Daily OT Security News: April 30, 2026

Today’s operational technology (OT) security landscape remains highly dynamic and challenging, with critical vulnerabilities, advanced persistent threats, and evolving attack techniques targeting IoT and OT environments. Organizations must prioritize zero trust architectures, timely patching, and comprehensive asset visibility to mitigate risks and maintain control over critical infrastructure.

Claroty Team82 Uncovers Critical RCE Vulnerabilities in EnOcean SmartServer IoT Platform

Claroty’s threat research team, Team82, has disclosed two critical vulnerabilities affecting EnOcean’s SmartServer IoT platform (versions 4.60.009 and earlier) that could allow unauthenticated remote attackers to gain full control over building management systems (BMS) and connected IoT devices. The first vulnerability, CVE-2026-20761 (CVSS 8.1), enables arbitrary command execution with root privileges via specially crafted LON IP-852 messages by exploiting improper validation of timezone strings passed to a system call. The second, CVE-2026-22885 (CVSS 3.7), leaks stack memory to bypass ASLR protections. Successful exploitation could grant attackers full root access to controllers, enabling manipulation of BMS logic and lateral movement to field devices, potentially disrupting HVAC, power, and environmental systems in manufacturing, defense, and data center facilities. EnOcean has released a patch, and users are strongly urged to update to SmartServer 4.6 Update 2 (v4.60.023) immediately.

Source: Industrial Cyber

CISA and Pentagon Release Joint Zero Trust Guidance for Operational Technology Environments

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Department of Defense, Department of Energy, FBI, and Department of State, has published a 28-page advisory titled Adapting Zero Trust Principles to Operational Technology (April 29, 2026). The guidance explicitly identifies Volt Typhoon, a Chinese state-sponsored threat actor, as actively targeting OT systems to compromise, escalate privileges, and maintain persistent access. The document aligns zero trust activities with the NIST Cybersecurity Framework and emphasizes layered security controls such as network segmentation, secure communication protocols, risk-based vulnerability management, and elimination of implicit trust in OT networks. CISA acting cyber chief Chris Butera highlighted that implementing Zero Trust architecture is critical to preventing incidents that could cause operators to lose visibility or control of essential systems.

Source: CISA / IC3.gov

CISA Flags Unpatched Data-Theft Vulnerability in NSA-Built GrassMarlin OT Network Analysis Tool

CISA issued ICS Advisory ICSA-26-118-01 for CVE-2026-6807, an XML External Entity (XXE) information-disclosure vulnerability in GrassMarlin, an OT network security tool originally developed and open-sourced by the NSA. Discovered by Dragos senior industrial pentester Grady DeRosa and confirmed by Rapid7’s Anna Quinn with a public proof-of-concept, the flaw allows a local attacker to deliver a crafted session file that leaks sensitive data from systems analyzing ICS and SCADA networks. Since GrassMarlin reached end-of-life in 2017 and its NSA GitHub repository is archived and read-only, no vendor patch will be issued. CISA recommends immediate retirement of active GrassMarlin deployments and isolation of legacy instances from live network segments. The public availability of a working exploit significantly elevates the risk beyond the CVSS 5.5 medium rating.

Source: The CyberSignal

LevelBlue SpiderLabs: Hotel IoT Smart Bikes Used as Launchpad for Admin Network Compromise and Oracle WebLogic RCE

LevelBlue SpiderLabs published research revealing how an IoT smart stationary bike in a hotel gym served as an initial access point during a penetration test, ultimately enabling remote code execution (RCE) on an Oracle WebLogic server within the property’s administrative network. The Technogym smart bike, accessible 24/7 without keycard authentication, exposed an unauthenticated web interface connected to the guest VLAN. Researchers exploited the lack of switch port security to pivot from the guest VLAN to administrative network segments, where path traversal vulnerabilities on two servers exposed sensitive file systems, including Linux passwd files. This attack mirrors tradecraft associated with the UNC3524 threat group, known for leveraging non-traditional infrastructure as persistent access points. The findings underscore the critical need for network segmentation, switch port security, and comprehensive IoT asset visibility in hospitality and enterprise environments.

Source: LevelBlue SpiderLabs

Darktrace AI Detects Mirai Botnet Infecting CCTV Camera at Canadian Logistics Firm

Darktrace published an analysis of a Mirai malware infection targeting an internet-facing DVR/CCTV camera operated by a Canadian logistics company. The Mirai botnet, first discovered in 2016, continuously scans the internet for vulnerable IoT devices to conscript them into botnets for large-scale DDoS attacks. Darktrace’s AI detected anomalous executable downloads, rare external connections, and large data transfers to an IP address in China, activity that the client had noticed only as a sluggish network. The attack lifecycle progressed through initial compromise, command-and-control communication, and DDoS participation before the camera was taken offline. This case highlights that IoT surveillance devices remain primary targets for Mirai and that AI-driven behavioral detection is essential given the absence of traditional endpoint security on such devices.

Source: Darktrace


This briefing was compiled by Viakoo on April 30, 2026.