Daily OT Security News: April 21, 2026

Welcome to the Daily OT Security News for April 21, 2026. Today’s briefing highlights critical developments across operational technology and industrial cybersecurity, including emerging malware threats targeting water infrastructure, newly disclosed vulnerabilities in legacy-to-IP bridging devices, urgent patch directives from CISA, ransomware group alliances expanding industrial-scale attacks, and a landmark acquisition shaping unified IoT/OT security platforms. Stay informed on the frontlines of protecting critical infrastructure and connected environments.

ZionSiphon Malware Targets Water Infrastructure OT Systems

Darktrace researchers have uncovered ZionSiphon, a novel malware strain designed to disrupt operational technology systems within Israel’s water sector. This malware uniquely combines traditional IT infection tactics with industrial protocol targeting—such as Modbus, DNP3, and S7comm—to manipulate chlorine dosing and pressure controls in water treatment facilities. Although a logic flaw currently limits its immediate impact, ZionSiphon’s design underscores the growing adversarial focus on causing physical disruption to critical water infrastructure.

Source: Infosecurity Magazine

Forescout BRIDGE:BREAK Research Uncovers 22 New Vulnerabilities in Serial-to-IP Converters

Forescout’s Vedere Labs released the BRIDGE:BREAK report revealing 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex, devices extensively used to connect legacy serial equipment to IP networks in utilities, manufacturing, and healthcare sectors. These flaws enable remote code execution, device takeover, firmware tampering, denial of service, and manipulation of sensor data, with many devices found exposed online via Shodan scans—amplifying risks of lateral intrusion into OT environments.

Source: Business Wire / Forescout

CISA Adds 8 Actively Exploited Vulnerabilities to KEV Catalog, Including Three Cisco SD-WAN Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog with eight actively exploited flaws, notably three in Cisco Catalyst SD-WAN Manager. Federal agencies must remediate these Cisco vulnerabilities by April 23, 2026, reflecting the urgent threat landscape. Additional catalog additions comprise critical vulnerabilities in PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE, and Zimbra Collaboration Suite.

Source: The Hacker News

Vect Ransomware Group Formalizes Alliance with BreachForums and TeamPCP to Scale Industrial RaaS Operations

Researchers report that the Vect ransomware group has established a formal partnership with the BreachForums marketplace and TeamPCP hacking group, creating a highly industrialized ransomware-as-a-service model. Vect’s C++ ransomware targets multiple platforms using ChaCha20-Poly1305 encryption, while TeamPCP supplies compromised CI/CD pipeline access, facilitating deep enterprise and OT supply chain attacks. This alliance opens ransomware operations to BreachForums’ vast user base, lowering barriers for attacks against critical infrastructure.

Source: Industrial Cyber

ServiceNow Completes $2.85B Acquisition of Armis, Creating Unified IoT/OT Security and Workflow Platform

ServiceNow has finalized its $2.85 billion acquisition of Armis, integrating Armis Centrix™ into its AI Platform to deliver a unified security exposure management and operations stack. This strategic move combines Armis’ expertise in IT, OT, IoT, and medical device security with ServiceNow’s automation workflows, addressing the critical gap between threat visibility and automated remediation. The acquisition signals a major consolidation in the IoT/OT security market and rising demand for integrated asset intelligence.

Source: Armis

Thank you for reading today’s briefing. As threats continue to evolve rapidly in OT and connected environments, we encourage all professionals to remain vigilant, prioritize timely patching, and maintain robust defense strategies to safeguard critical infrastructure.
