// #critical-infrastructure
12 articles
Splunk Enterprise CVE-2026-20253 (CVSS 9.8): No-Authentication RCE Exposes SIEM Servers via PostgreSQL Sidecar
A critical remote code execution vulnerability in Splunk Enterprise allows unauthenticated attackers to run arbitrary commands on SIEM servers by targeting an exposed PostgreSQL sidecar service that bypasses all application-level authentication. CVE-2026-20253, rated CVSS 9.8, affects Splunk Enterprise 9.2.x and earlier on both Windows and Linux — a particularly damaging target given SIEM's visibility across the entire security estate.
Food and Beverage Sector Ransomware: Why Critical Infrastructure Classification Has Not Improved Security Outcomes
The US food and agriculture sector was designated critical infrastructure in 2003. In 2026, ransomware attacks against it are rising 80 per cent year on year. The gap between regulatory classification and actual security maturity reflects structural problems in how cybersecurity investment decisions are made in distributed, margin-sensitive industries.
Qilin Claims Sysco on Ransomware Leak Site — World's Largest Food Distributor Faces Deadline
Qilin ransomware operators have listed Sysco Corporation — the world's largest foodservice distribution company — on their dark web extortion site, claiming to hold data extracted from the company's networks. Sysco has not confirmed a breach. The listing appears amid an 80 per cent rise in ransomware pressure against the food and beverage sector in Q2 2026.
Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration
Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. Patches are available in BaSyx V2 milestone-10.
Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure
A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and Four Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. Organisations should audit edge device inventories and enforce firmware update policies.
Lotus Wiper Targets Venezuelan Energy Infrastructure in ICS-Aware Sabotage Campaign
A destructive wiper malware tracked as Lotus Wiper has been deployed against Venezuelan state energy company PDVSA and associated electricity generation infrastructure. Unlike generic wipers, Lotus Wiper includes ICS-aware modules that identify and corrupt engineering workstation configurations, HMI databases, and OT historian data before wiping. The campaign represents the most targeted wiper deployment against Latin American energy infrastructure on record.
Itron Smart Grid Giant Discloses Internal IT Breach via SEC Filing — Critical Infrastructure Supplier Affected
Itron, the world's largest smart meter and grid management vendor, has disclosed a breach of its internal IT network in an SEC 8-K filing. Attackers accessed systems supporting grid data analytics and workforce management. No operational technology networks were confirmed compromised, but the supplier-to-utility trust relationship demands immediate third-party risk assessment.
CVE-2026-6074: Unauthenticated Path Traversal in Intrado 911 Emergency Gateway Threatens PSAP Call Routing
CISA ICS advisory ICSA-26-113-06 discloses CVE-2026-6074, a CVSS 9.1 path traversal flaw in Intrado 911 Emergency Gateway versions 5.x–7.x that allows unauthenticated network access to read, write, and delete arbitrary files on the management interface. Exploitation could modify 911 call routing rules or disable emergency call processing. Intrado patched on March 2 2026 and is directly contacting affected PSAP operators.
CIRCIA Final Rule Expected May 2026: What Critical Infrastructure Operators Must Do Now
CISA is expected to publish the long-awaited CIRCIA final rule in May 2026, mandating 72-hour cyber incident reporting and 24-hour ransomware payment reporting for critical infrastructure sectors. With weeks remaining, organisations that have not started preparing face significant compliance and legal exposure when the rule takes effect.
Iranian-Affiliated Hackers Target US Water, Energy and Government Facilities via Internet-Exposed PLCs
A joint advisory from CISA, FBI, NSA, and the Department of Energy warns that Iranian-affiliated APT actors have been compromising internet-facing programmable logic controllers at water utilities, energy facilities and local government sites since at least March 2026. Operators should treat any internet-exposed OT device as potentially compromised and implement immediate network isolation.
CISA Publishes Dual ICS Advisories Covering Critical Flaws in Rockwell and Siemens OT Products
CISA released two industrial control system advisories on 31 March — ICSA-26-090-01 and ICSA-26-090-02 — covering critical and high-severity vulnerabilities in Rockwell Automation ControlLogix and Siemens SIMATIC S7 products. The advisories follow a pattern of stepped-up CISA ICS disclosure activity in March and arrive against a backdrop of active Iranian-affiliated targeting of operational technology environments.
German Police Physically Visit Companies to Warn of Critical PTC Windchill RCE — No Patch Available
A critical unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM — industrial PLM software used across manufacturing, aerospace, and defence — prompted German federal and state police to physically dispatch officers to affected companies on the weekend of 27 March. No patch was available at time of the emergency response. PTC has provided a temporary workaround via Apache/IIS rule modification while developing a permanent fix.
Commentary tagged #critical-infrastructure
Healthcare Ransomware Is a Structural Problem. The Gentelman Surge Is Not a Surprise.
The Gentelman ransomware surge hitting healthcare this week follows a pattern that has repeated with near-mechanical regularity for five years. The security industry has correctly diagnosed the problem: legacy infrastructure, high willingness to pay, broad RMM attack surface, and regulatory environments that prioritise availability over security. The diagnosis is correct. The treatment is not happening fast enough.
CipherWatch Editorial
Security Intelligence Platform
Ransomware in Healthcare Is a Patient Safety Crisis, Not an IT Problem
The ransomware attack on ChipSoft paralysing 80% of Dutch hospitals and the Anubis attack on Signature Healthcare this week are not data breach incidents with clinical inconvenience as a side effect. They are patient safety events. The healthcare sector's continued treatment of ransomware as a cybersecurity problem rather than a clinical risk is costing lives.
CipherWatch Editorial
Security Intelligence Platform