Here are the top IoT/OT/CPS/ICS cybersecurity developments from the past 24 hours, curated for security leaders focused on protecting connected devices and critical infrastructure. Highlights include bootloader vulnerabilities impacting millions of embedded systems, fresh CISA ICS advisories, OT remote access risks tied to ransomware, major OT security investments, and a large-scale healthcare data breach.
Critical U‑Boot Vulnerabilities Undermine Secure Boot Across Millions of Embedded and Industrial Devices (CVE-2026-46728)
Binarly researchers disclosed six critical flaws in U‑Boot, the widely used open-source bootloader for routers, cameras, BMCs, industrial gear, and other embedded IoT devices. The most severe, CVE-2026-46728 (CVSS 8.2), enables bypass of FIT signature verification, breaking secure boot; two bugs allow arbitrary code execution and four can cause denial of service, with affected code dating back to v2013.07 and impacting 50+ stable releases. Because exploitation occurs before the OS loads, persistent malware can evade detection and removal without physically reflashing storage. Operators should upgrade to U‑Boot 2026.04 or later and validate the boot chain-of-trust across device fleets.
CISA Issues New ICS Advisories Covering Schneider, Siemens, Hitachi Energy, and More
CISA’s July 9 ICS advisory round spans products from Schneider Electric, OpenPLC, Labcenter, Siemens, Hitachi Energy, and Digi International, alongside new additions to the Known Exploited Vulnerabilities catalog. The alerts affect multiple critical infrastructure sectors, including water and wastewater. Asset owners should review impacted versions, prioritize remediation, and apply compensating controls where immediate patching is not feasible.
Ransomware Actors Exploit Factory VPNs; Secomea Calls for Stronger OT Remote Access Governance
Amid a rise in publicly reported ransomware and extortion cases hitting manufacturers and industrial suppliers, Secomea warns that always‑on VPNs, shared credentials, and weak oversight are enabling lateral movement in OT environments. The company recommends just‑in‑time vendor access, approval-based workflows, least‑privilege permissions, comprehensive audit trails, and rapid isolation of affected assets. Secomea was named a Representative Vendor for CPS Secure Remote Access in the Gartner Hype Cycle for CPS Security, 2026.
Accenture Commits $4.18B to OT Security Acquisitions, Targeting Critical Infrastructure
Accenture announced $4.18 billion in investments to acquire full or partial control of three OT security specialists, marking a major bet on protecting power grids, pipelines, manufacturing facilities, and AI-centric data centers. CEO Julie Sweet stated, “We cannot have an AI revolution without critical infrastructure, and you cannot have those without OT security, which is where the world today is most vulnerable.” The move is among the largest single‑quarter OT cybersecurity investments by a major consultancy and signals accelerating market consolidation and demand.
Medtronic Notifies 3.8 Million Patients After ShinyHunters Breach of Corporate IT Systems
Medtronic disclosed that approximately 3.8 million individuals were affected after the ShinyHunters group accessed corporate IT systems and obtained personal and medical information, including Social Security numbers and health data. The incident underscores escalating risks across connected medical device ecosystems and the broader healthcare IoT supply chain. Many patients reportedly learned of the breach via media reports before receiving official notification.