critical disclosures affecting industrial edge platforms, engineering environments, controllers, and OT network infrastructure. Siemens reported two separate 10.0 authorization-bypass advisories tied to Industrial Edge, while Schneider Electric’s January set spans controller communications risks, third-party component exposure, and workstation-side project-file attack paths. ABB and Phoenix Contact advisories this month also reinforce a recurring theme: engineering tools and network devices remain high-value targets because they sit at pivotal trust boundaries in OT environments.
Note on CVSS Scores: January’s advisories include a mix of CVSS v3.1 and CVSS v4.0 ratings. Where both scores are available, we’ve referenced them as published. Use these base scores to guide remediation priority alongside your site-specific exposure (reachable interfaces, trust zones, and operational criticality).
Siemens
Siemens released multiple high-severity advisories in January affecting Industrial Edge deployments, SCADA/telecontrol server software, and distributed I/O, along with an updated COMOS advisory that remains highly severe:
- SSA-001536 – Authorization Bypass Vulnerability in Siemens Industrial Edge Devices
CVE: CVE-2025-40805 | CVSS v4.0: 10.0 (v3.1: 10.0)
An authorization bypass could allow an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user.
Recommendation: Update to fixed versions where available; where fixes are not yet available, apply Siemens’ advisory countermeasures (segmentation and limiting exposure of management interfaces).
- SSA-014678 – Authorization Bypass Vulnerability in Industrial Edge Device Kit
CVE: CVE-2025-40805 | CVSS v4.0: 10.0 (v3.1: 10.0)
A related authorization bypass could enable an unauthenticated attacker to bypass authentication and impersonate a legitimate user.
Recommendation: Update to fixed versions where available; where “no fix planned” is stated, follow Siemens’ mitigation guidance (hardening and restricting exposure/administrative access).
- SSA-192617 – Local Privilege Escalation Vulnerability in TeleControl Server Basic (before V3.1.2.4)
CVE: CVE-2025-40942 | CVSS v4.0: 7.3 (v3.1: 8.8)
A local privilege escalation could allow an attacker to run arbitrary code with elevated privileges.
Recommendation: Update TeleControl Server Basic to V3.1.2.4 or later.
- SSA-674753 – Denial-of-Service Vulnerability in ET 200SP
CVE: CVE-2025-40944 | CVSS v4.0: 8.7 (v3.1: 7.5)
A crafted S7 Disconnect Request may render the device unresponsive, requiring a power cycle.
Recommendation: Apply Siemens guidance to restrict access to affected interfaces/protocol paths, enforce segmentation, and apply product updates when available.
- SSA-212953 – Multiple Vulnerabilities in COMOS (Update)
CVE: CVE-2024-47875, CVE-2025-2783, CVE-2025-40800, CVE-2025-40801, CVE-2024-11053, CVE-2025-10148 | CVSS v4.0: 9.2 (v3.1: 10.0)
Multiple vulnerabilities affecting COMOS could enable outcomes including code execution, denial-of-service, data infiltration, and access control violations.
Recommendation: Update to Siemens’ fixed releases and apply Siemens hardening guidance for engineering environments.
Foxguard Insight: Siemens’ Industrial Edge advisories this month are a reminder that edge platforms often sit in a privileged position between IT and OT. An authorization bypass at that layer can undermine other controls quickly if management interfaces are reachable from broad networks. Prioritize remediation and, in parallel, tighten exposure of edge management services, restrict administrative access paths, and confirm segmentation is enforced as designed.
Schneider Electric
Schneider Electric’s January disclosures span third-party component exposure, controller communications risks, and engineering workstation attack paths involving project files:
- SEVD-2026-013-01 – Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx
CVE: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 | CVSS v3.1: 10.0 (CVE-2025-49844)
Multiple third-party issues (including Redis-related exposure) could enable privilege escalation leading to remote code execution.
Recommendation: Apply Patch ProLeiT-2025-001 (disables Redis eval commands) on Application Server/VisuHub/Engineering workstations and restart systems; follow Schneider hardening guidance.
- SEVD-2024-317-03 (v3.0.0) – Modicon Controllers M340 / Momentum / MC80 (Update)
CVE: CVE-2024-8937, CVE-2024-8938, CVE-2024-8936 | CVSS v4.0: up to 9.2
Modbus-related issues could allow loss of confidentiality/integrity and potentially arbitrary code execution under specific conditions.
Recommendation: Upgrade firmware (M340 SV3.65, Momentum SV2.80, MC80 SV2.1); segment networks; restrict TCP/502; apply ACL and hardening guidance.
- SEVD-2025-014-06 (v2.0.0) – RemoteConnect and SCADAPack™ x70 Utilities (Update)
CVE: CVE-2024-12703 | CVSS v4.0: 8.5 (v3.1: 7.8)
Deserialization of untrusted data could lead to loss of confidentiality/integrity and potential workstation-side code execution when opening a malicious project file.
Recommendation: Update RemoteConnect to R3.4.2; until other remediation is available, only open trusted project files, verify hashes, encrypt and restrict access, and use secure transfer protocols.
- SEVD-2026-013-04 – Multiple Vulnerabilities on EcoStruxure Power Build Rapsody
CVE: CVE-2025-13845, CVE-2025-13844 | CVSS v4.0: 8.4 (v3.1: 7.8)
Memory corruption issues could allow code execution when importing a malicious Rapsody project (SSD) file.
Recommendation: Upgrade to fixed versions listed in the advisory and restart services; if not patched, restrict project files to trusted sources and scan for malware.
- SEVD-2026-013-02 – Incorrect Default Permissions Vulnerability on EcoStruxure™ Process Expert
CVE: CVE-2025-13905 | CVSS v3.1: 7.3 (v4.0: 7.0)
Incorrect default permissions could enable privilege escalation through modification of service binaries (triggered on restart).
Recommendation: Apply Schneider remediation steps/upgrades and enforce workstation hardening and least privilege.
- SEVD-2025-189-03 – EcoStruxure™ Power Operation (PostgreSQL-related)
CVE: CVE-2023-50447, CVE-2024-28219, CVE-2022-45198, CVE-2023-5217, CVE-2023-35945, CVE-2023-44487 | CVSS v3.1: 7.5 (per NVD for CVE-2023-44487)
Multiple PostgreSQL dependency CVEs impacting EcoStruxure Power Operation; remediation centers on updating the bundled PostgreSQL version.
Recommendation: Upgrade to EPO 2024 CU2; otherwise restrict PostgreSQL to localhost, uninstall it if unused, or manually upgrade PostgreSQL per advisory guidance.
- SEVD-2026-013-03 – Multiple Third-Party Vulnerabilities on Zigbee Products
CVE: CVE-2024-6350 (also: CVE-2024-6351, CVE-2024-6352, CVE-2024-10106, CVE-2024-7322) | CVSS v3.1: 6.5
Silicon Labs EmberZNet Zigbee issues could enable denial-of-service, causing products to become unavailable.
Recommendation: Tighten network joining controls, use install codes where possible, avoid well-known keys, and replace defaults with unique keys.
- SEVD-2025-042-02 (v3.0.0) – Improper Input Validation Vulnerability in Uni-Telway Driver (Update)
CVE: CVE-2024-10083 | CVSS v4.0: 6.8 (v3.1: 5.5)
Improper input validation could cause local DoS on an engineering workstation when invoked with crafted input.
Recommendation: Apply mitigations and hardening if needed; otherwise uninstall the Uni-Telway driver where it is not required.
Foxguard Insight: Schneider’s January set shows how frequently OT risk comes from supporting components and engineering workflows rather than the controller alone. Third-party services, controller protocols, and project-file handling all appear as recurring pressure points. Focus on patching where fixes exist and treat engineering workstations and project repositories as controlled assets with strict trust rules, integrity checks, and least-privilege access.
ABB
ABB published a January advisory impacting ABB RobotStudio:
- ABB RobotStudio – Multiple Vulnerabilities
CVE: CVE-2025-4676 | CVSS v4.0: 8.4 (v3.1: 8.8); CVE-2025-4675, CVE-2025-4677 | CVSS v4.0: 7.1 (v3.1: 6.5)
Multiple issues in RobotStudio could impact engineering environments and downstream workflows depending on how systems are used and exposed.
Recommendation: Apply ABB’s recommended remediation/updated versions and enforce defense-in-depth controls around engineering workstations.
Foxguard Insight: Engineering tools like RobotStudio are often trusted by default because they are part of standard operational workflows. When weaknesses exist in those tools, the risk is less about the workstation in isolation and more about what the workstation is allowed to touch. Patch promptly, limit local admin rights, and keep engineering environments separated from production networks with monitored, intentional pathways.
Phoenix Contact
Phoenix Contact (via CERT@VDE) released two January advisories affecting switching and routing components:
- VDE-2025-071 – Multiple Vulnerabilities in FL SWITCH 2xxx Firmware
CVE: Multiple CVEs – see advisory for details | CVSS v3.1: up to 8.8
Multiple vulnerabilities affect FL SWITCH 2xxx firmware prior to v3.50, including file system access issues and additional impacts such as disclosure, integrity compromise, or denial-of-service.
Recommendation: Upgrade to firmware v3.50 or later, restrict management access to trusted networks, disable unused services/protocols, and enforce segmentation.
- VDE-2025-073 – Code Injection Vulnerability in TC ROUTER and CLOUD CLIENT
CVE: CVE-2025-41717 | CVSS v3.1: 8.8
Code injection in the configuration upload interface could allow an authenticated attacker to execute arbitrary commands and fully compromise the device.
Recommendation: Upgrade to fixed firmware versions (e.g., TC ROUTER ≥ 3.08.8, CLOUD CLIENT ≥ 3.07.7), restrict administrative access, only upload trusted configuration files, and segment networks.
Foxguard Insight: These Phoenix Contact advisories reinforce that network infrastructure is not neutral plumbing in OT environments. Switches and routers shape reachability and trust boundaries, and faults in their management or configuration interfaces can have outsized impact. Prioritize updates for devices that bridge zones, then verify management access is restricted to a dedicated administrative network with strong authentication and logging.
Mitsubishi Electric
Mitsubishi Electric’s January-relevant advisories focus on ICONICS/GENESIS product families, including one high-severity update and one lower-scored but still operationally meaningful tampering issue:
- Mitsubishi Electric PSIRT – Multiple Vulnerabilities in GENESIS, GENESIS64, ICONICS Suite, MC Works64, GENESIS32, and BizViz (Update)
CVE: CVE-2024-8299, CVE-2024-8300, CVE-2024-9852 | CVSS v3.1: 7.8 / 7.0 / 7.8
Malicious code execution vulnerabilities may allow arbitrary code execution when a crafted DLL is placed in the application environment.
Recommendation: Update products to the versions listed in the advisory, restrict installation environments, and apply Mitsubishi Electric hardening guidance.
- Mitsubishi Electric – Information Tampering Vulnerability in Multiple Services of GENESIS64, ICONICS Suite, MC Works64, GENESIS, GENESIS32, and BizViz (Update)
CVE: CVE-2025-0921 | CVSS v3.1: 6.5
A local attacker could use a symbolic link technique to redirect writes and tamper with arbitrary files, potentially destroying required files and causing a denial-of-service condition on the host PC.
Recommendation: Restrict logins to administrators, block remote login from untrusted networks and non-admin users, enforce firewall/VPN controls if Internet-connected, restrict physical access, and avoid interacting with untrusted emails/attachments.
Foxguard Insight: Mitsubishi’s advisories are a useful reminder that local-access issues can still matter in OT, especially where a small number of servers support multiple functions and teams. If an engineering or SCADA host is shared, local tampering can become an availability problem quickly. Keep patching aligned to maintenance windows, but also reduce day-to-day risk through access controls, admin separation, and tighter host hardening on systems that run these suites.
CISA
CISA’s January ICS advisories span asset management platforms, monitoring devices, and industrial analytics environments, and include one lower-scored advisory that is still relevant in environments where IoT and OT networks intersect:
- ICSA-26-008-01 – Hitachi Energy Asset Suite
CVE: CVE-2025-10492 | CVSS v3.1: 9.8 (v4.0: 8.7)
A critical third-party component vulnerability (JasperReports) may enable remote code execution in affected deployments.
Recommendation: Apply Hitachi Energy remediation/updates for the impacted component; restrict server access and limit exposure of management interfaces.
- ICSA-26-006-01 – Columbia Weather Systems MicroServer
CVE: CVE-2025-61939, CVE-2025-66620, CVE-2025-64305 | CVSS v3.1: up to 8.8 (v4.0: up to 8.7)
Multiple issues could enable disruptive outcomes depending on attacker position and system configuration.
Recommendation: Update/mitigate per vendor guidance; restrict administrative access and management exposure; segment networks to reduce attack paths.
- ICSA-26-013-02 – Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud
CVE: CVE-2025-12807 | CVSS v4.0: 8.7
Exposed API paths may allow low-privilege users to perform sensitive database operations.
Recommendation: Apply the vendor fix/updated version; enforce least privilege and restrict service/API access.
- ICSA-26-013-01 – Rockwell Automation 432ES-IG3 Series A
CVE: CVE-2025-9368 | CVSS v4.0: 8.7 (v3.1: 7.1)
A denial-of-service condition can require a manual power cycle for recovery.
Recommendation: Apply firmware/update guidance; isolate affected devices from untrusted networks and restrict exposed interfaces.
- ICSA-26-013-03 – YoSmart YoLink Smart Hub
CVE: CVE-2025-59452, CVE-2025-59448, CVE-2025-59449, CVE-2025-59450, CVE-2025-59451 | CVSS v3.1: up to 5.8
Multiple issues could enable unauthorized access or information exposure depending on CVE and threat position.
Recommendation: Apply vendor patches where available; minimize exposure and strictly segregate IoT systems from OT/ICS networks; monitor for abnormal access patterns.
Foxguard Insight: The CISA advisories this month point to familiar failure modes: exposed services, vulnerable third-party components, and weak boundaries between systems with different trust expectations. Where patching is in progress or delayed, exposure control usually makes the difference. Reduce direct reachability to affected platforms, confirm that management interfaces are not internet-facing, and keep IoT and OT separated with clear policy and enforcement.
Actionable Recommendations
January’s advisories include critical authorization bypass issues in Siemens Industrial Edge, high-severity Schneider updates affecting controller communications and engineering utilities, and firmware issues in OT network devices. Several items also highlight the continuing risk from third-party components and project-file workflows.
The priorities for most environments remain consistent: patch what is exposed or high-privilege first, restrict management-plane reachability, and use segmentation and monitoring to reduce risk while remediation is underway.
To reduce exposure and maintain operational stability, Foxguard recommends:
- Prioritize Siemens Industrial Edge remediation immediately: Patch/upgrade affected Industrial Edge Devices and Industrial Edge Device Kit deployments and restrict management-plane exposure where fixes are not available.
- Harden controller communications and OT access paths: Apply Schneider Modicon firmware updates, restrict Modbus exposure (TCP/502), and enforce ACLs and segmentation.
- Treat project files and engineering workflows as high-risk inputs: Apply Schneider RemoteConnect and Rapsody remediations; enforce “trusted files only,” integrity checking, and least privilege on engineering workstations.
- Patch OT network infrastructure first where it bridges zones: Update Phoenix Contact FL SWITCH and TC ROUTER/CLOUD CLIENT firmware and lock down device management interfaces to trusted admin networks.
- Reduce blast radius while patching: Segment networks, limit remote access, verify patch deployment success, and monitor for anomalous access attempts across ICS/OT and supporting systems.
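The prioritization rule above (published base score weighed against reachable interfaces, trust zone, and operational criticality, with "patch where a fix exists, otherwise reduce exposure") can be made repeatable. The script below is an added example, not Foxguard tooling or any vendor's scoring model; the exposure multipliers and the zone/reach/criticality values in the sample inventory are constructed assumptions, while the advisory IDs and base scores come from this month's list.

```python
from dataclasses import dataclass
from typing import List

# Exposure multipliers are illustrative assumptions, not a published model;
# tune them to your own site risk model.
ZONE_WEIGHT = {"enterprise": 1.0, "dmz": 1.2, "control": 1.4, "safety": 1.6}
REACH_WEIGHT = {"isolated": 0.5, "site_lan": 1.0, "internet": 1.8}
CRIT_WEIGHT = {"low": 0.8, "medium": 1.0, "high": 1.3}


@dataclass(frozen=True)
class Finding:
    advisory: str        # vendor/CISA advisory ID from the monthly cycle
    asset: str
    cvss: float          # published base score (v4.0 where given, else v3.1)
    zone: str            # trust zone the asset sits in
    reach: str           # broadest network the affected interface is reachable from
    criticality: str     # operational criticality of the process it supports
    fix_available: bool  # vendor fix released for the installed version


def priority(f: Finding) -> float:
    """Base score scaled by site exposure: the same CVE ranks higher when it is
    reachable from broad networks, sits in a higher-trust zone, or supports a
    process the site cannot afford to lose."""
    score = f.cvss * ZONE_WEIGHT[f.zone] * REACH_WEIGHT[f.reach] * CRIT_WEIGHT[f.criticality]
    return round(score, 2)


def action(f: Finding) -> str:
    """Patch where a fix exists; otherwise cut reachability until one ships."""
    if f.fix_available:
        return "patch"
    return "mitigate: restrict management-plane reachability and segment"


def rank(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=priority, reverse=True)


# Constructed sample inventory: advisory IDs and scores are from the January
# list; zone, reach, criticality and fix status are made-up site attributes.
SAMPLE = [
    Finding("SSA-001536", "Industrial Edge Device", 10.0, "dmz", "internet", "high", False),
    Finding("SEVD-2024-317-03", "Modicon M340", 9.2, "control", "site_lan", "high", True),
    Finding("VDE-2025-071", "FL SWITCH 2xxx", 8.8, "control", "site_lan", "high", True),
    Finding("SSA-674753", "ET 200SP", 8.7, "control", "isolated", "medium", False),
    Finding("ICSA-26-013-03", "YoLink Smart Hub", 5.8, "enterprise", "internet", "low", True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):6.2f}  {f.advisory:18} {f.asset:24} {action(f)}")
```

Note that the isolated ET 200SP drops below the internet-reachable IoT hub despite its higher base score, which is the point of weighing exposure rather than sorting by CVSS alone.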
How Foxguard Can Help
January’s disclosures show how broad the patching problem is in real environments. The work is not only applying updates, but also deciding what to prioritize, validating versions, and reducing exposure where patching cannot be immediate. Foxguard supports operators by helping them assess impact across ICS and OT assets, plan remediation that fits operational constraints, and implement practical controls that reduce risk without adding unnecessary complexity.
Our services include:
- FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.
- FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.
- FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.
- FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.
- FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.
Foxguard works alongside operators to make sense of a patch landscape that can quickly become overwhelming, providing analysis and context so teams can prioritize patching and hardening efforts effectively.
Stay Ahead of Threats
January’s advisories highlight a pattern that will be familiar to most OT teams. The most serious risks are not limited to controllers alone, but often sit in edge platforms, engineering tools, management services, and the network infrastructure that connects them. When those systems are exposed or overly trusted, a single weakness can have operational consequences well beyond the affected product.
Staying ahead of this risk is less about reacting to individual CVEs and more about maintaining discipline over patching, access control, and network boundaries. Knowing which systems matter most, limiting who and what can reach them, and verifying that controls continue to work over time remains the most effective way to reduce exposure.
If your organization needs support prioritizing remediation, validating patch status, or reducing risk while updates are staged, Foxguard works alongside OT and ICS teams to help turn advisory information into practical, defensible action. Reach out to our team today, and let us know how we can help you.
Your security is our priority. Stay vigilant and stay protected.