Today’s OT security landscape remains highly active, with coordinated campaigns and federal mandates reshaping how operators must prioritize visibility and rapid response. Threat actors continue to weaponize both legacy device weaknesses and supply-chain access, while regulators tighten requirements for OT/IoT telemetry and risk-based remediation.
CISA Issues Six ICS Advisories Including Critical Gardyn IoT Hub Flaws (CVSS 10.0)
On July 2, 2026, CISA published six ICS advisories that span multiple critical infrastructure sectors, highlighting a mix of high- and critical-severity flaws in widely deployed OT and IoT products. The most severe advisory (ICSA-26-183-03) affects the Gardyn IoT Hub, where three vulnerabilities — including CVE-2026-13768 (CVSS 10.0) — expose hard-coded credentials that permit unauthenticated attackers to invoke IoTHub Registry Manager functions, enumerate connection data for all managed devices, and execute arbitrary commands on connected systems. A separate advisory (ICSA-26-183-01) targets ST Engineering iDirect iQ-Series satellite terminals, disclosing an unauthenticated REST API that leaks authentication keys (CVE-2026-38059, CVSS 8.7) and a CSRF weakness that can force reboots (CVE-2026-38057), potentially causing denial-of-service in critical comms links. Additional advisories cover Mitsubishi Electric CNC Series, CubeSpace reaction wheels, and WHILL electric wheelchairs; Gardyn has implemented infrastructure-level mitigations and users should ensure devices can receive automatic firmware updates, while ST Engineering iDirect recommends upgrading to firmware 4.5.2.2 and isolating vulnerable devices until patched.
Source: CISA ICS Advisory ICSA-26-183-03 – Gardyn IoT Hub
FortiBleed Campaign Linked to INC and Lynx Ransomware; 430,000 FortiGate Firewalls Targeted
Investigations by SOCRadar link the FortiBleed credential-theft campaign to affiliates of the INC and Lynx ransomware operations, exposing a large-scale supply-side compromise of network security appliances. Attackers deployed a bespoke ‘FortiGate Sniffer’ packet-capture tool on compromised FortiGate firewalls to harvest VPN credentials directly from traffic, targeting more than 430,000 FortiGate instances and installing sniffers on approximately 19,000 devices. Researchers documented over 500 command-and-control/operational servers, evidence that FortiBleed victims overlap with INC leak victims, and a persistent backdoor account with the username ‘adminin’; operators also leveraged an undisclosed Nextcloud zero-day to move laterally post-compromise. Organizations running FortiGate appliances should immediately audit for unauthorized accounts such as ‘adminin’, review VPN session logs for anomalous credential use, and apply all vendor patches and recommended hardening controls without delay.
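The audit step above, as an added example that is not code from the page or from Fortinet: it parses the `config system admin` block of a FortiOS-style configuration export and flags any administrator account absent from an approved allowlist. The sample configuration and the allowlist are constructed for illustration; the 'adminin' entry mirrors the backdoor username named in the reporting.

```python
"""Flag administrator accounts in a FortiOS-style config export that are not
on an approved allowlist. Added example; sample config and allowlist are constructed."""
import re

# Constructed sample of the `config system admin` block from a config backup.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "noc-readonly"
        set accprofile "read-only"
        set vdom "root"
    next
end
"""

# Assumed allowlist, maintained outside the device so a compromised box cannot edit it.
APPROVED_ADMINS = {"admin", "noc-readonly"}


def parse_admins(config_text):
    """Return {username: accprofile} for every `edit` entry inside `config system admin`."""
    admins = {}
    block = re.search(r"config system admin\n(.*?)\nend", config_text, re.S)
    if not block:
        return admins
    for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1), re.S):
        prof = re.search(r'set accprofile "([^"]+)"', body)
        admins[name] = prof.group(1) if prof else None
    return admins


def unauthorized_admins(config_text, approved=APPROVED_ADMINS):
    """Sorted list of (username, accprofile) for accounts missing from the allowlist."""
    return sorted((n, p) for n, p in parse_admins(config_text).items() if n not in approved)


if __name__ == "__main__":
    for name, profile in unauthorized_admins(SAMPLE_CONFIG):
        print(f"UNAUTHORIZED admin account {name!r} with profile {profile!r}")
```

Run it against the output of `show system admin` from each appliance; a super_admin profile on an unlisted account deserves an incident ticket, not a quiet deletion.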
Source: Telefónica Tech Cybersecurity Weekly Briefing, July 3, 2026
LSHIY Campaign Exploits Default IoT Credentials in Large-Scale Microsoft 365 Password Spray
Security teams have observed the LSHIY campaign leveraging factory-default credentials on unmanaged home routers and IoT devices to seed a distributed proxy network for large-scale Microsoft 365 password spray attacks. The adversary’s infrastructure of residential proxies masks origin traffic while applying low-frequency, per-account attempts to evade lockout thresholds and SIEM detection, and it abuses legacy Basic Authentication and the Device Code OAuth flow that remain active in many tenant configurations. Affected verticals include manufacturing, legal services, and education, illustrating how insecure edge devices can enable broader identity compromise across IT/OT-converged environments. Recommended mitigations are to disable legacy authentication channels, enforce phishing-resistant MFA, audit and restrict Device Code Flow usage, and ensure all routers and IoT devices have non-default credentials from initial deployment.
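A detection for the low-and-slow pattern described above, as an added example that is not code from the page or from any vendor: it buckets failed sign-ins into fixed windows and flags a window where many distinct accounts each fail only once or twice from many source IPs, and reports what share of those attempts arrived over legacy or device-code authentication. The CSV log format, field names, legacy-app labels and thresholds are assumptions; map your own sign-in export onto them.

```python
"""Flag windows of failed sign-ins that look like a distributed password spray.
Added example; the log lines below are constructed, not real tenant data."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sign-in export: timestamp,user,src_ip,result,client_app
SAMPLE_LOG = """\
timestamp,user,src_ip,result,client_app
2026-07-01T08:00:05Z,alice@example.com,203.0.113.10,failure,Authenticated SMTP
2026-07-01T08:03:11Z,bob@example.com,198.51.100.7,failure,Device Code
2026-07-01T08:06:40Z,carol@example.com,203.0.113.22,failure,Authenticated SMTP
2026-07-01T08:09:02Z,dave@example.com,192.0.2.45,failure,Device Code
2026-07-01T08:12:37Z,erin@example.com,198.51.100.33,failure,IMAP4
2026-07-01T08:15:50Z,frank@example.com,203.0.113.10,failure,Authenticated SMTP
2026-07-01T08:20:00Z,alice@example.com,203.0.113.10,success,Browser
2026-07-01T08:21:15Z,grace@example.com,192.0.2.99,failure,Device Code
"""

# Assumed client_app labels for the legacy and device-code paths the campaign abuses.
LEGACY_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Device Code"}


def detect_spray(log_text, window_minutes=60, min_accounts=5, max_per_account=2, min_ips=3):
    """Return one finding per window that trips all thresholds: many accounts,
    few failures per account (below lockout), and many source IPs (proxy network)."""
    windows = defaultdict(list)
    for r in csv.DictReader(io.StringIO(log_text)):
        if r["result"] != "failure":
            continue  # the spray signal lives in the failures
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        windows[int(ts.timestamp()) // (window_minutes * 60)].append(r)
    findings = []
    for bucket, rows in sorted(windows.items()):
        per_account = Counter(r["user"] for r in rows)
        ips = {r["src_ip"] for r in rows}
        legacy = sum(1 for r in rows if r["client_app"] in LEGACY_APPS)
        if (len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account
                and len(ips) >= min_ips):
            start = datetime.fromtimestamp(bucket * window_minutes * 60, timezone.utc)
            findings.append({"window_start": start.isoformat(), "accounts": len(per_account),
                             "source_ips": len(ips), "legacy_auth_share": round(legacy / len(rows), 2)})
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print("possible password spray:", f)
```

A high legacy_auth_share in a flagged window is the cue to disable Basic Authentication and restrict Device Code Flow in the tenant, not just to block the source IPs, which a residential proxy pool rotates at will.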
Source: Telefónica Tech Cybersecurity Weekly Briefing, July 3, 2026
Qilin Ransomware Leads Q1 2026 OT Threat Landscape with 1,500+ Claimed Incidents
TXOne Networks’ Q1 2026 analysis identifies Qilin ransomware as the predominant threat to OT-reliant sectors, with more than 1,500 incidents claimed globally across 2025–Q1 2026. Qilin campaigns commonly exploit edge and network device vulnerabilities — including Fortinet flaws (CVE-2024-21762 and CVE-2024-55591) — to establish initial footholds, then employ Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint detection and response before deploying AES-256 encrypted payloads. The group has repeatedly targeted manufacturing, automotive, energy, and healthcare environments, where ransomware in IT segments can rapidly propagate into operational systems and disrupt processes; notable victims include IntraCare, Hazeldenes, and the Los Angeles Metro. Defenders should prioritize OT-specific endpoint protections, strict network segmentation between IT and OT, and behavioral anomaly detection that can identify lateral movement and tampering with EDR controls.
Source: TXOne Networks – Inside Q1 2026 Ransomware: What OT Environments Must Do Now
OMB M-26-14 and CISA BOD 26-04 Mandate OT/IoT Asset Visibility for Federal Agencies
Two federal directives — OMB M-26-14 and CISA Binding Operational Directive 26-04 — have codified OT and IoT assets into baseline cybersecurity requirements for civilian agencies, raising the operational bar for telemetry, inventory, and remediation. M-26-14 replaces the earlier M-21-31 logging mandate and requires continuous event monitoring and active threat-hunting capabilities that explicitly include devices which lack native logging functions, while BOD 26-04 supersedes KEV-based BOD 22-01 by introducing a four-variable risk-scoring model (asset exposure, KEV status, exploit automation, and technical impact) to prioritize fixes instead of fixed CVSS deadlines. Agencies and vendors must achieve full compliance by December 2026, driven in part by AI-accelerated attack timelines that shrink the window between disclosure and exploitation to hours. The practical implications require complete asset inventories, generation of security telemetry for OT/IoT, and adoption of risk-based, timely remediation workflows across IT/OT environments.
Source: Nozomi Networks – How to Meet OMB M-26-14 and CISA BOD 26-04 Requirements
Action required: security teams should immediately validate asset inventories, apply vendor patches, audit for unauthorized accounts and anomalous sessions, and ensure OT/IoT telemetry is forwarded to centralized monitoring for threat hunting. Coordinate with vendors and incident response partners to test segmentation and recovery plans, and prioritize controls that reduce identity and network-based attack surfaces across converged IT/OT environments.