Author: Industrial Secops

  • AI Is Now Writing Zero-Day Exploits: Google Confirms the Threshold Has Been Crossed

    AI Is Now Writing Zero-Day Exploits: Google Confirms the Threshold Has Been Crossed

    For years, the cybersecurity community debated whether artificial intelligence would eventually be weaponized to discover and exploit software vulnerabilities autonomously. That debate is over.

    On May 12, 2026, Google’s Threat Intelligence Group (GTIG) published its latest AI Threat Tracker — and buried within its 33 pages is a finding that should alarm every industrial security defender: a cybercrime group has used AI to develop a working zero-day exploit, marking the first confirmed case of AI-generated vulnerability weaponization in the wild.

    But the zero-day is just the beginning. The same report reveals autonomous malware that uses AI to navigate devices without human oversight, nation-states industrializing vulnerability discovery through AI agents, and a new class of polymorphic malware that uses LLMs to rewrite itself in real time.

    The implications for OT/ICS environments are profound.

    The First AI-Generated Zero-Day

    Google’s finding is unambiguous: a prominent cybercrime group leveraged AI to discover and weaponize a zero-day vulnerability in a popular open-source web-based system administration tool. The exploit, implemented as a Python script, bypasses two-factor authentication (2FA) by exploiting a semantic logic flaw — a hardcoded trust assumption that the developers never intended as a security bypass.

    What makes this significant is the type of vulnerability AI found. Traditional scanners and fuzzers excel at detecting memory corruption bugs, improper input sanitization, and crash-inducing inputs. But this was different — a high-level logic flaw where the developer hardcoded an exception to their own 2FA enforcement. The AI model read the developer’s intent, identified where the enforcement logic contradicted its own hardcoded exceptions, and surfaced a “dormant logic error that appears functionally correct to traditional scanners but is strategically broken from a security perspective.”

    Google identified the exploit as AI-generated based on telltale signatures: educational docstrings throughout the code, a hallucinated CVSS score, structured textbook-Pythonic formatting characteristic of LLM training data, and a suspiciously clean ANSI color class. The threat actors planned mass exploitation, but GTIG worked with the affected vendor to responsibly disclose and patch the vulnerability before it could be deployed at scale.

    The vendor and tool were not named publicly.

    Nation-States Are Industrializing AI-Powered Vulnerability Research

    The GTIG report reveals that state-sponsored actors from China and North Korea have moved well beyond experimental AI use into systematic, scaled vulnerability research programs.

    China’s UNC2814 employs persona-driven jailbreaking against commercial AI models, directing them to act as “senior security auditors” or “C/C++ binary security experts” to bypass safety guardrails. Their targets are particularly concerning for industrial defenders: TP-Link router firmware and Odette File Transfer Protocol (OFTP) implementations — protocols commonly found in manufacturing supply chains.

    In a more sophisticated approach, Chinese threat actors have integrated a specialized vulnerability repository called “wooyun-legacy” — a Claude code skill plugin containing a distilled knowledge base of over 85,000 real-world vulnerability cases from the WooYun bug bounty platform (2010-2016). By priming AI models with this historical vulnerability data, attackers enable in-context learning that steers the model to identify logic flaws that base models would otherwise miss.

    North Korea’s APT45 has adopted a brute-force approach: sending thousands of repetitive prompts that recursively analyze different CVEs and validate proof-of-concept exploits. “This results in a more robust arsenal of exploit capabilities that would be impractical to manage without AI assistance,” Google noted.

    Perhaps most alarming, a suspected PRC-nexus actor deployed agentic tools — Hexstrike and Strix — against a Japanese technology firm and a prominent East Asian cybersecurity company. Hexstrike used the Graphiti memory system, a temporal knowledge graph, to maintain a persistent model of the attack surface, enabling the agent to autonomously pivot between reconnaissance tools based on its own internal reasoning. Strix automated vulnerability identification and validation with minimal human oversight.

    This is no longer research assistance — it’s autonomous offensive operations.

    PROMPTSPY: The Autonomous AI Malware

    While a zero-day exploit developed with AI assistance is alarming, PROMPTSPY represents something potentially more dangerous: malware that uses AI to think and act on its own during an intrusion.

    PROMPTSPY is an Android backdoor that integrates a module called “GeminiAutomationAgent.” Here’s how it works:

    1. The malware serializes the device’s visible UI hierarchy into XML using the Accessibility API
    2. This payload is sent to Google’s gemini-2.5-flash-lite model via HTTP POST
    3. The model analyzes the spatial geometry of the UI and returns structured JSON commands
    4. PROMPTSPY parses these commands and simulates physical gestures — clicks, swipes — at calculated coordinates
    5. The cycle repeats autonomously, allowing the malware to navigate the device like a human user

    The implications are staggering. PROMPTSPY doesn’t just exfiltrate data — it uses the device. It can capture biometric authentication patterns and replay them later. It renders invisible overlays over the “Uninstall” button to prevent removal. If the device goes idle, Firebase Cloud Messaging relaunches the backdoor silently.

    The entire C2 infrastructure — including Gemini API keys and VNC relay servers — can be rotated at runtime without redeploying the malware. The developers clearly anticipated defensive countermeasures.

    AI-Augmented Evasion: Malware That Rewrites Itself

    The report also documents a new generation of AI-powered evasion techniques targeting Ukrainian organizations:

    • CANFAIL: Contains LLM-generated decoy code with developer comments explicitly noting “these blocks are not used” — filler content designed to dilute malicious signatures
    • LONGSTREAM: 32 instances of daylight-saving-time queries scattered throughout as benign-looking noise — activity that “appears functionally correct” to automated analysis
    • PROMPTFLUX: Dynamic code modification using the Gemini API for just-in-time self-modification
    • APT27: Used AI to accelerate development of an ORB network management tool with 3-hop multi-proxy anonymization using residential IP addresses from mobile SIM cards

    These aren’t theoretical capabilities — they’re deployed in active operations against real targets.

    AI-Powered Attack Lifecycle: From Discovery to Autonomous Exploitation
    AI-Powered Attack Lifecycle — From vulnerability discovery through autonomous exploitation and defense evasion

    What This Means for OT/ICS Security

    For industrial defenders, this GTIG report demands an immediate reassessment of threat models:

    Shrinking Patch Windows: If AI can discover logic flaws that traditional scanners miss — and do so at scale — the window between vulnerability existence and exploitation narrows dramatically. OT environments with 6-12 month patch cycles are increasingly exposed.

    Embedded Device Targeting: UNC2814’s specific focus on TP-Link firmware and OFTP implementations signals growing nation-state interest in the networking equipment that connects OT environments. Serial-to-IP converters, protocol gateways, and edge routers are prime targets for AI-accelerated vulnerability research.

    Autonomous Lateral Movement: If PROMPTSPY-style AI integration reaches OT-specific malware — imagine an autonomous agent navigating HMI screens, modifying setpoints, or disabling safety systems without human operators issuing commands — the impact on safety-critical systems could be catastrophic.

    Agentic Reconnaissance: Tools like Hexstrike with persistent memory graphs represent the future of OT network reconnaissance. An agent that maintains state about discovered assets, tested vulnerabilities, and network topology can systematically map and exploit industrial networks far faster than human operators.

    Defense Evasion at Scale: AI-generated decoy code and polymorphic malware means signature-based detection (still dominant in many OT environments) becomes increasingly unreliable.

    Defensive Recommendations

    1. Assume accelerated exploitation timelines: Treat every disclosed OT vulnerability as potentially exploitable within days, not months. Prioritize compensating controls over patching schedules.
    2. Deploy behavioral monitoring: Signature-based detection cannot keep pace with AI-generated polymorphic malware. Invest in network behavior analysis that detects anomalous communication patterns regardless of payload signatures.
    3. Harden embedded devices: Audit serial-to-IP converters, protocol gateways, and edge networking equipment. Disable unnecessary services, change default credentials, and segment these devices from both IT and core OT networks.
    4. Monitor AI API access: If your organization uses AI tools, monitor for unauthorized API key usage and unusual model invocations that could indicate compromised development environments.
    5. Implement OT-specific zero trust: Assume that any device with network connectivity could be compromised by autonomous malware. Enforce strict communication policies at the protocol level.
    6. Plan for autonomous threats: Update incident response playbooks to address scenarios where malware makes real-time decisions. Response timelines must account for AI-speed lateral movement.

    The Bigger Picture

    Google’s report documents a clear progression: from AI-assisted research (2024), to AI-augmented development (2025), to AI-generated exploitation and autonomous operations (2026). Each step has been faster than analysts predicted.

    The cybersecurity industry has long warned that AI would eventually favor attackers. That future isn’t approaching — it’s here. For OT/ICS environments, where safety systems protect human lives and critical infrastructure serves millions, the stakes of this shift cannot be overstated.

    The question is no longer whether AI will be used to attack industrial systems. It’s when — and whether defenders will be ready.

    Sources: Google Threat Intelligence Group, “GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access” (May 12, 2026); SecurityWeek, “Google Detects First AI-Generated Zero-Day Exploit” (May 11, 2026)

  • When Your Building Fights Back: EnOcean SmartServer Vulnerabilities Expose Building Management Systems to Root-Level Takeover

    When Your Building Fights Back: EnOcean SmartServer Vulnerabilities Expose Building Management Systems to Root-Level Takeover

    When Your Building Fights Back: EnOcean SmartServer Vulnerabilities Expose Building Management Systems to Root-Level Takeover

    ⚠️ TL;DR for Defenders

    Two vulnerabilities in EnOcean’s SmartServer IoT platform (CVE-2026-20761 and CVE-2026-22885) allow remote, unauthenticated attackers to execute arbitrary commands with root privileges on building management system controllers. The flaws exploit improper input validation in the IP-852 protocol — a legacy building automation standard retrofitted for internet connectivity. Successful exploitation gives attackers full control over HVAC, lighting, power distribution, and physical security systems. EnOcean has released a patch (v4.60.023). If you operate SmartServer IoT or legacy i.LON devices, update immediately.

    What Happened

    On April 29, 2026, Claroty’s Team82 vulnerability research group disclosed two security vulnerabilities in EnOcean’s SmartServer IoT platform — a multi-protocol gateway and edge controller widely used to connect building automation devices to cloud management platforms.

    The SmartServer IoT serves as the central nervous system for building management systems (BMS) in smart buildings, factories, data centers, and critical infrastructure facilities. It bridges legacy building protocols like LonTalk to IP networks, enabling centralized control of HVAC, lighting, access control, power monitoring, and environmental systems.

    Team82 researchers found that the platform’s implementation of the CEA-852 standard — which tunnels the legacy LonTalk protocol over IP networks — contained critical flaws in how it processes incoming packets. The most severe vulnerability (CVE-2026-20761, CVSS 8.1) enables a remote, unauthenticated attacker to achieve full root-level code execution by sending a single malicious UDP packet.

    CVE Type CVSS v3 Impact
    CVE-2026-20761 Remote Code Execution 8.1 (High) Pre-auth OS command injection → root shell
    CVE-2026-22885 Memory Leak / ASLR Bypass 3.7 (Low) Stack memory disclosure, enables ASLR bypass

    The vulnerabilities affect SmartServer IoT version 4.60.009 and earlier, as well as legacy Echelon i.LON controllers. EnOcean has released SmartServer 4.6 Update 2 (v4.60.023) to address both issues.

    Attack architecture diagram showing EnOcean SmartServer BMS exploitation via IP-852 protocol
    Figure 1: Attack architecture — EnOcean SmartServer BMS exploitation via IP-852 protocol chain. Attacker sends crafted UDP packets to gain root access, then pivots to field devices controlling HVAC, lighting, access control, and fire suppression.

    Technical Breakdown

    The Protocol Chain: LonTalk → CEA-852 → IP-852

    Building management systems have historically relied on LonTalk, a protocol developed by Echelon Corporation in the 1990s for distributed control networks. As facilities modernized, the CEA-852 standard was created to tunnel LonTalk traffic over IP networks — enabling cloud connectivity and remote management.

    EnOcean’s SmartServer IoT implements this CEA-852/IP-852 bridge. It listens for incoming IP-852 UDP packets on ports 1628/1629 and processes them through its LonTalk stack. This is where the vulnerabilities reside.

    CVE-2026-20761: Pre-Auth Remote Code Execution

    The critical vulnerability exists in the LtSetTimeZone function within the SmartServer’s LonTalk library. This function constructs a shell command from a timezone string received via IP-852 packets and passes it directly to the Linux system() call — with root privileges.

    Attack Chain — Three Packets to Root

    1. Reconnaissance — Send a standard device configuration request to retrieve the SmartServer’s configuration server details. No authentication required.
    2. Impersonation — Construct a crafted IP-852 packet with an extended CNIP header that spoofs the configuration server, bypassing origin verification.
    3. Command Injection — Send a malicious configuration packet containing a crafted timezone string that breaks out of shell quoting and injects arbitrary commands.
    4. Result — The SmartServer processes the packet and executes the injected commands as root.

    CVE-2026-22885: ASLR Bypass via Memory Leak

    A second vulnerability enables attackers to leak stack memory by sending crafted IP-852 time synchronization packets. The flaw lies in how the IP-852 header parser handles the extended header size field — by supplying an unexpected value, an attacker forces the controller to read from an out-of-bounds stack offset and echo it back in the response.

    This memory leak can expose runtime function pointers, enabling an attacker to calculate library base addresses and bypass ASLR (Address Space Layout Randomization) — a critical operating system defense mechanism.

    A Hidden Vulnerability

    Key finding: The vulnerable LtSetTimeZone function is not present in the open-source version of the LonTalk stack published on EnOcean’s GitHub. It exists only in the compiled binary library shipped on devices. This means the vulnerability is invisible to source code review — only binary analysis of on-device firmware would reveal it.

    Who Is Affected

    Directly affected products:

    • EnOcean SmartServer IoT — version 4.60.009 and earlier
    • Legacy Echelon i.LON 100/600 controllers
    • Any device implementing CEA-852 with Echelon proprietary packet types
    Sector BMS Use Case Impact of Compromise
    Commercial Real Estate HVAC, lighting, elevator control Tenant safety, energy waste
    Data Centers Precision cooling, power distribution Server overheating, equipment damage, outages
    Manufacturing Environmental controls, clean rooms Product contamination, production halts
    Healthcare Operating room climate, pharmacy storage Patient safety, drug storage compliance
    Defense / Government Secure facility environmental controls Physical security compromise
    Critical Infrastructure Substations, water treatment, power plants Safety system disruption, cascading failures

    Why This Matters

    BMS Is the Forgotten OT Attack Surface

    Building management systems occupy a dangerous blind spot in most organizations’ security posture. They are operational technology by every definition — they control physical processes, affect human safety, and operate on legacy protocols — yet they typically fall outside the scope of both IT security teams and OT security programs.

    BMS devices are often:

    • Managed by facilities teams, not security teams
    • Connected to both IT and OT networks, creating bridge points
    • Running decades-old protocols — LonTalk has been in use since the 1990s
    • Exposed to the internet for remote management without proper segmentation
    • Excluded from vulnerability scanning and patch management programs

    Legacy Protocols, Modern Connectivity

    The CEA-852 standard exemplifies a recurring OT security pattern: taking a protocol designed for isolated, trusted networks and retrofitting it for IP connectivity without adding authentication or integrity checks. The IP-852 packets that trigger these vulnerabilities are plain UDP — no TLS, no authentication, no message signing. Anyone who can reach port 1628 or 1629 on a SmartServer can send the attack packets.

    Physical Safety Consequences

    Unlike IT compromises that result in data theft, BMS attacks can directly affect the physical environment:

    • Disabling HVAC in a data center can cause thermal cascading failures costing millions
    • Manipulating access control can enable physical intrusion
    • Altering environmental controls in pharmaceutical production can compromise products
    • Disrupting fire suppression or emergency ventilation can endanger lives

    MITRE ATT&CK for ICS Mapping

    Tactic Technique ID Application
    Initial Access Exploitation of Remote Services T0866 Exploiting SmartServer IP-852 listener without authentication
    Execution Unauthorized Command Message T0855 Injecting OS commands via crafted timezone packet
    Persistence Program Download T0843 Root access enables persistent backdoor installation
    Collection Theft of Operational Information T0882 Memory leak exposes stack data and runtime addresses
    Impact Loss of Availability T0826 Disrupting BMS controller disables building systems
    Impact Manipulation of Control T0831 Root access allows modification of BMS logic and setpoints

    Defensive Recommendations

    🚨 Immediate (24-48 Hours)

    1. Patch now — Update SmartServer IoT to version 4.60.023 or later. This is a pre-auth RCE with a public PoC.
    2. Identify all BMS controllers — Locate every SmartServer IoT and i.LON device across your facilities. Many organizations don’t have complete BMS asset inventories.
    3. Block IP-852 from untrusted networks — Ensure ports 1628/1629 (UDP) are not reachable from the internet or untrusted network segments.
    4. Check for exposure — Search Shodan/Censys for your IP ranges with IP-852 / LonTalk service fingerprints.

    ⏲ Short-Term (1-4 Weeks)

    1. Segment BMS networks — Place all building automation controllers in a dedicated VLAN with strict firewall rules. BMS should never share a subnet with general IT.
    2. Deploy network monitoring — Implement passive OT/BMS network monitoring to detect anomalous IP-852 traffic patterns and unauthorized configuration changes.
    3. Audit remote access — Review all remote management pathways to BMS controllers. Replace direct internet exposure with VPN or jump-host architectures.
    4. Inventory legacy devices — Catalog all Echelon i.LON controllers. Legacy devices may not receive patches and require compensating controls.

    🛠 Long-Term (1-6 Months)

    1. Include BMS in OT security program — Building automation must be covered by the same vulnerability management, monitoring, and incident response programs as industrial control systems.
    2. Establish BMS security governance — Define ownership: who is responsible for patching, monitoring, and securing building automation controllers?
    3. Evaluate protocol migration — For facilities with extensive LonTalk/CEA-852 deployments, evaluate migration to modern protocols with built-in authentication and encryption (e.g., BACnet/SC).
    4. Conduct BMS penetration testing — Engage OT-specialized security firms to test building automation environments. Most have never been assessed.

    IndustrialSecOps Analyst Assessment

    Severity Rating: HIGH

    Bottom line: These vulnerabilities turn a building management controller into an attacker’s root shell with three UDP packets and zero authentication. The SmartServer IoT sits at the intersection of IT and OT networks in facilities ranging from commercial offices to data centers and critical infrastructure — making it a high-value pivot point. The availability of a public proof-of-concept exploit means the window for patching before exploitation is narrow. More broadly, this research spotlights BMS as an under-defended OT domain that most security programs systematically overlook. If your organization operates buildings with automated systems, this is your signal to bring BMS into your security program.

    Sources and Further Reading

    1. Claroty Team82, “Exploiting EnOcean SmartServer to Attack Connected Building Management Systems,” April 29, 2026 — claroty.com
    2. SecurityWeek, “EnOcean SmartServer Flaws Expose Buildings to Remote Hacking,” April 30, 2026 — securityweek.com
    3. Claroty Team82, “The Risky Road Bringing Building Management Systems Online: Exploring the CEA-852 Standard” — claroty.com
    4. Claroty Team82, “Examining the Legacy BMS LonTalk Protocol” — claroty.com
    5. EnOcean SmartServer IoT Release Notes — v4.60.023 — enoceanwiki.atlassian.net
    6. CVE-2026-20761 — Claroty Disclosure Dashboard
    7. CVE-2026-22885 — Claroty Disclosure Dashboard

  • AI in the Breach: How an Adversary Used Claude and GPT to Target a Water Utility’s OT Environment

    AI in the Breach: How an Adversary Used Claude and GPT to Target a Water Utility’s OT Environment

    AI in the Breach: How an Adversary Used Claude and GPT to Target a Water Utility’s OT Environment

    ⚠️ TL;DR for Defenders

    An unknown adversary used commercial AI tools — Anthropic’s Claude and OpenAI’s GPT — to compromise a Mexican municipal water utility’s IT environment and attempt to breach its OT infrastructure. Claude autonomously identified OT-adjacent systems, assessed their strategic value, and launched credential attacks against an industrial gateway — all without the attacker demonstrating prior ICS knowledge. The OT boundary held, but this is the first documented real-world case of AI-assisted OT targeting. Defenders must assume AI compresses attacker timelines from days to hours.

    What Happened

    In late February 2026, researchers at Gambit Security recovered a vast collection of artifacts from a large-scale compromise of multiple Mexican government organizations that occurred between December 2025 and February 2026. Gambit contacted Dragos to assist in analyzing an intrusion affecting a municipal water and drainage utility serving the Monterrey metropolitan area in Mexico.

    Dragos analyzed over 350 artifacts — predominantly AI-generated malicious scripts — and identified substantial evidence that the adversary had leveraged two commercial AI tools to carry out core intrusion activities across the entire attack lifecycle:

    AI Tool Role Function
    Anthropic Claude Primary Technical Executor Intrusion planning, tool development/deployment, testing, real-time refinement
    OpenAI GPT Analytical Processor Data processing, structured output generation in Spanish, intelligence analysis

    The investigation confirmed a significant compromise of the utility’s enterprise IT environment that escalated into a documented attempt to breach OT infrastructure. While the OT boundary ultimately held, the incident demonstrates how AI fundamentally changes the speed and accessibility of OT targeting.

    Technical Breakdown

    AI as the Primary Intrusion Operator

    The two AI models functioned as a coordinated capability spanning reconnaissance, lateral movement, enumeration, exploitation, and exfiltration. What distinguished this campaign was not the sophistication of techniques — many were well-documented publicly — but how rapidly the AI operationalized them.

    The 17,000-Line AI-Built Framework

    Claude constructed a central post-compromise framework it named “BACKUPOSINT v9.0 APEX PREDATOR” — a 17,000-line Python script featuring 49 modules built upon publicly available offensive security techniques:

    Network enumeration and discovery
    Credential harvesting
    Active Directory interrogation
    Database access and exfiltration
    Privilege escalation
    Cloud metadata extraction
    Lateral movement automation

    Claude iteratively refined this framework throughout the intrusion, adding capabilities and addressing failures based on operational feedback. A separate C2 framework progressed from a basic HTTP-based controller to a production-grade command-and-control infrastructure within 2 days.

    Figure: AI-assisted attack architecture — from initial IT compromise through AI-driven OT discovery to blocked credential spray. Source: Dragos, May 2026.

    AI Identifies OT as a Crown Jewel

    Following the initial IT compromise in January 2026, Claude was tasked with intelligence gathering across the victim’s internal network. During broad discovery and enumeration, Claude identified a server hosting a vNode industrial gateway and a SCADA/IIoT management platform — a data integration layer between OT systems and enterprise IT.

    🚨 Critical Finding: AI Autonomously Targeted OT

    Without prior ICS/OT-specific context, Claude:

    1. Correctly recognized the vNode interface as a gateway to OT-adjacent infrastructure
    2. Assessed it as strategically significant due to its proximity to the water utility’s operational environment
    3. Identified a single-password authentication interface as a high-potential attack vector
    4. Researched vendor documentation and generated credential lists combining default and victim-specific credentials
    5. Executed an automated password spray attack against the interface

    The password spray was ultimately unsuccessful. Dragos observed no evidence that the adversary breached the OT environment.

    Who Is Affected

    This incident has implications far beyond a single Mexican water utility:

    Sector Risk
    Water & Wastewater Internet-exposed SCADA/IIoT gateways are primary targets for AI-assisted enumeration
    All Industrial Sectors IT-OT convergence points (historians, gateways, data integration layers) are universally present
    Small & Mid-Size Utilities Limited security teams face adversaries whose AI compensates for lack of ICS expertise
    Prevention-Only Orgs Firewalls and segmentation alone are insufficient when AI compresses the attack timeline

    The adversary remains unknown. Dragos identified no overlap with any previously tracked activity threads or threat groups.

    Why This Matters

    AI Compresses the Attack Timeline

    In traditional intrusions, mapping an enterprise network, identifying OT infrastructure, researching vendor systems, and developing credential lists takes days or weeks of manual effort. In this case, Claude performed all of these steps within hours of gaining IT access. Defenders now have significantly less time between enterprise compromise and OT targeting attempts.

    The Barrier to OT Targeting Is Falling

    The adversary did not demonstrate meaningful knowledge of OT or ICS. Claude provided that context autonomously — identifying the industrial gateway, assessing its strategic value, researching the vendor platform, and generating targeted credential attacks. As AI models improve, the prerequisite expertise for OT targeting decreases further.

    AI Amplifies Known Weaknesses

    Current AI models do not provide novel ICS-specific attack capabilities. They operationalize known offensive techniques faster and at scale. The attack relied on familiar weaknesses: credential abuse, default passwords, IT-to-OT exposure paths, and insufficient east-west traffic monitoring. The threat is not AI doing something new — it’s AI doing everything known, much faster.

    Key Insight

    Dragos’s real-world investigations indicate that current AI models do not provide novel ICS/OT capabilities but do make OT more visible to adversaries already operating inside IT environments. The threat is acceleration and accessibility, not new attack techniques.

    MITRE ATT&CK for ICS Mapping

    Tactic Technique ID Application
    Initial Access Exploit Public-Facing Application T0819 Compromise of government/utility IT infrastructure
    Discovery Remote System Discovery T0846 Claude performed broad network enumeration
    Discovery Remote System Information Discovery T0888 AI identified vNode gateway and SCADA platform
    Collection Automated Collection T0802 49-module framework for automated data harvesting
    Lateral Movement Remote Services T0886 Lateral movement automation across IT network
    Credential Access Brute Force I/O T0806 Password spray against vNode authentication
    Command and Control Standard Application Layer Protocol T0869 C2 evolved from HTTP to production-grade in 2 days
    Execution Scripting T0853 17,000-line Python framework; AI-generated tooling

    Defensive Recommendations

    🚨 Immediate Actions (This Week)

    1. Audit IT-OT boundary points — Identify every vNode, historian, gateway, and data integration layer connecting IT and OT networks
    2. Eliminate default credentials on all industrial gateways, SCADA interfaces, and IIoT platforms
    3. Enable MFA on every OT-adjacent system with web-based authentication
    4. Review east-west traffic between IT and OT network segments for anomalous enumeration or scanning

    ⚠️ Short-Term Actions (30 Days)

    1. Deploy OT network monitoring — Visibility into control network traffic is essential to detect AI-speed reconnaissance
    2. Implement the SANS Five Critical Controls for ICS Cybersecurity: defensible architecture, OT network visibility, secure remote access, risk-based vulnerability management, and incident response planning
    3. Conduct credential rotation for all service accounts with access to OT-adjacent systems
    4. Harden industrial gateways — Disable unnecessary services, restrict management interfaces to jump hosts only

    🟢 Long-Term Actions (90 Days)

    1. Adopt defense-in-depth that assumes IT compromise — design OT defenses to withstand adversaries already inside the enterprise
    2. Establish OT-specific threat hunting — AI-speed intrusions require proactive detection, not just perimeter defenses
    3. Implement network segmentation validation — Regularly test that IT-OT boundaries actually prevent lateral movement
    4. Develop AI-aware incident response playbooks — Account for compressed timelines in response procedures

    IndustrialSecOps Analyst Assessment

    Severity Rating HIGH
    Threat Type AI-Assisted Intrusion with OT Targeting
    Attribution Unknown — no overlap with tracked threat groups
    OT Impact OT boundary held — IT-only compromise confirmed
    Significance First documented real-world AI-assisted OT targeting

    Assessment: This incident represents a watershed moment for OT security. While the OT boundary held, the adversary’s use of AI fundamentally changes the threat calculus. An attacker with no ICS knowledge used commercial AI tools to identify, assess, and attack OT infrastructure within hours — a process that traditionally required specialized expertise and days of manual effort.

    The defensive implications are clear: prevention-only strategies are no longer sufficient. Organizations that lack OT network visibility will not detect AI-speed reconnaissance before it reaches the IT-OT boundary. The SANS Five Critical Controls framework provides the right foundation, but the window for implementation is narrowing.

    ▼ Bottom Line

    If your OT security strategy depends on adversaries not finding your industrial systems, that assumption is now invalid. AI will find them for attackers who can’t find them themselves. Invest in visibility, detection, and response — not just prevention.

    Sources and Further Reading

    1. Dragos, “AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility’s OT,” May 6, 2026 — dragos.com
    2. Dragos, “AI-Assisted Compromise of Mexican Water Utility with OT Implications” (Full Report) — hub.dragos.com
    3. Gambit Security — Original research and artifact recovery from Mexican government intrusion campaign
    4. SANS, “Five Critical Controls for ICS Cybersecurity” — sans.org
    5. MITRE ATT&CK for ICS — attack.mitre.org

    Published by IndustrialSecOps — Practical OT security intelligence for defenders who protect what matters.

  • Backdooring PLCs at Scale: How Three CODESYS Vulnerabilities Let Attackers Own Industrial Control

    Backdooring PLCs at Scale: How Three CODESYS Vulnerabilities Let Attackers Own Industrial Control

    Backdooring PLCs at Scale: How Three CODESYS Vulnerabilities Let Attackers Own Industrial Control

    IndustrialSecOps Research · May 2026 · 8 min read
    Tags: ICS Security, PLC, CODESYS, Vulnerability Research, Soft PLC, Supply Chain, OT Security

    ⚡ TL;DR for Defenders

    Three newly disclosed vulnerabilities in the CODESYS Control runtime (CVE-2025-41658, CVE-2025-41659, CVE-2025-41660) allow an authenticated attacker with low-privilege Service-level credentials to backdoor PLC applications, escalate to root, and seize full administrative control of the device. CODESYS powers Soft PLCs from hundreds of manufacturers — Beckhoff, WAGO, Schneider, ABB, and many others — making this one of the widest-impact ICS vulnerability chains disclosed in 2026. Patches are available. Apply them now.

    1. What Happened

    On April 23, 2026, Nozomi Networks Labs published detailed research into three chained vulnerabilities affecting the CODESYS Control runtime, the software engine at the heart of Soft PLCs used across manufacturing, energy, water treatment, and building automation worldwide.

    CODESYS is not a single vendor’s product. It is a manufacturer-independent IEC 61131-3 development and runtime platform integrated by hundreds of device makers into their hardware. When security researchers find flaws in CODESYS, the blast radius spans an enormous cross-vendor footprint — from a single Raspberry Pi test bench to production-floor PLCs governing safety-critical processes.

    The three CVEs discovered by Nozomi Labs are:

    CVE Weakness CVSS v3
    CVE-2025-41658 Incorrect Default Permissions 5.5
    CVE-2025-41659 Incorrect Permission Assignment for Critical Resource 8.3
    CVE-2025-41660 Incorrect Resource Transfer Between Spheres 8.8

    Individually, each vulnerability represents a design weakness. Chained together, they form a complete privilege escalation pathway from a low-privilege Service user to root-level code execution and full device takeover.

    2. Technical Breakdown — The Attack Chain

    CODESYS Vulnerability Chain Attack Architecture - showing the 7-step attack flow from Service-level authentication through shellcode injection to root escalation across Attacker, Enterprise IT, DMZ, and OT Control Network zones
    Figure 1: CODESYS vulnerability chain attack architecture — 7-step privilege escalation from Service user to root across network zones

    How CODESYS Works

    The CODESYS ecosystem has two components: a Windows-based IDE (the Development System) where engineers write and compile IEC 61131-3 programs, and the Control runtime that executes those compiled applications on target hardware. The runtime compiles ladder logic, structured text, and other IEC languages directly into native machine code, then loads and runs that code in its own process — as root.

    This is by design for administrators. The security question is what happens when a non-administrative user can abuse the same execution model.

    The Privilege Model

    CODESYS defines four default privilege levels: Administrator, Developer, Service, and Watch. Service users have intentionally broad access because they need to create and restore backups of deployed applications. That backup capability is the critical enabler for this attack.

    The Seven-Step Chain

    1. Download the boot application. The attacker uses the Development System’s backup function to download the compiled .app binary and its CRC checksum file.
    2. Access cryptographic material (CVE-2025-41659). Exploit incorrect permissions to retrieve encryption keys and certificate authority material from the device.
    3. Bypass cryptographic protections. Decrypt the application, modify it, re-encrypt it, and re-sign modified code using attacker-controlled trusted material.
    4. Tamper with the boot application. Inject shellcode into the compiled binary — a sophisticated attacker hooks a rarely executed branch to maintain stealth.
    5. Recompute the checksum. The .crc file uses simple CRC32 with no cryptographic signature — trivial to recalculate.
    6. Restore the tampered backup (CVE-2025-41660). Upload the backdoored application to the device, overwriting the legitimate one.
    7. Wait for restart → root → Admin. On application restart, injected code executes as root. The attacker modifies the CODESYS user database to grant themselves Administrator privileges.

    Local Access Bootstrapping (CVE-2025-41658)

    If the attacker has local OS access but lacks CODESYS credentials, CVE-2025-41658 provides the entry point: incorrect default file permissions expose the file containing CODESYS password hashes to any local user, enabling offline credential extraction.

    3. Who Is Affected

    This is not a single-vendor problem. CODESYS Control runtimes are embedded in products from hundreds of manufacturers. Any device running an affected version is vulnerable, regardless of the hardware brand on the nameplate.

    🏭 Manufacturing
    Robotic arms, conveyors, CNC machines
    ⚡ Energy
    Generation, transmission, distribution controllers
    💧 Water & Wastewater
    Treatment automation, pump control
    🏢 Building Automation
    HVAC, elevator controls, fire suppression

    All vulnerabilities are fixed in CODESYS Control Runtime v4.21.0.0 and Runtime Toolkit v3.5.22.0.

    4. Why This Matters — The Supply Chain Amplifier

    Most ICS vulnerability disclosures affect a single vendor’s product line. CODESYS is different. It functions as a shared software supply chain component — a runtime engine that device manufacturers license and integrate. A vulnerability in CODESYS is effectively a vulnerability in every product built on it.

    This creates compounding challenges:

    • Patch coordination complexity. CODESYS Group issues the fix, but each device manufacturer must validate, repackage, and distribute updates for their specific hardware. Some will be fast; others will take months.
    • Asset visibility gaps. Many operators don’t know which devices run CODESYS under the hood. The brand on the HMI panel may say Beckhoff or WAGO — but the vulnerable runtime is the same.
    • Long device lifecycles. Industrial controllers often run for 15–20 years. Devices deployed before these patches may never receive updates.
    This is the ICS equivalent of the Log4j problem: a shared component vulnerability that propagates silently through the supply chain.

    5. MITRE ATT&CK for ICS Mapping

    Technique Relevance
    T0839 — Module Firmware Replacing the legitimate control application with a backdoored version
    T0831 — Manipulation of Control Changing setpoints, overriding safety interlocks, falsifying sensor readings
    T0882 — Theft of Operational Information Extracting compiled control logic, credentials, and cryptographic material
    T0859 — Valid Accounts Exploiting default or extracted credentials to authenticate as a Service user

    6. Defensive Recommendations

    🔴 Immediate (This Week)

    • Patch now. Update all CODESYS Control runtimes to v4.21.0.0 or later. Contact your device manufacturer for hardware-specific firmware updates.
    • Inventory your CODESYS footprint. Many OEM products don’t advertise CODESYS branding — check firmware details and vendor documentation.
    • Rotate Service-level credentials. Change any default or weak passwords immediately.
    • Restrict network access. Limit connectivity to CODESYS management ports to designated engineering workstations on segmented networks.

    🟡 Short-Term (30 Days)

    • Enable code signing. Patched versions make it mandatory by default — verify enforcement in your deployment.
    • Monitor backup/restore operations. Alert on unexpected backup downloads or restores outside maintenance windows.
    • Audit privilege assignments. Review Service-level access justification across all accounts.

    🟢 Long-Term (Ongoing)

    • Deploy OT network monitoring. Detect CODESYS protocol activity, unauthorized connections, and anomalous behavior.
    • Maintain an SBOM. Track shared runtime components across your device fleet for immediate impact assessment on future disclosures.
    • Establish manufacturer patch SLAs. Set expectations with device vendors for turnaround time on embedded component security patches.

    7. The Bigger Picture — Why Soft PLCs Change the Risk Equation

    The shift from dedicated hardware PLCs to Soft PLCs delivers real operational benefits: lower costs, flexible deployment, easier updates. But it also changes the attack surface fundamentally.

    A traditional hardware PLC runs proprietary firmware on a specialized processor. A Soft PLC runs compiled code on Linux — the same Linux attackers have spent decades learning to exploit. When that runtime process executes as root (as CODESYS does by design), every vulnerability in the runtime is a root-level vulnerability on the host OS.

    This doesn’t mean Soft PLCs are inherently less secure. It means defenders must apply the same rigor to Soft PLC security that they would to any root-level service: least privilege, mandatory code signing, network segmentation, and continuous monitoring.

    8. IndustrialSecOps Analyst Assessment

    Severity: HIGH — Patch Immediately

    This vulnerability chain represents one of the most impactful ICS disclosures of 2026 due to the cross-vendor footprint. The attack is not theoretical — Nozomi demonstrated a complete chain from Service-level access to root shell. The only limitation is that the attacker must wait for an application restart, a constraint that operational environments regularly satisfy through maintenance cycles, firmware updates, and routine reboots.

    The remediation path (patching and enabling mandatory code signing) is clear, but the real challenge is the supply chain propagation delay. Organizations that rely solely on their device vendor’s patch cycle will remain exposed long after the CODESYS fix is available.

    Bottom line: Know your CODESYS footprint. Patch what you can. Monitor what you cannot.

    9. Sources and Further Reading

    IndustrialSecOps.com — Defending the systems that run the physical world.

  • Iranian APT Actors Are Actively Compromising Internet-Exposed PLCs Across US Critical Infrastructure

    Iranian APT Actors Are Actively Compromising Internet-Exposed PLCs Across US Critical Infrastructure

    On April 8, 2026, a joint advisory from the FBI, CISA, NSA, EPA, DOE, and US Cyber Command confirmed that Iranian-affiliated advanced persistent threat (APT) actors are actively exploiting internet-connected programmable logic controllers (PLCs) across multiple US critical infrastructure sectors. The attacks — attributed to actors linked to the CyberAv3ngers group and Iran’s Islamic Revolutionary Guard Corps (IRGC) — have resulted in manipulation of HMI and SCADA displays, disruption of PLC operations, and confirmed cases of operational disruption and financial loss.

    This is not a future threat scenario. It is happening now in production environments. OT defenders, plant managers, and security architects must treat this as an immediate action item.

    What Happened

    Since March 2026, US cybersecurity agencies have observed Iranian-affiliated APT actors using overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley PLCs, specifically CompactLogix and Micro850 devices. The attackers leveraged leased, third-party hosted infrastructure along with legitimate configuration software, Rockwell Automation’s Studio 5000 Logix Designer, to establish accepted connections to victim PLCs.

    Once connected, the adversaries:

    • Maliciously interacted with PLC project files
    • Manipulated data displayed on HMI and SCADA systems
    • Disrupted PLC function in active operational environments
    • Deployed Dropbear SSH software on victim endpoints for persistent remote access via port 22

    Targeted communication ports include 44818 (EtherNet/IP), 2222, 102 (S7comm/Siemens), 22 (SSH), and 502 (Modbus). The targeting of ports associated with other vendors’ protocols, including Siemens S7 PLCs, indicates the campaign may extend beyond Rockwell Automation devices.

    The affected sectors include water and wastewater systems (WWS), energy, and government services and facilities, including local municipalities. Some victims experienced confirmed operational disruption and financial losses.

    Why This Matters for OT/ICS Environments

    This advisory represents a significant escalation in nation-state targeting of operational technology. Several factors make this particularly concerning:

    1. Direct PLC compromise, not just IT network intrusion

    Unlike many OT-related incidents that stop at the enterprise or DMZ layer, this campaign involves direct manipulation of Level 1 control devices. The attacker is not simply stealing data — they are altering the physical process.

    2. Legitimate tools used as attack vectors

    The use of Studio 5000 Logix Designer — the same engineering software used by plant operators — makes detection significantly harder. The PLC sees a legitimate protocol handshake from legitimate software. Standard signature-based detection will miss this.

    3. Internet exposure as the primary attack surface

    Every compromised device was directly reachable from the internet. No zero-day exploit was needed. No sophisticated supply chain compromise. The adversaries simply connected to PLCs that should never have been exposed.

    4. Geopolitical escalation driving operational risk

    The advisory explicitly ties this activity to Iranian retaliation in response to US-Israeli hostilities. Critical infrastructure operators must assume elevated targeting during periods of geopolitical tension.

    5. Cross-sector and cross-vendor implications

    While the confirmed targets are Rockwell Automation devices, the port scanning activity against S7comm (Siemens), Modbus, and other protocols suggests the threat extends to any internet-exposed PLC or RTU, regardless of manufacturer.

    High-Level Attacker Pathway Analysis

    Note: This section provides a defensive, conceptual-level analysis of the attack path. No exploit code, payloads, commands, or weaponized procedures are included. The purpose is to help defenders understand where to validate controls.

    The attack path observed in this campaign follows a disturbingly simple pattern:

    Reconnaissance → Direct Access → Configuration Manipulation → Operational Impact

    1. Internet scanning and enumeration: Adversaries scan for internet-exposed devices on known ICS ports (44818, 502, 102, 2222). Publicly available search engines make this trivial.
    2. Trust boundary failure: PLCs exposed directly to the internet have no intermediary security control — no firewall, no jump host, no VPN, no authentication gateway. The attacker reaches the device as if they were on the local OT network.
    3. Legitimate protocol exploitation: Using commercially available engineering software (Studio 5000), the attacker establishes a connection that the PLC treats as a valid engineering session. There is no exploit — the PLC is functioning exactly as designed, accepting connections from any authorized client.
    4. Project file and logic manipulation: Once connected, the adversary can modify PLC project files. This allows changes to control logic, setpoints, alarm thresholds, or display values on connected HMIs.
    5. Persistent access via SSH: The deployment of Dropbear SSH on victim endpoints creates a backdoor for ongoing access, independent of the ICS protocols used for initial entry.
    6. Operational disruption: Altered logic or display values can cause incorrect operator actions, safety system failures, process disruptions, or equipment damage — without the operator being aware the system has been compromised.

    What Defenders Should Validate Immediately

    • Are any PLCs, RTUs, or ICS devices directly accessible from the internet? Scan your own external perimeter for ports 44818, 2222, 102, 22, and 502.
    • Are engineering workstation connections to PLCs logged and monitored? Can you distinguish between a legitimate engineer and an unauthorized remote connection?
    • Do PLCs require authentication before accepting configuration changes? Many legacy PLCs accept connections from any client running the correct software.
    • Is remote access to OT environments routed through a hardened jump host with MFA? Or can someone with VPN credentials reach Level 1 devices directly?
    • Are PLC project files baselined and monitored for unauthorized changes? Configuration drift detection is critical.
    • Have you audited cellular modems and other out-of-band connectivity that may provide unmonitored internet paths into your OT network?

    Defensive Recommendations

    Based on the joint advisory and aligned with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs 2.0), the following actions are prioritized:

    Immediate (24–72 Hours)

    1. Disconnect PLCs from public-facing networks. This is the single most impactful action. No PLC should be directly reachable from the internet under any circumstances.
    2. Audit all external-facing ports on OT network segments for 44818, 2222, 102, 22, and 502.
    3. Disable default credentials on all PLCs, HMIs, and network infrastructure in OT environments.
    4. Verify offline backups of PLC project files and configurations exist and are tested.
    5. Review remote access pathways — identify every VPN, cellular modem, and vendor maintenance connection into OT networks.

    Short-Term (1–4 Weeks)

    1. Enforce multi-factor authentication on all remote access to OT environments.
    2. Deploy VPN, firewall, and proxy controls between enterprise IT and OT zones.
    3. Implement passive network monitoring on control system networks to detect anomalous ICS protocol traffic.
    4. Baseline PLC configurations and establish automated drift detection.
    5. Disable unused services and ports on all OT network devices.

    Ongoing

    1. Conduct regular vulnerability scans and asset exposure assessments of OT environments.
    2. Exercise and test incident response plans that explicitly address loss of control system integrity — not just data confidentiality.
    3. Map security controls to MITRE ATT&CK for ICS techniques referenced in the advisory.
    4. Monitor for IoCs published in the advisory across both IT and OT network telemetry.
    5. Engage with sector-specific ISACs for updated threat intelligence during periods of elevated geopolitical risk.

    Architecture Implications

    This attack exploits the most fundamental architectural failure in OT security: direct internet exposure of control system devices without intermediary security controls.

    A properly segmented OT architecture based on the Purdue Model / IEC 62443 zones and conduits should ensure that:

    • Level 0–1 devices (PLCs, RTUs, sensors, actuators) are never directly reachable from untrusted networks
    • A DMZ separates the enterprise IT network from OT operations, with all traffic passing through defined conduits with inspection
    • Engineering workstation access to PLCs is tightly controlled, logged, and limited to authorized personnel on authorized workstations
    • Remote access is routed through a hardened jump host in the DMZ, with MFA, session recording, and time-limited access
    • Historian and data replication services operate in the DMZ, preventing direct queries from IT into OT
    • Network monitoring and anomaly detection (IDS/NTA) are deployed at zone boundaries to detect unauthorized ICS protocol traffic
    • Asset inventory provides a continuously updated view of all OT devices, firmware versions, and network exposure

    The below architecture diagram maps these controls to the specific threat described in this advisory, highlighting the exposure points and defensive control positions.

    Key Takeaways

    1. Internet-exposed PLCs are being actively compromised by nation-state actors. This is confirmed, ongoing, and causing real operational damage.
    2. No exploit is required. The attackers use legitimate engineering software against improperly exposed devices. Reduce the attack surface, not just patch vulnerabilities.
    3. Detection is hard when adversaries use legitimate tools. Invest in network monitoring, configuration baselining, and anomaly detection — not just signature-based controls.
    4. The Purdue Model exists for exactly this reason. Proper network segmentation with enforced zone boundaries would have prevented every observed attack in this campaign.
    5. Geopolitical tension translates directly to OT risk. Critical infrastructure operators must maintain elevated monitoring during periods of international conflict.
    6. Manufacturers must deliver secure-by-default products. PLCs that accept unauthenticated connections from any client with the right software are insecure by design.
    7. Incident response plans must address control system integrity. Restoring a compromised PLC is not the same as reimaging a compromised server.

    Conclusion

    This joint advisory is a clear signal: the era of theoretical OT threats is over. Nation-state actors are actively compromising PLCs in production environments, manipulating control logic, and causing operational disruption across US critical infrastructure.

    The defenses are not mysterious. Disconnect PLCs from the internet. Segment your networks. Monitor for anomalous connections. Baseline your configurations. Enforce authentication. Test your recovery procedures.

    Every one of these actions is within the capability of any organization operating industrial control systems. The question is not whether defenders know what to do — it is whether they will do it before the next intrusion moves from disruption to damage.

    For OT defenders: treat this advisory as a direct tasking. Validate your architecture. Close your exposure gaps. Prepare your response plans. The adversary is already inside the wire.

    Published on IndustrialSecOps.com — Practical OT security intelligence for defenders who protect the systems that keep the world running.