Welcome to Foxguard’s ICS Critical Patch Updates March 2026, covering advisories released between February 11 and March 11, 2026.
March brings a broad set of disclosures across a wide range of vendors and operational environments. Siemens leads with twelve advisories, several at critical severity. Schneider Electric’s set spans the EcoStruxure portfolio alongside a carried-forward critical update for ProLeiT infrastructure. CISA covers building automation, refrigeration, energy infrastructure, industrial serial gateways, and SCADA platforms, with several entries carrying no patch at time of publication.
Two patterns define this month’s risk landscape. Pre-authentication vulnerabilities dominate the most severe entries, where network placement is the deciding factor for exploitability. Separately, the number of advisories with no available firmware fix is higher than in recent months, shifting the immediate burden to exposure control and architectural discipline rather than patch deployment.
Note on CVSS Scores: March advisories reference a mix of CVSS v3.1 and CVSS v4.0 ratings. Where both are published, we’ve included both. Base scores alone don’t determine priority—reachability, authentication requirements, and the operational role of the affected asset matter at least as much.
Schneider Electric
Schneider Electric released seven advisories this month, including a carried-forward critical update for ProLeiT infrastructure and a set of new high-severity disclosures across the EcoStruxure platform:
- SEVD-2026-013-01 – Multiple Third-Party Vulnerabilities in ProLeiT Plant iT/Brewmaxx
CVE: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 | CVSS v3.1: 10.0 (CVE-2025-49844); no v4.0 score published
A Use After Free vulnerability in the Redis component of ProLeiT Plant iT/Brewmaxx v9.60 and above could allow remote code execution with elevated privileges. Additional CVEs cover integer overflow, code injection, and out-of-bounds read conditions.
Recommendation: Install patch ProLeiT-2025-001 on all Application Servers, VisuHubs, Engineering Workstations, and emergency-mode Workstations. Force secure Redis configuration templates and restart all patched systems. Patch available via ProLeiT Support.
- SEVD-2026-069-04 – Code Injection Vulnerability in EcoStruxure Automation Expert
CVE: CVE-2026-2273 | CVSS v3.1: 8.2 | CVSS v4.0: 7.2
An authenticated user opening a malicious project file could trigger arbitrary command execution on the engineering workstation, potentially resulting in full system compromise.
Recommendation: Update to EcoStruxure Automation Expert v25.0.1 or later. Until patched, store solution and archive files only in directories protected by Windows file-system access controls and verify file authenticity before opening.
- SEVD-2026-069-06 – Deserialization of Untrusted Data in EcoStruxure Power Monitoring Expert and Power Operation
CVE: CVE-2025-11739 | CVSS v3.1: 7.8 | CVSS v4.0: 8.5
A locally authenticated attacker sending a crafted data stream can trigger unsafe deserialization, leading to arbitrary code execution with administrative privileges. Affects PME versions 2022–2024 R2 and EPO Advanced Reporting and Dashboards Module versions 2022 and 2024.
Recommendation: Apply available hotfixes for PME 2023 R2 and 2024 R2, or upgrade to PME 2024 R3. For end-of-life versions (PME 2022, EPO 2022), enforce network isolation, Windows firewall rules, complex password policies, and least privilege access controls. Contact Schneider Electric Customer Care for hotfixes.
- SEVD-2025-014-07 – FlexNet Publisher Local Privilege Escalation Affecting Multiple EcoStruxure Products
CVE: CVE-2024-2658 | CVSS v3.1: 7.8 | CVSS v4.0: 8.5
An uncontrolled search path element in the Revenera FlexNet Publisher component affects a wide range of EcoStruxure products including Control Expert, Process Expert, Machine Expert, OPC UA Server Expert, and Vijeo Designer. A local attacker could exploit this to execute a malicious DLL with elevated privileges. This update adds remediations for EcoStruxure Machine Expert and Machine Expert Twin.
Recommendation: Update to fixed versions per product where available. Where no fix exists yet, limit authenticated user access to the workstation and enforce User Account Control practices.
- SEVD-2026-013-04 – Multiple Vulnerabilities in EcoStruxure Power Build Rapsody
CVE: CVE-2025-13845, CVE-2025-13844 | CVSS v3.1: 7.8 (CVE-2025-13845) | CVSS v4.0: 8.4
A Use After Free vulnerability (CVE-2025-13845) allows remote code execution when importing a malicious SSD project file. A related Double Free (CVE-2025-13844) can cause heap memory corruption under the same conditions.
Recommendation: Update to the fixed regional versions listed in the advisory. Until patched, restrict project files to trusted sources and scan externally created files before opening.
- SEVD-2026-069-05 – Hard-coded Credentials in EcoStruxure IT Data Center Expert
CVE: CVE-2025-13957 | CVSS v3.1: 7.2 | CVSS v4.0: 7.5
When the SOCKS Proxy feature is enabled and administrator credentials are known, hard-coded PostgreSQL credentials in EcoStruxure IT Data Center Expert v9.0 and prior could be exploited for information disclosure and remote code execution.
Recommendation: Upgrade to v9.1. If immediate patching isn’t possible, ensure SOCKS Proxy remains disabled and follow the hardening guidelines in the EcoStruxure IT Data Center Expert Security Handbook.
- SEVD-2026-069-03 – Deserialization of Untrusted Data in EcoStruxure Foxboro DCS
CVE: CVE-2026-1286 | CVSS v3.1: 6.5 | CVSS v4.0: 7.0
An admin-authenticated user opening a malicious project file in EcoStruxure Foxboro DCS versions prior to CS8.1 could trigger loss of confidentiality and integrity, with potential for remote code execution on the compromised workstation.
Recommendation: Upgrade to Foxboro DCS CS8.1 (free upgrade for existing customers with FX-V3 license—contact your Schneider Electric Field Service Representative). Until patched, open only trusted project files, hash-verify regularly, encrypt at rest, and use secure protocols for file transfer.
Foxguard Insight: The EcoStruxure portfolio’s attack surface extends well beyond the controller, and this month’s Schneider advisories reflect that clearly. Project file handling, deserialization paths, and third-party components like FlexNet and Redis keep surfacing as pressure points across the portfolio. Most of these advisories require either local access or a user interaction step, which makes controlling what enters the engineering environment as important as patching it. Engineering workstations should be treated as privileged assets—file intake paths restricted, project repositories access-controlled and auditable, and informal transfer routes closed off.
Siemens
Siemens published thirteen advisories this month, with significant concentration around FortiGate NGFW components on RUGGEDCOM hardware, SINEC OS third-party vulnerabilities across three separate OS branches, and a no-fix-available stored XSS in the S7-1500:
- SSA-212953 – Multiple Vulnerabilities in COMOS
CVE: Multiple (see advisory) | CVSS v3.1: 10.0 | CVSS v4.0: 9.2
Multiple issues in COMOS could allow arbitrary code execution, denial of service, data infiltration, and access control violations depending on the affected component and deployment scenario.
Recommendation: Update to fixed releases and apply Siemens hardening guidance for COMOS engineering environments.
- SSA-089022 – Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3
CVE: Multiple (see advisory) | CVSS v3.1: 10.0 | CVSS v4.0: 8.2
SINEC OS versions prior to V3.3 include third-party components with critical vulnerabilities affecting RUGGEDCOM and SCALANCE product families, including paths to unauthenticated remote code execution.
Recommendation: Upgrade to SINEC OS V3.3 or later per Siemens remediation guidance.
- SSA-430425 – Multiple Vulnerabilities in SINEC Security Monitor before V4.9.0
CVE: Multiple including CVE-2026-27661 (see advisory) | CVSS v3.1: 9.9 | CVSS v4.0: 9.4
The most critical vulnerability allows an authenticated low-privileged remote attacker to execute arbitrary code with root privileges via improper validation of user input to the ssmctl-client command. A second issue allows privileged OS command execution locally. Additional weaknesses include path traversal and permissive input validation.
Recommendation: Update to SINEC Security Monitor V4.9.0 or later and restrict network access to the SINEC Security Monitor server.
- SSA-975644 – Multiple Vulnerabilities in FortiGate NGFW on RUGGEDCOM APE1808 Devices
CVE: Multiple (see advisory) | CVSS v3.1: 9.8 (no v4.0 score published)
The most severe vulnerability is an authentication bypass (CWE-288) that could allow unauthenticated remote attackers to gain access. Additional CVEs cover HTTP request/response smuggling, improper verification of communication source, and use of externally-controlled format strings.
Recommendation: Consult and implement the workarounds provided in Fortinet’s upstream security notifications for each CVE.
- SSA-770770 – Multiple Vulnerabilities in FortiGate NGFW Before V7.4.7 on RUGGEDCOM APE1808 Devices
CVE: Multiple (see advisory) | CVSS v3.1: 9.8 | CVSS v4.0: 9.1
An accumulation of FortiGate NGFW vulnerabilities affecting RUGGEDCOM APE1808 deployments, spanning heap-based buffer overflows, missing authentication for critical functions, and SSL-VPN weaknesses.
Recommendation: Upgrade FortiGate NGFW to V7.4.7 or later. Apply Fortinet upstream workarounds for CVEs where no firmware fix is yet available.
- SSA-082556 – Vulnerabilities in the Additional GNU/Linux Subsystem of SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5
CVE: Multiple (see advisory) | CVSS v3.1: 9.8 | CVSS v4.0: 8.7
The most critical vulnerability is a heap-based buffer overflow in the curl SOCKS5 proxy handshake. Additional high-severity CVEs cover stack-based buffer overflows, out-of-bounds writes, and use-after-free conditions across Linux kernel, OpenSSL, curl, glibc, and systemd components.
Recommendation: Apply available firmware updates per the advisory and restrict network access to the affected CPU. Refer to upstream CVE advisories for component-specific workarounds.
- SSA-613116 – Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.1
CVE: Multiple (see advisory) | CVSS v3.1: 9.8 (no v4.0 score published)
Third-party component vulnerabilities in SINEC OS prior to V3.1 affect RUGGEDCOM and SCALANCE product families, with paths to unauthenticated remote code execution.
Recommendation: Update to SINEC OS V3.1 or later per Siemens remediation guidance.
- SSA-452276 – Stored Cross-Site Scripting Vulnerability in SIMATIC S7-1500
CVE: CVE-2025-40943 | CVSS v3.1: 9.6 | CVSS v4.0: 9.4
An unauthenticated attacker who can upload a malicious trace file can inject persistent JavaScript into the S7-1500 web interface, executing in the browser of any authenticated user who views the affected page. No firmware fix is currently available.
Recommendation: Disable the PLC web server where not required and restrict access to TCP ports 80 and 443 to trusted IP addresses. Only upload trace files from trusted sources.
- SSA-355557 – Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.2
CVE: Multiple (see advisory) | CVSS v3.1: 9.1 | CVSS v4.0: 6.9
Third-party component vulnerabilities in SINEC OS prior to V3.2 affect RUGGEDCOM and SCALANCE product families across high and critical severity outcomes.
Recommendation: Update to SINEC OS V3.2 or later per Siemens remediation guidance.
- SSA-485750 – Multiple Vulnerabilities in SIDIS Prime Before V4.0.800
CVE: Multiple (see advisory) | CVSS v3.1: 8.7 | CVSS v4.0: 9.4
Multiple third-party component vulnerabilities in SIDIS Prime, including use of insufficiently random values enabling HTTP Parameter Pollution (CWE-330), cross-site scripting, OS command injection, uncontrolled recursion leading to denial of service, and information disclosure.
Recommendation: Update SIDIS Prime to V4.0.800 or later and restrict network access to SIDIS Prime deployments.
- SSA-201595 – Privilege Escalation in WIBU CodeMeter Runtime Affecting Desigo CC and SENTRON Powermanager
CVE: CVE-2025-40937 | CVSS v3.1: 8.2 | CVSS v4.0: 8.2
A Least Privilege Violation in WIBU CodeMeter Runtime could allow a local attacker with high privileges to escalate to SYSTEM-level, resulting in full host compromise across affected Desigo CC and SENTRON Powermanager deployments.
Recommendation: Update WIBU CodeMeter Runtime to a version later than V8.30a (currently V8.40) per Siemens’ update instructions and restart affected services.
- SSA-868571 – Missing Server Certificate Validation in IAM Client
CVE: CVE-2025-27406 | CVSS v3.1: 7.4 | CVSS v4.0: 9.1
Missing server certificate validation in the Siemens IAM Client affects a broad range of products including NX, Simcenter X, Solid Edge, and SiemensIQ platform products. An unauthenticated attacker in a man-in-the-middle position could intercept and manipulate communications between client and IAM server.
Recommendation: Update to fixed versions per product as listed in the advisory. Where fixes are not yet available, restrict network access to IAM communication paths.
- SSA-903736 – Multiple Vulnerabilities in SICAM SIAPP SDK before V2.1.7
CVE: CVE-2026-25569, CVE-2026-25570, CVE-2026-25571, CVE-2026-25572, CVE-2026-25573, CVE-2026-25605 | CVSS v3.1: 7.4 (CVE-2026-25573) | CVSS v4.0: 8.6
A relative path traversal vulnerability (CVE-2026-25573) allows an authenticated remote attacker to read arbitrary files from the underlying Linux file system of SICAM A8000 series devices. A secondary improper input validation issue (CVE-2026-25571) allows authenticated file writes to arbitrary locations.
Recommendation: Update SICAM SIAPP SDK to V2.1.7 or later. Restrict network access to SICAM A8000 devices and limit authenticated access to trusted users.
Foxguard Insight: Three separate SINEC OS advisories covering V3.1, V3.2, and V3.3 branches in one month reflect how third-party component debt accumulates in complex platforms over time. If your RUGGEDCOM or SCALANCE deployments are not on the latest SINEC OS branch, known-exploitable vulnerabilities are present in devices that frequently sit at critical network boundaries. The two FortiGate NGFW advisories on APE1808 devices warrant separate attention—these are the firewall and VPN components operators rely on for zone separation, and an authentication bypass at that layer has direct implications for everything behind it. On SSA-452276: with no firmware fix available for the S7-1500 stored XSS, disabling the web server on PLCs that don’t need it removes the attack surface entirely and requires no maintenance window.
ABB
ABB published two advisories this month, both affecting the AC500 V3 PLC platform and its associated engineering software.
- 3ADR011524 – AC500 V3 PLC Multiple Vulnerabilities
CVE: CVE-2025-2595, CVE-2025-41659, CVE-2025-41691 | CVSS v3.1: 8.3 | CVSS v4.0: 8.7 (CVE-2025-41659)
Three vulnerabilities affect all AC500 V3 PLC products (PM5xxx series) running firmware prior to v3.9.0. CVE-2025-41659 allows a low-privileged remote attacker to access the PKI folder via CODESYS protocol, enabling read and write access to certificates and cryptographic keys. CVE-2025-41691 allows an unauthenticated attacker to cause denial-of-service via a NULL pointer dereference. CVE-2025-2595 allows unauthenticated read of static visualization files via forced browsing.
Recommendation: Update AC500 V3 PLC firmware to version 3.9.0 via Automation Builder 2.9.0. No workarounds are available; patching is the only remediation.
- 3ADR011525 – ABB Automation Builder Gateway for Windows with Insecure Defaults
CVE: CVE-2024-41975 | CVSS v3.1: 5.3 | CVSS v4.0: 6.9
The Automation Builder Windows gateway component listens on all network adapters on port 1217 by default, allowing unauthenticated remote attackers to discover connected AC500 PLCs. While PLC user management prevents direct access if enabled, this exposes PLC network topology to potential attackers.
Recommendation: Upgrade to Automation Builder 2.9.0 or later, which defaults the gateway to local access only. As an immediate workaround, set LocalAddress=127.0.0.1 in the [CmpGwCommDrvTcp] section of the gateway configuration file and restart the gateway service.
Foxguard Insight: The higher-severity AC500 V3 finding involves CODESYS protocol access to PKI key material. If an attacker can read and write certificates and keys on a PLC, they undermine trust in everything that depends on those credentials—a consequence that goes beyond simple availability impact. The gateway discovery issue is lower-scored but operationally significant; topology exposure is frequently the groundwork for targeted attacks on OT infrastructure. Both issues are resolved by the same firmware update.
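To confirm the 3ADR011525 workaround on a workstation, the gateway configuration can be checked for the loopback binding. The following is an added example, not ABB or Foxguard code; the sample file contents are constructed, and the path to the gateway configuration file is supplied by the operator because the advisory summary above does not name it.

```python
import configparser
import ipaddress
import sys

SECTION = "CmpGwCommDrvTcp"  # section named in the advisory workaround
KEY = "LocalAddress"         # key named in the advisory workaround


def audit_gateway_config(text):
    """Classify gateway config text: ok, exposed, invalid or unparseable."""
    parser = configparser.ConfigParser(
        strict=False,                   # tolerate duplicate sections or keys
        interpolation=None,             # treat '%' literally
        allow_no_value=True,
        inline_comment_prefixes=(";",),
    )
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ("unparseable", str(exc))

    # Match the section name case-insensitively; key lookup already is.
    section = next((s for s in parser.sections()
                    if s.lower() == SECTION.lower()), None)
    if section is None:
        # Without the override the product default applies, which the
        # advisory describes as all adapters before Automation Builder 2.9.0.
        return ("exposed", f"[{SECTION}] missing, product default applies")

    value = (parser[section].get(KEY) or "").strip()
    if not value:
        return ("exposed", f"{KEY} not set, product default applies")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return ("invalid", f"{KEY}={value!r} is not an IP address")
    if addr.is_loopback:
        return ("ok", f"{KEY}={addr} (local access only)")
    return ("exposed", f"{KEY}={addr} is reachable from the network")


# Constructed sample contents, not taken from a real installation.
SAMPLE_HARDENED = "[CmpGwCommDrvTcp]\nLocalAddress=127.0.0.1\n"
SAMPLE_COMMENTED_OUT = "[CmpGwCommDrvTcp]\n;LocalAddress=127.0.0.1\n"
SAMPLE_ALL_ADAPTERS = "[cmpgwcommdrvtcp]\nLocalAddress = 0.0.0.0\n"

if __name__ == "__main__":
    # Usage: python audit_gateway.py <path-to-gateway-config-file>
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            status, detail = audit_gateway_config(fh.read())
        print(f"{sys.argv[1]}: {status}: {detail}")
        sys.exit(0 if status == "ok" else 1)
    for name, sample in [("hardened", SAMPLE_HARDENED),
                         ("commented out", SAMPLE_COMMENTED_OUT),
                         ("all adapters", SAMPLE_ALL_ADAPTERS)]:
        print(name, audit_gateway_config(sample))
```

A commented-out or missing key is reported as exposed because the setting only takes effect when it is actually present; the gateway service still has to be restarted after the change, as the recommendation states.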
Mitsubishi Electric
Mitsubishi Electric published two advisories this month affecting Ethernet modules and CNC controllers.
- Multiple Denial-of-Service Vulnerabilities in MELSEC iQ-F Series EtherNet/IP Module and Ethernet Module
CVE: CVE-2026-1874, CVE-2026-1875, CVE-2026-1876 | CVSS v4.0: 8.7 (no v3.1 score published)
Three denial-of-service vulnerabilities in the Ethernet function of MELSEC iQ-F Series modules allow a remote unauthenticated attacker to trigger uncontrolled receive buffer consumption via continuous UDP packets, causing a denial-of-service condition that requires a manual system reset to recover. Affects FX5-ENET/IP and FX5-EIP variants.
Recommendation: Update FX5-ENET/IP firmware to v1.107 or later for CVE-2026-1874. Fixed versions for FX5-EIP are scheduled for future release; no fix is planned for CVE-2026-1876. For all affected products: deploy firewalls or VPNs to prevent unauthorized access, apply IP filter functions to restrict access to trusted hosts, and restrict physical access to the hardware.
- Denial-of-Service Vulnerability in Mitsubishi Electric CNC Series
CVE: CVE-2025-2399 | CVSS v3.1: 5.9 (no v4.0 score published)
A remote unauthenticated attacker can send specially crafted packets to TCP port 683, causing an out-of-bounds memory read and triggering an emergency shutdown on affected CNC controllers. A system reset is required for recovery. Affects M800V/M80V, M800/M80/E80, C80, M700V/M70V/E70 Series, and NC Trainer2 products.
Recommendation: Apply fixed firmware where available (M800V/M80V: version BC or later; M800/M80/E80: version FN or later). No fix is currently available for C80, M700V/M70V/E70, or NC Trainer2. For all products: deploy firewalls and VPNs, apply IP filtering on supported models, and restrict physical access.
Foxguard Insight: Both advisories describe denial-of-service conditions that require manual recovery—in a production environment, that means unplanned downtime and a field visit. Several CNC product families have no fix available, and reachability of TCP port 683 from untrusted systems is the full extent of the exposure. Verify firewall rules are actively enforced rather than assumed and confirm IP filtering is applied on models that support it.
Rockwell Automation
Rockwell published one advisory this month—a carried-forward update to a long-standing critical vulnerability on the CISA Known Exploited Vulnerabilities catalog.
- PN1550 – Authentication Bypass Vulnerability in Logix Controllers
CVE: CVE-2021-22681 | CVSS v3.1: 10.0 (no v4.0 score published)
A private key used by Studio 5000 Logix Designer to verify authenticity of Logix controller communications can be extracted, allowing a remote unauthenticated attacker to bypass authentication and make unauthorized changes to controller configuration and application code. No patch is available. Affects CompactLogix, ControlLogix, GuardLogix, DriveLogix, FlexLogix, SoftLogix, and associated RSLogix 5000 / Studio 5000 software.
Recommendation: Deploy CIP Security where supported; block TCP port 44818 from outside the ICS network; isolate controllers behind firewalls; use VPNs for remote access; monitor for unauthorized controller changes via FactoryTalk AssetCentre.
Foxguard Insight: CVE-2021-22681 has been on the CISA KEV catalog since 2022 and remains unpatched. Its continued presence in monthly updates is a prompt to verify—not assume—that mitigations are still active. CIP Security deployment and TCP port 44818 restriction are the primary controls, but both need to be confirmed on live assets. If the affected Logix families in your environment haven’t been audited recently for network access paths, that work belongs on the list.
CISA
CISA released twelve ICS advisories this month, spanning building automation, SCADA platforms, industrial serial gateways, refrigeration systems, power monitoring, and energy infrastructure.
- ICSA-26-069-03 – Honeywell IQ4x BMS Controller
CVE: CVE-2026-3611 | CVSS v3.1: 10.0 (no v4.0 score published)
When no user accounts have been created on Honeywell IQ4x BMS controllers, the full web HMI is accessible without authentication, allowing any remote attacker to create administrator accounts, gain full read/write control of HVAC systems, access sensitive configuration data, and cause denial-of-service conditions. A public proof-of-concept exploit exists. No patch is currently available.
Recommendation: Create a web user account via the U.htm interface immediately to force-enable authentication. Isolate all BMS devices in firewalled, segmented networks; disable remote access unless strictly necessary; audit for any internet-exposed IQ4x devices.
- ICSA-26-055-01 – InSAT MasterSCADA BUK-TS
CVE: CVE-2026-21410, CVE-2026-22553 | CVSS v3.1: 9.8 (no v4.0 score published)
SQL injection (CVE-2026-21410) and OS command injection (CVE-2026-22553) vulnerabilities in InSAT MasterSCADA BUK-TS are both remotely exploitable without authentication, providing separate paths to arbitrary code execution on the SCADA platform.
Recommendation: Apply updates from InSAT. Restrict web interface access to trusted IP addresses; isolate MasterSCADA systems behind firewalls; disable web interface access where not required; monitor for unauthorized access attempts.
- ICSA-26-069-02 – Lantronix EDS3000PS and EDS5000
CVE: CVE-2025-67039, CVE-2025-70082, CVE-2025-67041 (EDS3000PS); CVE-2025-67034 through CVE-2025-67038 (EDS5000) | CVSS v3.1: 9.8 (no v4.0 score published)
Hard-coded passwords, missing authentication for critical functions, and relative path traversal in Lantronix EDS3000PS and EDS5000 industrial serial-to-Ethernet device servers could allow an unauthenticated remote attacker to gain full device access, traverse file systems, or cause denial-of-service conditions.
Recommendation: Apply available firmware updates from Lantronix. Restrict network access, place devices behind firewalls and segment from IT networks, disable unused services, and change default credentials immediately.
- ICSA-26-057-01 – Johnson Controls Frick Controls Quantum HD
CVE: CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660 | CVSS v3.1: 9.1 (no v4.0 score published)
Six vulnerabilities in Frick Controls Quantum HD firmware v10.22 and earlier can lead to pre-authentication remote code execution, information leakage, or denial of service. Vulnerability types include OS command injection, code injection, relative path traversal, and plaintext storage of a password.
Recommendation: Update firmware to version 10.23 or later. Minimize network exposure; isolate refrigeration control systems behind firewalls; use VPNs for any required remote access.
- ICSA-26-050-02 – Valmet DNA Engineering Web Tools
CVE: CVE-2025-15577 | CVSS v3.1: 8.6 (no v4.0 score published)
A path traversal vulnerability in Valmet DNA Engineering Web Tools versions C2022 and earlier allows an unauthenticated remote attacker to manipulate the web maintenance service URL and read arbitrary files from the server, potentially exposing credentials and configuration data from the Valmet DNA automation platform.
Recommendation: Contact Valmet automation customer service for the available fix. Minimize network exposure of DNA Engineering Web Tools; ensure the web maintenance service is not internet-accessible; restrict to trusted hosts via firewall rules and use VPNs for remote access.
- ICSA-26-050-01 – EnOcean SmartServer IoT
CVE: CVE-2026-20761, CVE-2026-22885 | CVSS v3.1: 8.1 (CVE-2026-20761); no v4.0 score published
A command injection vulnerability in EnOcean SmartServer IoT v4.60.009 and prior allows a remote unauthenticated attacker to achieve arbitrary OS command execution via crafted LON IP-852 management messages. A secondary memory corruption/leak vulnerability provides a further path to device compromise via malformed IP-852 messages.
Recommendation: Update SmartServer IoT firmware to v4.70 or later. Isolate devices behind firewalls; restrict LON IP-852 management interface access to trusted hosts; use VPNs for any required remote access.
- ICSA-26-048-03 – GE Vernova Enervista UR Setup
CVE: Multiple (see advisory) | CVSS v3.1: 7.8 (no v4.0 score published)
Multiple vulnerabilities in GE Vernova Enervista UR Setup engineering software could allow a local attacker to execute arbitrary code via a malicious configuration file, potentially enabling unauthorized modification of relay protection settings in energy infrastructure.
Recommendation: Update to the latest available version. Only open configuration files from trusted sources. Restrict access to relay engineering workstations and apply network segmentation between engineering and protection relay networks.
- ICSA-26-048-02 – Delta Electronics ASDA-Soft
CVE: Multiple (see advisory) | CVSS v3.1: 7.8 (no v4.0 score published)
Out-of-bounds read/write and heap-based buffer overflow conditions in Delta Electronics ASDA-Soft servo drive configuration software could allow an attacker to execute arbitrary code on the engineering workstation via a malicious project file.
Recommendation: Update ASDA-Soft to the latest available version. Only open project files from trusted sources. Restrict access to engineering workstations and apply standard OT network segmentation.
- ICSA-26-064-01 – Delta Electronics CNCSoft-G2
CVE: CVE-2026-3094 | CVSS v3.1: 7.8 (no v4.0 score published)
An out-of-bounds write vulnerability (CWE-787) in Delta Electronics CNCSoft-G2 could allow arbitrary code execution when a user opens a malicious project file. This vulnerability requires local user interaction and is not remotely exploitable.
Recommendation: Update CNCSoft-G2 to the latest available version. Only open project files from trusted sources. Isolate engineering workstations from business networks.
- ICSA-26-062-03 – Hitachi Energy RTU500 Product
CVE: CVE-2026-1773 and additional CVEs (see advisory) | CVSS v3.1: 7.5 (no v4.0 score published)
The most severe vulnerability (CVE-2026-1773, CWE-184) could allow a remote unauthenticated attacker to cause a denial-of-service condition or exploit memory corruption in RTU500 series devices used in critical energy infrastructure. Additional CVEs affect IEC 60870-5-104 and IEC 61850 communication functionality.
Recommendation: Apply firmware updates per RTU500 model as listed in the Hitachi Energy advisory. Restrict management interface access; use IEC 62351-3 TLS for secure communications where supported; apply network segmentation and firewall rules.
- ICSA-26-057-09 – Yokogawa CENTUM VP R6, R7
CVE: CVE-2025-1924, CVE-2025-48023 | CVSS v3.1: 6.9 (CVE-2025-1924); 6.5 (CVE-2025-48023); no v4.0 score published
Two vulnerabilities in the Vnet/IP Interface Package for Yokogawa CENTUM VP R6 and R7 (versions R1.07.00 and earlier). CVE-2025-1924 could allow a remote attacker to cause denial-of-service or execute arbitrary programs via maliciously crafted packets. CVE-2025-48023 could allow process termination of the Vnet/IP software stack via crafted packets.
Recommendation: Update the Vnet/IP Interface Package to R1.08.00 or later. Apply network segmentation to isolate CENTUM VP systems; restrict access to Vnet/IP communication paths; monitor for abnormal DCS network traffic.
- ICSA-26-062-02 – Hitachi Energy Relion REB500 Product
CVE: CVE-2026-2459, CVE-2026-2460 | CVSS v3.1: 6.8 (no v4.0 score published)
Two privilege-related vulnerabilities (CWE-267) in Hitachi Energy Relion REB500 protection relay versions up to 8.3.3.0 allow a remote authenticated attacker to leverage elevated privileges to perform unsafe actions, potentially disrupting protection functions in energy grid deployments.
Recommendation: Apply Hitachi Energy firmware updates as listed in the advisory. As a workaround, disable the Installer role and enable it only during firmware update processes. Restrict network access to protection relay management interfaces.
Foxguard Insight: This month’s CISA list is operationally varied—building automation, refrigeration, power monitoring, energy protection relays, and industrial serial infrastructure all appear together. Three advisories have no patch available, and the Honeywell IQ4x carries a public proof-of-concept. For that advisory, creating a web user account is a single action that removes the unauthenticated access condition immediately. The cluster of project-file vulnerabilities across GE Vernova, Delta ASDA-Soft, and Delta CNCSoft-G2 is worth treating as a category: the trust model around how files enter engineering environments deserves the same attention as the software running them.
Actionable Recommendations
March’s disclosures span controllers, engineering software, network infrastructure, building automation, refrigeration systems, and energy protection devices. Several have no available patch, which shifts the immediate priority to exposure control alongside scheduled remediation. To reduce risk and maintain operational stability, Foxguard recommends:
- Close pre-authentication exposure first. Honeywell IQ4x (CVSS 10.0, public PoC, no patch), InSAT MasterSCADA (CVSS 9.8), Lantronix EDS (CVSS 9.8), and the Johnson Controls Frick Quantum HD all present unauthenticated remote attack paths. Verify network placement and isolation for each. For IQ4x specifically, creating a web user account via U.htm removes the exposure immediately.
- Verify Rockwell PN1550 mitigations are still active. CVE-2021-22681 has no patch and sits on the CISA KEV catalog. Confirm TCP port 44818 is blocked from outside the ICS network and CIP Security is deployed where supported. Confirm on live assets, not change records.
- Work through the Siemens SINEC OS backlog across all three branches. Three separate advisories covering V3.1, V3.2, and V3.3 appeared in one month. Treat them as a coordinated remediation effort. A prior update to one branch doesn’t cover the others. Prioritize devices at network boundaries first.
- Treat the FortiGate NGFW advisories on APE1808 as firewall-class risk. SSA-975644 and SSA-770770 affect zone separation devices. Apply Fortinet upstream workarounds now and schedule firmware upgrade to V7.4.7.
- Restrict file intake paths into engineering environments. GE Vernova Enervista, Delta ASDA-Soft, Delta CNCSoft-G2, Schneider Automation Expert, and Power Build Rapsody all involve malicious project file exploitation this month. Access-controlled repositories, integrity checking, and removing informal transfer routes are practical controls that apply across all of them.
- Patch and verify across the Schneider EcoStruxure set. ProLeiT-2025-001 is the only remediation for a CVSS 10.0 vulnerability. The FlexNet Publisher update now includes Machine Expert and Machine Expert Twin. Verify deployment against actual assets.
During rollout, confirm patch versions on live assets rather than relying on change records alone, watch for unexpected service disruptions after restart, and keep segmentation controls in place until remediation is confirmed complete.
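One way to confirm on live traffic that the port restrictions recommended above are enforced is to review firewall connection logs for allowed flows to the affected service ports from outside the trusted ICS ranges. This is an added example, not Foxguard or vendor code; the CSV column layout, the sample log lines and the `10.20.0.0/16` ICS range are constructed assumptions, while the port numbers come from the advisories in this update.

```python
import csv
import io
import ipaddress

# TCP ports named in this month's advisories.
WATCHED_PORTS = {
    44818: "Rockwell Logix controllers (PN1550, CVE-2021-22681)",
    683: "Mitsubishi Electric CNC (CVE-2025-2399)",
    1217: "ABB Automation Builder gateway (CVE-2024-41975)",
}

# Constructed sample export; columns are an assumption, adapt to your firewall.
SAMPLE_LOG = """timestamp,src,dst,dport,proto,action
2026-03-12T08:00:01Z,10.20.1.15,10.20.5.10,44818,tcp,allow
2026-03-12T08:00:07Z,192.0.2.44,10.20.5.10,44818,tcp,allow
2026-03-12T08:01:12Z,198.51.100.9,10.20.7.3,683,tcp,deny
2026-03-12T08:02:30Z,10.50.3.8,10.20.9.2,1217,tcp,allow
2026-03-12T08:03:00Z,192.0.2.44,10.20.5.10,443,tcp,allow
2026-03-12T08:03:05Z,10.20.1.15,10.20.7.3,683,udp,allow
"""

SAMPLE_TRUSTED = ["10.20.0.0/16"]  # hypothetical ICS address range


def review_flows(log_text, trusted_cidrs):
    """Return allowed flows to watched ports from untrusted sources,
    plus a count of such flows that the firewall denied."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    exposed, blocked = [], 0
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row.get("proto") or "").lower() != "tcp":
            continue
        try:
            port = int(row.get("dport") or "")
            src = ipaddress.ip_address((row.get("src") or "").strip())
        except ValueError:
            continue  # skip malformed rows rather than abort the review
        if port not in WATCHED_PORTS:
            continue
        if any(src in net for net in trusted):
            continue  # source is inside the trusted ICS range
        action = (row.get("action") or "").lower()
        if action == "allow":
            exposed.append({
                "time": row.get("timestamp"),
                "src": str(src),
                "dst": row.get("dst"),
                "port": port,
                "asset": WATCHED_PORTS[port],
            })
        elif action == "deny":
            blocked += 1  # evidence that the rule is being exercised
    return {"exposed": exposed, "blocked": blocked}


if __name__ == "__main__":
    result = review_flows(SAMPLE_LOG, SAMPLE_TRUSTED)
    for f in result["exposed"]:
        print(f"ALLOWED {f['src']} -> {f['dst']}:{f['port']}  {f['asset']}")
    print(f"denied flows from untrusted sources: {result['blocked']}")
```

An empty `exposed` list only shows that no such flow appeared in the reviewed window; it complements, and does not replace, checking the rule set on the device itself.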
How Foxguard Can Help
March covers a lot of ground—protection relays, CNC controllers, engineering workstations, serial gateways, and building automation systems all in one month. Translating that into a working remediation plan means knowing which assets are actually in your environment, which patches are ready to deploy, and how to sequence the work without creating operational risk in the process.
Foxguard works with operators to assess vulnerability impact against real asset inventories, build remediation plans that fit operational windows, and put interim controls in place where patching has to wait. Our solutions are built around the practical constraints of ICS and OT environments—where an unplanned outage has direct operational consequences and patch deployment rarely follows a straight line.
FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.
FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.
FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.
FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.
FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.
Foxguard works alongside operators to make sense of a patch landscape that can quickly become overwhelming, providing analysis and context so teams can prioritize patching and hardening efforts effectively.
Stay Ahead of Threats
March’s advisories are a practical test of how well an organization knows its own environment. A BMS controller with a public exploit and no patch, a four-year-old authentication bypass still sitting open, a PLC web server with no firmware fix on the horizon—taken individually, none of these are new categories of risk. Taken together, they put real pressure on asset visibility and network boundary discipline.
The teams that handle this well have done the groundwork: they know what’s deployed, what’s reachable, and they make deliberate calls about what gets patched in the current window versus what gets mitigated until the next. Consistent execution of that process is what stops risk from stacking up.
If your team needs support turning this month’s advisories into a prioritized, defensible action plan, reach out to our experts today.
Your security is our priority. Stay vigilant and stay protected.