Daily OT Security News: April 25, 2026

Today’s OT security briefing highlights significant developments in IoT and industrial cybersecurity, including large-scale botnet campaigns, persistent backdoors in critical infrastructure devices, and newly discovered hardware vulnerabilities. Additionally, expert analysis challenges sensational OT malware reports, emphasizing the need for careful technical evaluation. Finally, a critical cloud platform vulnerability affecting IoT management underscores the ongoing risks in connected environments.


Chinese State-Linked Groups Build Massive IoT and SOHO Botnets

A joint advisory from ten nations, including the NSA and Five Eyes partners, warns that Chinese state-sponsored groups are compromising IoT and SOHO devices to create large covert botnets. Devices such as smart TVs, cameras, DVRs, and routers are targeted, with the Raptor Train botnet reportedly controlling over 200,000 devices. These botnets facilitate DDoS attacks, malware deployment, and data theft while obscuring attacker locations. The advisory urges organizations to apply patches, enforce strong credentials, and monitor indicators of compromise.



FIRESTARTER Backdoor Persists on Federal Cisco Firepower Devices

CISA and the UK NCSC disclosed that a federal civilian agency’s Cisco Firepower ASA device was compromised with the FIRESTARTER backdoor exploiting critical vulnerabilities CVE-2025-20333 and CVE-2025-20362. The malware persists through firmware updates and reboots by altering the startup mount list, evading standard remediation. Post-exploitation capabilities include command execution, packet capture, VPN AAA bypass, and syslog suppression. An emergency directive mandates federal agencies to verify removal, with only a hard power cycle proven effective.



Kaspersky ICS CERT Identifies Critical BootROM Flaw in Qualcomm Snapdragon

Kaspersky ICS CERT revealed CVE-2026-25262, a hardware-level vulnerability in Qualcomm Snapdragon chipsets affecting a wide range of consumer and industrial devices. The flaw exists in the Sahara protocol used during Emergency Download Mode, allowing attackers with brief physical access to bypass secure boot and implant persistent backdoors. Impacted chipsets include MDM9x07, MSM8916, and others commonly found in smartphones and automotive components. The vulnerability raises significant supply chain security concerns and was presented at Black Hat Asia 2026.



Nozomi Networks Finds ZionSiphon OT Malware Non-Functional

Nozomi Networks Labs analyzed the ZionSiphon malware, which had been reported as targeting water treatment and desalination facilities. Their technical assessment concluded that ZionSiphon is a non-functional proof-of-concept with fabricated configuration paths, flawed geofencing logic, and inconsistent obfuscation. The malware’s Modbus interactions lack facility-specific register mappings, and physical safety controls would mitigate any potential impact. This case highlights the importance of rigorous technical scrutiny in evaluating OT threat claims.



Microsoft Patches Critical Privilege Escalation in Azure IoT Central

Microsoft addressed CVE-2026-21515, a critical vulnerability in Azure IoT Central that permits authorized attackers to escalate privileges via sensitive information exposure. The flaw affects the cloud-based IoT management platform widely used by enterprises to monitor and control IoT deployments. Classified with a CVSS score of 9.9, the vulnerability has a network attack vector and low complexity, posing high risks to confidentiality, integrity, and availability. Users are advised to apply the latest security updates promptly.
