
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers

Tags: industrial-control-system-vulnerability, embedded-device-vulnerability, open-source-dependency-vulnerability, proof-of-concept-release, internet-facing-service-vulnerability
Updated March 21, 2026 at 02:41 PM · 11 sources

Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling unauthenticated remote compromise. Johnson Controls disclosed CVE-2025-26385 (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including ADS/ADX, LCS8500, NAE8500, SCT, CCT) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include CVE-2026-25069 in SunFounder Pironman Dashboard (path traversal in log API endpoints enabling arbitrary file read/deletion) and CVE-2025-51958 in the DokuWiki runcommand plugin (unauthenticated command execution via lib/plugins/runcommand/postaction.php).
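The Pironman Dashboard item above is a path traversal in log-file API endpoints. The following is an added example, not code from SunFounder or from any product on this page: it shows the check such an endpoint needs so that a client-supplied log name cannot resolve outside the log directory, including the symlink case that a string-only check misses. The function names, the directory layout and the file names are constructed for the demo.

```python
"""Defensive path handling for a log-file read/delete API endpoint (added example)."""
from __future__ import annotations

import tempfile
from pathlib import Path, PurePosixPath


class LogPathError(ValueError):
    """Raised when a requested log name would resolve outside the log directory."""


def resolve_log_path(log_dir: str, requested: str) -> Path:
    """Map a client-supplied log name to a path strictly inside log_dir.

    Two layers: first reject anything that is not a single bare file name,
    then re-check the fully resolved path so that symlinks inside the log
    directory (or unusual separators) cannot slip past the string check.
    """
    base = Path(log_dir).resolve()
    # Bare file name only: exactly one path component, not '', '.' or '..',
    # not absolute, and no characters that are separators on other platforms.
    parts = PurePosixPath(requested).parts
    if (
        len(parts) != 1
        or parts[0] in ("", ".", "..")
        or PurePosixPath(requested).is_absolute()
        or "\\" in requested
        or "\x00" in requested
    ):
        raise LogPathError(f"rejected log name: {requested!r}")
    candidate = (base / parts[0]).resolve()
    # Post-resolution check: the file's parent must be the log directory itself.
    # A symlink in log_dir pointing elsewhere resolves to a different parent.
    if candidate.parent != base:
        raise LogPathError(f"rejected log name: {requested!r}")
    return candidate


def read_log(log_dir: str, requested: str) -> str:
    """Read endpoint: only ever opens a path returned by resolve_log_path."""
    return resolve_log_path(log_dir, requested).read_text()


def delete_log(log_dir: str, requested: str) -> None:
    """Delete endpoint: same resolver, so deletion is confined to log_dir too."""
    resolve_log_path(log_dir, requested).unlink()


def demo() -> dict[str, str]:
    """Exercise the check against a constructed temporary log directory."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp) / "logs"
        log_dir.mkdir()
        (log_dir / "dashboard.log").write_text("constructed log line\n")
        (Path(tmp) / "secret.txt").write_text("outside the log dir\n")
        # A symlink inside the log directory that points outside it.
        (log_dir / "escape.log").symlink_to(Path(tmp) / "secret.txt")
        results: dict[str, str] = {}
        for name in ("dashboard.log", "../secret.txt", "escape.log", "/etc/hostname", ""):
            try:
                results[name] = read_log(str(log_dir), name).strip()
            except LogPathError:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:20} -> {outcome}")
```

Decode any URL encoding before this check runs, validate once, and compare resolved paths rather than substrings; the `candidate.parent != base` comparison is what catches a symlink planted in the log directory.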

Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. Orval fixed CVE-2026-25141, a code-injection issue where incomplete escaping can be bypassed using JSFuck-style payloads, and Cybersecurity AI (CAI) addressed CVE-2026-25130, where subprocess.Popen(..., shell=True) enables argument/command injection leading to RCE (notably via the find_file() tool). Data-layer issues include CVE-2025-69662 in geopandas (to_postgis() SQL injection) and CVE-2026-24854 in ChurchCRM (authenticated SQL injection via PerID in /PaddleNumEditor.php, patched in 6.7.2), while CVE-2025-36384 affects IBM Db2 for Windows (local privilege escalation via unquoted search path). SOHO router flaws CVE-2026-1686 (Totolink A3600R) and CVE-2026-1637 (Tenda AC21) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
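The CAI item describes `subprocess.Popen(..., shell=True)` turning tool arguments into shell commands. The following is an added example, not code from the Cybersecurity AI project: it contrasts the shell-string pattern the advisory describes with an argv list handed straight to the program, and adds the two guards that an argv list alone does not give for `find` (newline/NUL rejection and a root that cannot be parsed as a `find` option). The function names and sample inputs are constructed.

```python
"""Command construction for a file-search tool: shell string vs. argv list (added example)."""
from __future__ import annotations

import os
import subprocess
import tempfile
from pathlib import Path

# Characters that change meaning once a shell re-parses a command string.
SHELL_METACHARS = set(";|&$`<>(){}\n")


def vulnerable_find_command(root: str, pattern: str) -> str:
    """The risky pattern: interpolate untrusted text into one shell string.

    Run with shell=True, the shell re-parses this string, so metacharacters in
    `pattern` start new commands instead of being part of the -name argument.
    Shown only to make the difference from safe_find_argv concrete.
    """
    return f"find {root} -name {pattern}"


def safe_find_argv(root: str, pattern: str) -> list[str]:
    """Build an argv list; no shell ever parses these strings.

    - A NUL byte cannot appear in an argument at all, and a newline is never
      a legitimate search pattern, so both are rejected up front.
    - `find` treats a leading '-' as the start of an expression, so a caller
      supplied root of '-delete' would be parsed as an action, not a path.
      Making the root absolute guarantees it starts with '/'.
    """
    if "\x00" in pattern or "\n" in pattern:
        raise ValueError("invalid characters in search pattern")
    root = os.path.abspath(root)
    return ["find", root, "-name", pattern]


def run_find(root: str, pattern: str) -> list[str]:
    """Run the search without a shell and return the matching paths."""
    proc = subprocess.run(
        safe_find_argv(root, pattern), capture_output=True, text=True, check=False
    )
    return proc.stdout.splitlines()


def looks_like_injection(value: str) -> bool:
    """Detection-side helper: flag tool inputs carrying shell metacharacters for review."""
    return any(ch in SHELL_METACHARS for ch in value)


if __name__ == "__main__":
    hostile = "*.log; echo injected"  # constructed sample input
    print("shell string :", vulnerable_find_command("/srv/data", hostile))
    print("argv list    :", safe_find_argv("/srv/data", hostile))
    print("flagged      :", looks_like_injection(hostile))
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "a.log").write_text("")
        (Path(tmp) / "b.txt").write_text("")
        print("matches      :", run_find(tmp, "*.log"))
```

The point of the argv form is that `*.log; echo injected` reaches `find` as one literal pattern; the same string in the shell form is split at `;` by the shell before `find` ever runs.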

Timeline

  1. Feb 1, 2026

    CISA issues advisory for critical Johnson Controls ICS SQL injection flaw

    On 2026-02-01, reporting said CISA had issued a critical advisory for CVE-2025-26385, a CVSS 10.0 SQL injection vulnerability affecting multiple Johnson Controls industrial control system products. CISA recommended network isolation, firewalling, and use of patched VPNs for any remote access.

  2. Feb 1, 2026

    SunFounder Pironman Dashboard path traversal CVE received

    On 2026-02-01, disclosure@vulncheck.com received CVE-2026-25069 for a path traversal flaw in SunFounder Pironman Dashboard 1.3.13 and earlier. The issue allows unauthenticated remote attackers to read or delete arbitrary files through log file API endpoints.

  3. Jan 30, 2026

    Totolink A3600R buffer overflow disclosed with public proof of concept

    By 2026-01-30, CVE-2026-1686 documented a remotely exploitable buffer overflow in the Totolink A3600R router's setAppEasyWizardConfig function in app.so. The disclosure referenced a public exploit and proof of concept, increasing the likelihood of real-world abuse.

  4. Jan 30, 2026

    Cybersecurity AI fixes argument injection leading to host command execution

    A fix for CVE-2026-25130 was identified in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde, addressing argument-injection flaws in Cybersecurity AI up to version 0.5.10. The vulnerabilities allowed arbitrary command execution, including through the pre-approved find_file() agent tool.

  5. Jan 30, 2026

    Orval releases fixes for code injection bypass in 7.21.0 and 8.2.0

    Orval addressed CVE-2026-25141, a code injection vulnerability caused by incomplete prior escaping logic, in versions 7.21.0 and 8.2.0. The issue allowed arbitrary JavaScript execution via crafted x-enum-descriptions using a JSFuck-style technique.

  6. Jan 30, 2026

    IBM Db2 Windows privilege escalation CVE updated by IBM PSIRT

    On 2026-01-30, CVE-2025-36384 was updated with CVSS v3.1 scoring, CWE-428 mapping, and an IBM PSIRT reference for a local privilege escalation issue in IBM Db2 for Windows 12.1.0 through 12.1.3. The flaw stems from an unquoted search path element and requires filesystem access.

  7. Jan 30, 2026

    DokuWiki runcommand plugin RCE CVE published with references and scoring

    On 2026-01-30, CVE-2025-51958 was documented and updated for an unauthenticated remote command execution flaw in the aelsantex runcommand plugin for DokuWiki. The update added references, a CVSS v3.1 vector, and CWE-78 classification.

  8. Jan 30, 2026

    MediaWiki DiscussionTools EL injection/ReDoS issue documented

    On 2026-01-30, the CVE-2025-11175 entry was updated with a description, CVSS v4.0 vector, CWE-917 classification, and references for an expression language injection issue in MediaWiki DiscussionTools. The flaw can lead to regular expression exponential blowup (ReDoS) in affected 1.43 and 1.44 versions.

  9. Jan 30, 2026

    CVE record for Geopandas SQL injection updated with technical details

    On 2026-01-30, the CVE-2025-69662 record was updated to add a description, CVSS v3.1 vector, CWE classification, and references for an SQL injection issue in geopandas versions prior to 1.1.2. The flaw affects the to_postgis() function when writing GeoDataFrames to PostgreSQL.

  10. Jan 30, 2026

    ChurchCRM 6.7.2 fixes SQL injection in PaddleNumEditor.php

    ChurchCRM released version 6.7.2 to address CVE-2026-24854, an SQL injection flaw in /PaddleNumEditor.php that could be exploited by any authenticated user, even with no assigned permissions. The advisory references the fixing commit and GitHub Security Advisory.

  11. Jan 29, 2026

    CVE-2026-1637 assigned for Tenda AC21 stack overflow with public exploit

    On 2026-01-29, the CVE record for CVE-2026-1637 was received, documenting a remotely exploitable stack-based buffer overflow in the Tenda AC21 router's fromAdvSetMacMtuWan function. The record noted that a public exploit was available.

  12. Jan 27, 2026

    CISA reports no known exploitation of Johnson Controls SQL injection flaw

    As of 2026-01-27, CISA said it was not aware of public exploitation of CVE-2025-26385, a critical SQL injection vulnerability affecting multiple Johnson Controls ICS products. The agency nevertheless highlighted the risk because the products are widely used in critical infrastructure environments.
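Several timeline entries (Johnson Controls, geopandas `to_postgis()`, ChurchCRM `PerID`) are SQL injection, and they come in two shapes: a value from a request embedded in the query text, and an identifier such as a table name taken from caller input. The following is an added example, not code from ChurchCRM, geopandas or Johnson Controls: a small sqlite3 model of both shapes next to their hardened forms. The schema, rows and function names are constructed.

```python
"""SQL built from request parameters: string formatting vs. bound parameters (added example)."""
from __future__ import annotations

import re
import sqlite3

# Allow-list for identifiers: identifiers cannot be bound as parameters, so
# they must be validated and quoted instead.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema loosely modelled on a person/paddle lookup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE person (PerID INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO person VALUES (1, 'Alice', 'member'), (2, 'Bob', 'admin');
        CREATE TABLE paddle (PaddleID INTEGER PRIMARY KEY, PerID INTEGER, number INTEGER);
        INSERT INTO paddle VALUES (10, 1, 101), (11, 2, 102);
        """
    )
    return conn


def paddles_vulnerable(conn: sqlite3.Connection, per_id: str) -> list[tuple]:
    """Vulnerable shape: the request value becomes part of the SQL text.

    A value such as '1 OR 1=1' changes the WHERE clause and returns every row.
    """
    sql = f"SELECT PaddleID, number FROM paddle WHERE PerID = {per_id}"
    return conn.execute(sql).fetchall()


def paddles_safe(conn: sqlite3.Connection, per_id: str) -> list[tuple]:
    """Hardened shape: validate the type, then bind the value as a parameter.

    The driver sends the value separately from the statement, so it is never
    parsed as SQL; the int() check additionally rejects non-numeric input early.
    """
    try:
        per_id_int = int(per_id)
    except ValueError:
        raise ValueError("PerID must be an integer") from None
    return conn.execute(
        "SELECT PaddleID, number FROM paddle WHERE PerID = ?", (per_id_int,)
    ).fetchall()


def quote_identifier(name: str) -> str:
    """Allow-list then double-quote an identifier supplied by the caller."""
    if not IDENTIFIER_RE.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def write_rows(conn: sqlite3.Connection, table: str, rows: list[tuple]) -> int:
    """Writer that takes a caller-chosen table name (the to_postgis-style case).

    The identifier is validated and quoted; the row values are bound parameters.
    Returns the row count after the insert.
    """
    table_sql = quote_identifier(table)
    conn.executemany(
        f"INSERT INTO {table_sql} (PaddleID, PerID, number) VALUES (?, ?, ?)", rows
    )
    return conn.execute(f"SELECT COUNT(*) FROM {table_sql}").fetchone()[0]


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, '1'        :", paddles_vulnerable(conn, "1"))
    print("vulnerable, '1 OR 1=1' :", paddles_vulnerable(conn, "1 OR 1=1"))
    print("safe, '1'              :", paddles_safe(conn, "1"))
    try:
        paddles_safe(conn, "1 OR 1=1")
    except ValueError as exc:
        print("safe, '1 OR 1=1'       : rejected,", exc)
    print("rows after insert      :", write_rows(conn, "paddle", [(12, 1, 103)]))
```

The two mechanisms are deliberately separate: parameter binding handles values, and it cannot handle table or column names, which is why identifier inputs need the allow-list plus quoting path instead.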


Related Stories

CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products

CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). 
Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.

1 month ago

ICS/OT Vulnerability Disclosures for Airleader Master, Hitachi Energy SuprOS, and WAGO Industrial Switches

CISA published an ICS advisory for **Airleader GmbH Airleader Master** identifying **CVE-2026-1358**, a **critical (CVSS 9.8)** *unrestricted file upload* issue (`CWE-434`) affecting versions **6.381 and earlier**. The advisory states that multiple web pages running with maximum privileges allow **unauthenticated** file uploads without restriction, which could enable **remote code execution** on the server; the issue was reported by **SySS GmbH**. CISA also issued an ICS advisory for **Hitachi Energy SuprOS** describing a **default credentials** weakness (`CWE-1392`) affecting **SuprOS 9.2.1 and below and 9.2.2.0** (listed as **CVE-2025-7740**, **CVSS 8.8**), where an admin account created during deployment could be abused by an attacker with local authenticated access, impacting confidentiality, integrity, and availability. Separately, CERT@VDE warned of multiple critical vulnerabilities in **WAGO 852 series Industrial Managed Switches** (models **8052-1322** and **0852-1328**, firmware **2.64 and prior**), including **CVE-2026-22906** (hardcoded key enabling decryption of AES-ECB–protected stored credentials if a configuration file is obtained) and cookie-parsing flaws such as **CVE-2026-22904** that can be triggered remotely via oversized cookie values, enabling denial of service and potentially code execution through the web management interface (modified *lighttpd* and custom CGI binaries).

1 month ago

CISA ICS advisories disclose multiple critical-manufacturing vulnerabilities in Hitachi Energy, Ilevia, and Open62541

CISA published multiple ICS advisories affecting **critical manufacturing** environments, including a **critical RADIUS forgery weakness** impacting **Hitachi Energy XMC20** and **FOX61x** when configured for **remote RADIUS authentication**. The issue (tracked as **CVE-2024-3596**, CVSS v3.1 **9.0**) stems from the RADIUS protocol’s use of an **MD5 Response Authenticator**, enabling a local attacker to perform a **chosen-prefix collision** and alter server responses (e.g., `Access-Accept`, `Access-Reject`, `Access-Challenge`), with potential confidentiality, integrity, and availability impact. Separately, CISA warned that **Ilevia EVE X1 Server** (<= **4.7.18.0**) contains multiple vulnerabilities (including **CVE-2025-34183/34184/34185/34186/34187** and **CVE-2025-34512/34513/34517/34518**) that can enable **pre-auth file disclosure** (via the `db_log` POST parameter) and **unauthenticated OS command injection** (in `/ajax/php/login.php`), potentially leading to arbitrary command execution and sensitive information exposure; at least one issue is scored **CVSS 9.8**. CISA also disclosed an **out-of-bounds write** in **o6 Automation GmbH Open62541** (**CVE-2026-1301**, CVSS **5.7**) where, with PubSub and JSON enabled, a crafted JSON message can trigger **pre-auth memory corruption** and a reliable **denial of service**.

1 month ago