Daily OT Security News: April 23, 2026

Welcome to today’s briefing on operational technology (OT) security developments. This edition covers critical vulnerabilities, emerging botnet threats, coordinated advisories, and strategic guidance from leading cybersecurity agencies. Stay informed on the latest risks and mitigation strategies affecting industrial control systems, IoT devices, and critical infrastructure worldwide.

BRIDGE:BREAK: Forescout Uncovers 22 Vulnerabilities in OT Serial-to-IP Converters

Forescout Technologies has revealed 22 previously unknown vulnerabilities in serial-to-IP converters from Lantronix and Silex Technology, devices that connect legacy OT equipment to modern IP networks. These flaws allow remote code execution, authentication bypass, firmware tampering, denial-of-service, and manipulation of sensor data, exposing thousands of devices online. Notably, such converters have been weaponized in past infrastructure attacks, including incidents in Ukraine (2015) and Poland (2025). Security teams are urged to apply firmware updates, enforce network segmentation, and enhance monitoring of these often-overlooked bridge devices.

Source: Industrial Cyber

Five Eyes + Six Nations Warn of Chinese IoT Botnets Used to Evade Detection

The UK’s National Cyber Security Centre, alongside agencies from the US, Australia, Canada, Germany, Japan, and others, issued a joint advisory about China-linked threat actors building massive proxy networks from hijacked consumer IoT devices. These botnets, including Raptor Train and KV-Botnet, leverage over 260,000 compromised routers, cameras, and NAS devices to mask espionage and intrusion campaigns targeting Western organizations. Traditional IP blocklists are ineffective due to the botnets’ dynamic node rotation. Organizations are advised to implement multi-factor authentication, comprehensive network mapping, dynamic threat feeds, and zero-trust security models.

Source: BleepingComputer

Mirai Botnet Actively Exploiting CVE-2025-29635 in End-of-Life D-Link Routers

Akamai’s Security Intelligence and Response Team has observed active exploitation of a command injection vulnerability (CVE-2025-29635) in discontinued D-Link DIR-823X routers. Attackers exploit this flaw via crafted POST requests to achieve remote code execution and deploy a Mirai variant called “tuxnokill.” The campaign also chains other vulnerabilities affecting TP-Link and ZTE devices. Despite ongoing attacks, this vulnerability is not yet listed in CISA’s Known Exploited Vulnerabilities catalogue. Security teams should prioritize retiring end-of-life devices, monitoring unusual outbound traffic, and promptly applying patches, especially for IoT and edge infrastructure.

Source: Security Affairs

CISA and CERT-Bund Issue Coordinated Advisories on Actively Exploited Apache ActiveMQ Flaws

CISA and Germany’s CERT-Bund have jointly released advisories on multiple actively exploited vulnerabilities in Apache ActiveMQ, a critical message broker used in industrial and enterprise environments. CVE-2026-34197, rated CVSS 8.8, enables authenticated attackers to execute arbitrary code via the Jolokia JMX-HTTP bridge. Affected versions include Apache ActiveMQ prior to 5.19.4 and 6.0.0 before 6.2.3. Federal agencies must remediate under BOD 22-01, underscoring a broad attack campaign targeting message broker infrastructure across IT and OT-adjacent systems.

Source: GovPing / CISA
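A fleet triage check against the affected version ranges stated in the ActiveMQ item above, written as an added example (not code from CISA, CERT-Bund or the Apache project). The hostnames in the inventory are constructed, and the ranges are taken as the briefing words them; confirm them against the vendor advisory before acting on the result.

```python
from typing import Dict, List, Tuple

# Affected ranges for CVE-2026-34197 as stated in this briefing:
# (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 19, 4)),   # "prior to 5.19.4"
    ((6, 0, 0), (6, 2, 3)),    # "6.0.0 before 6.2.3"
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.18.3' (or '5.18.3-SNAPSHOT') into a comparable tuple."""
    core = text.strip().split("-", 1)[0]          # drop build suffixes
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                         # pad '5.19' -> (5, 19, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames running an affected ActiveMQ build, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts), not real systems.
SAMPLE_INVENTORY = {
    "mq-plant-a": "5.18.3",          # affected: below 5.19.4
    "mq-plant-b": "5.19.4",          # fixed release
    "mq-hist-01": "6.1.2",           # affected: 6.0.0 <= v < 6.2.3
    "mq-hist-02": "6.2.3",           # fixed release
    "mq-lab": "6.3.0-SNAPSHOT",      # later branch, not in range
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: ActiveMQ {SAMPLE_INVENTORY[host]} is in an affected range")
```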

UK NCSC Warns of ‘Severe Cyber Threat’ Gap as AI Accelerates Disruptive Attacks on Critical Infrastructure

The UK National Cyber Security Centre has issued guidance highlighting a growing gap between escalating cyber threats and national resilience capabilities. Adversaries are increasingly leveraging advanced AI tools to conduct disruptive attacks against critical infrastructure and essential services. The NCSC frames cyber risk as a core business continuity and national security issue, urging leadership to invest in OT network segmentation, isolation protocols, and system rebuild rehearsals. With over 204 nationally significant cyber incidents recorded in the year to September 2025, more than double the previous year, proactive resilience measures are critical.

Source: Industrial Cyber / NCSC

Disclaimer: This briefing aggregates information from publicly available sources for informational purposes only. Readers should verify details independently before taking action.