Here are five IoT, OT, ICS, and CPS security updates for June 24, 2026.
CISA adds critical UniFi OS and Lantronix flaws to KEV; agencies face June 26 deadline
CISA added four critical vulnerabilities impacting Ubiquiti UniFi OS and Lantronix EDS5000 to its Known Exploited Vulnerabilities catalog, including CVE-2026-34908 and CVE-2026-34910 (both CVSS 10.0), a path traversal issue, and a code injection flaw (CVE-2025-67038). The weaknesses could enable unauthorized changes and root-level command execution, and federal agencies must remediate by June 26, 2026 under BOD 22-01.
Source: SecurityAffairs
Dragos unveils EmberAI, an OT-native AI for industrial SOCs
Dragos launched EmberAI, an OT-native AI built on the Dragos Intelligence Fabric, a large OT cybersecurity dataset. The platform is designed to bring AI-driven threat detection and response to operational technology environments, reflecting recognition that IT-focused AI tools are insufficient for OT threat landscapes.
Source: Industrial Cyber
Frontier AI compresses OT exploit timelines; Palo Alto Networks urges virtual patching
Palo Alto Networks reports that frontier AI is shrinking the interval from vulnerability disclosure to exploitation from weeks to minutes, while OT systems often cannot patch rapidly due to safety and legacy constraints. The company advocates operational risk prioritization and AI-powered virtual patching at the network layer, citing independent tests showing its Advanced Threat Prevention blocked 69% more evasive C2 traffic than competing IPS solutions.
Source: Palo Alto Networks Blog
CISA's CI Fortify reframes critical infrastructure security around resilience
CISA's CI Fortify initiative urges state and local governments to view critical infrastructure cybersecurity as an operational resilience challenge amid increasingly connected OT, where air-gapping has largely failed. It emphasizes network segmentation, manual fallback planning, and cross-functional exercises, warning that some attacks aim to render physical devices permanently unusable.
Source: StateTech Magazine
EU CRA and PLD tighten liability and security duties for IoT manufacturers
A converging EU framework affects IoT makers: the Data Act and GPSR are in force, the EU Product Liability Directive takes effect Dec. 9, 2026, and the Cyber Resilience Act begins vulnerability reporting on Sept. 11, 2026, with full compliance due by Dec. 11, 2027. CRA non-compliance can establish product defectiveness under the PLD, and manufacturers with OTA updates cannot disclaim post-sale liability for unpatched vulnerabilities. Data corruption from cyberattacks is compensable, and integrating open-source software into commercial IoT products creates strict liability for the manufacturer.
Source: Reed Smith LLP