Daily OT Security News: July 02, 2026

Today’s OT/ICS threat landscape features two actively exploited vulnerabilities targeting widely deployed engineering and serial-to-IP platforms, alongside critical advisories for digital signage controllers and EV charging management systems. While Rockwell Automation has shipped broad patches across controllers and software, exploitation pressure on internet-exposed and poorly segmented assets remains high. Operators should prioritize KEV-listed issues, harden remote management paths, and validate monitoring for post-exploitation persistence.

PTC Windchill/FlexPLM RCE Exploited; Webshells Observed, CISA Adds to KEV

CVE-2026-12569 allows unauthenticated remote code execution in PTC Windchill and FlexPLM via improper input validation, with attackers deploying persistent JSP webshells for command execution and data exfiltration. CISA added the flaw to the KEV catalog on June 26 with a June 28 remediation deadline; PTC released indicators of compromise and warned of heightened activity, while German police reportedly alerted firms to imminent attacks. This marks the first PTC product inclusion in the KEV, underscoring risk to automotive, aerospace, defense, and heavy machinery PLM environments.

Source: SecurityWeek

Lantronix EDS5000 Command Injection Actively Exploited, Enables Root RCE

CVE-2025-67038 in Lantronix EDS5000 device servers enables unauthenticated OS command injection via a username parameter, executing with root privileges. The issue, part of Forescout’s BRIDGE:BREAK set, has been added to CISA’s KEV (June 23; deadline June 26) amid thousands of internet-exposed devices—many in the U.S.—and could enable sensor manipulation, malware deployment, or data exfiltration across industrial and healthcare networks. Immediate isolation and patching are advised for serial-to-IP gateways exposed to untrusted networks.

Source: SecurityWeek

CISA Warns on Daktronics Controller Flaws Allowing Root FS Access and Code Execution

CISA detailed three vulnerabilities in Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 firmware: CVE-2026-28701 path traversal enabling unauthenticated root-level filesystem access (CVSS 9.3), CVE-2026-33560 unrestricted file upload to run arbitrary binaries (CVSS 8.4), and CVE-2026-31928 hard-coded credentials granting full system access (CVSS 9.3). Affected systems power highway signs, billboards, and scoreboards across multiple sectors. Daktronics advises updating to v8.117.x.x, v9.43.x.x, or v10.34.x.x and changing default passwords.

Source: CISA

Critical EVoke CSMS Flaws Enable Station Impersonation and Session Hijacking

CISA disclosed critical issues (CVSS 9.4) in EVoke Systems’ Charging Station Management System: CVE-2026-40702 (missing WebSocket authentication enabling station impersonation and privilege escalation), CVE-2026-50176 (no rate limiting enabling DoS/brute-force), and CVE-2026-54479 (predictable session IDs allowing session hijacking). Successful exploitation can grant unauthorized administrative control over EV charging stations or disrupt charging services. EVoke is working with OEMs to migrate to OCPP Security Profiles 2/3 to harden communications.

Source: CISA

Rockwell Automation Ships Patches Across Controllers and Software; No Exploitation Reported

Rockwell patched multiple high/critical flaws, including authentication bypass and DoS in FactoryTalk Historian, improper API authorization in FactoryTalk Analytics PavilionX enabling unauthorized admin actions, DoS causing non-recoverable faults in CompactLogix/ControlLogix/GuardLogix controllers, DoS and unauthenticated web interface password changes in Flex I/O Ethernet/IP adapters, and a DoS in RSLinx via a third-party component. CISA issued corresponding advisories, and no active exploitation has been reported. Asset owners should prioritize updates and validate controller availability post-patch.

Source: SecurityWeek

Recommended actions: patch KEV-listed PTC and Lantronix assets immediately; hunt for JSP webshells and unusual PLM activity; isolate or remove internet exposure for serial-to-IP gateways; apply Daktronics firmware updates and rotate/remove default credentials; harden EV charging backends with OCPP Security Profiles 2/3, rate limiting, and strong session management; and deploy Rockwell updates with maintenance windows and failover plans. Enforce network segmentation, least-privilege access, multi-factor authentication on admin interfaces, and continuous monitoring for anomalous controller behavior and outbound data flows.
