Daily OT Security News: June 28, 2026

Today’s OT and CPS threat landscape highlights systemic exposure across building management systems, widespread compromise of perimeter security appliances, newly added KEVs targeting OT-adjacent platforms, looming EU reporting mandates, and the return of a powerful AI security model under strict controls. The common threads: internet-exposed systems, legacy components, and accelerating attacker tradecraft that now leverages both GPU-scale cracking and supply-chain reach. Security teams should prioritize rapid exposure reduction, validated patching, and governance for advanced tools.

Claroty Report: 75% of CPS Organizations Have Building Management Systems Exposed to Known Exploited Vulnerabilities

Claroty Team82’s analysis of nearly 500,000 BMS devices across more than 500 CPS organizations found that 75% are affected by CISA Known Exploited Vulnerabilities, with 69% tied to KEVs previously used in ransomware campaigns. Over half (51%) of BMS are insecurely internet-connected, while legacy OT issues persist, including unsupported Windows (XP, 7, Server 2003), weak authentication, and heavy reliance on remote access tools (55% use four or more). The report urges moving from CVSS-only programs to a Continuous Threat Exposure Management approach focused on exploitability and business risk.

Source: National Cybersecurity News / Claroty Team82

FortiBleed: 75,000 FortiGate Firewalls Systematically Compromised — Credentials Now for Sale

Researcher Kevin Beaumont reports that threat actors compromised roughly 75,000 FortiGate devices by exploiting unpatched flaws or dormant backdoor admin accounts, then exporting full configurations and cracking password hashes offline using 36 enterprise-class GPUs rented from a GenAI provider. Stolen credentials, including VPN accounts, are being sold on criminal markets; evidence indicates lateral movement into Active Directory, with telcos and MSPs targeted for cascading access to customer networks. CISA is urging immediate hardening of internet-facing FortiGate appliances.

Source: DoublePulsar / Kevin Beaumont

CISA Adds Cisco Unified Communications and PTC Windchill Flaws to KEV Catalog with June 28 Deadline

CISA added two critical bugs to the KEV catalog with an urgent June 28, 2026 remediation deadline: CVE-2026-20230, an unauthenticated SSRF in Cisco Unified Communications Manager exposed via crafted HTTP, and CVE-2026-12569, a deserialization-driven RCE affecting PTC Windchill and FlexPLM (versions up to 11.0 and multiple 11.1–13.0 branches). These vulnerabilities sit adjacent to OT environments and core supply-chain systems, presenting high-value pivot points if left unpatched. Organizations should prioritize isolation, patching, and compensating controls where immediate remediation is not feasible.

Source: Security Boulevard / CISO Whisperer

EU Cyber Resilience Act Mandatory IoT/OT Reporting Deadline Less Than 100 Days Away

The CRA’s Article 14 incident and vulnerability reporting obligations take effect on September 11, 2026, requiring manufacturers of connected products sold in the EU to notify ENISA and national CSIRTs within 24 hours of discovering active exploitation, with follow-up reports due at 72 hours and 14 days. The scope spans consumer IoT, ICS/OT equipment, routers, firewalls, and supply chain platforms, with penalties up to €15 million or 2.5% of global turnover for non-compliance. Vendors and integrators should map product portfolios, define reporting playbooks, and align incident response and PSIRT workflows now.

Source: Crowell & Moring LLP

Anthropic’s Claude Mythos 5 AI Cybersecurity Model Cleared for Redeployment to U.S. Critical Infrastructure

Following a government-led review, Anthropic will redeploy Claude Mythos 5 to vetted defenders in sectors including energy, healthcare, finance, and telecom after a June 12 suspension over dual-use risks. The model reportedly achieved a 72% first-attempt exploit-generation success rate and surfaced thousands of high-severity flaws, prompting strict access gating and governance expectations. Security leaders should formalize policies for high-capability AI tools, ensure human-in-the-loop oversight, and plan for continuity in case of future access disruptions.

Source: Security Boulevard / CISO Whisperer

As attackers scale automation and target exposed OT-adjacent systems, reduce internet-facing risk, enforce strong authentication, and validate patching against KEVs. Maintain readiness for regulatory deadlines and build governance for advanced AI tooling to stay resilient against fast-evolving threats.

Share this