Overview

CISA released nine ICS advisories in June 2026 covering vulnerabilities in industrial control system products across multiple vendors. Three deserve particular attention from OT security practitioners: a privilege escalation flaw in Inductive Automation Ignition (widely deployed as an SCADA/HMI platform in manufacturing and energy), an OS command injection vulnerability in ICONICS GENESIS64 and Mitsubishi Electric MC Works64 (broad deployments across critical infrastructure in North America and Japan), and a series of vulnerabilities in Axis network cameras increasingly deployed in industrial environments for OT visibility.

Inductive Automation Ignition — ICSA-26-162-01

CVSSv3 Score: 6.4 (Medium)
Vulnerability: Execution with unnecessary privileges (CWE-250)
Affected versions: Ignition versions prior to the vendor-specified patch release
Advisory: ICSA-26-162-01

Inductive Automation Ignition is a widely deployed SCADA/HMI platform used extensively in manufacturing, food and beverage processing, water/wastewater, and oil and gas operations. Its cross-platform architecture (Java-based, browser-accessible designer) makes it popular for greenfield OT deployments and IT/OT convergence projects.

The vulnerability allows an authenticated attacker to gain elevated access beyond their assigned role through a privilege escalation path in Ignition’s internal execution context. CISA’s description — “execution with unnecessary privileges” — indicates that certain Ignition processes run with elevated privileges that are not required for their function, and that an attacker with standard user credentials can leverage this to escalate.

Operational context: Ignition deployments often bridge IT and OT networks. An attacker who has compromised an IT-side account with Ignition access — or an insider with designer-level credentials — could use this vulnerability to gain broader access to the Ignition gateway, potentially including:

  • Access to Ignition Tags connected to PLCs and field devices
  • Read/write access to process data that should be restricted
  • Gateway configuration access enabling further pivot into the OT environment

Remediation: Apply vendor patch per Inductive Automation’s advisory. Where immediate patching is not possible (which in live production environments is often the case), restrict Ignition gateway access to the minimum necessary users and review current role assignments to ensure privilege separation is enforced.

ICONICS GENESIS64 / MobileHMI / MC Works64 — ICSA-26-162-02

CVSSv3 Score: 8.2 (High)
Vulnerability: Improper neutralization of special elements in OS commands — OS command injection (CWE-78)
CVE: CVE-2025-11774
Affected products: GENESIS64, ICONICS Suite, MobileHMI, and Mitsubishi Electric MC Works64
Advisory: ICSA-26-162-02

GENESIS64 is ICONICS’s flagship SCADA/HMI platform, and MC Works64 is the OEM version distributed by Mitsubishi Electric. Both are widely deployed across energy management systems, building automation, manufacturing MES, and transport infrastructure in North America, Europe, and Japan. MobileHMI extends GENESIS64 access to mobile devices.

An OS command injection vulnerability in these products allows an attacker to execute arbitrary operating system commands in the context of the GENESIS64 server process. Command injection at the SCADA layer is severe: GENESIS64 typically runs on Windows servers with connectivity to historians, engineering workstations, and field device communication drivers. Successful exploitation could enable:

  • Arbitrary code execution on the GENESIS64 server
  • Access to process data, historian records, and operator interface configurations
  • Pivot into connected OT networks and field device segments
  • Deployment of additional tools or ransomware in the OT environment

Attack surface considerations: The exploitability of this vulnerability depends on how the affected products are accessed. If the GENESIS64 server is accessible to authenticated users over the network (which is standard in most deployments), any authenticated user — including standard operator accounts — may be able to exploit this. In Mitsubishi’s advisory language, this typically means the vulnerability is exploitable by “low-privileged remote users” in network-accessible configurations.

Remediation:

  • Apply the patch from ICONICS/Mitsubishi per the vendor advisory
  • If patching requires a planned outage window, implement network access controls to restrict GENESIS64 server access to the minimum necessary client systems
  • Review user accounts on GENESIS64 servers and remove any accounts that are no longer active
  • Ensure that MobileHMI endpoints are not internet-accessible; place them behind VPN with MFA

Axis Network Cameras in OT Environments — ICSA-26-162-03

Severity: Multiple vulnerabilities, CVSS scores not publicly disclosed at time of advisory
Affected products: Multiple Axis camera models
Advisory: ICSA-26-162-03

While network cameras may seem peripheral to an ICS security briefing, their inclusion in CISA’s ICS advisory bundle reflects a real operational trend. Axis cameras are increasingly deployed in OT environments for industrial vision systems — machine vision on production lines, perimeter monitoring of critical facilities, and remote visual inspection of equipment. In these deployments, cameras are often placed on OT network segments with connectivity to engineering workstations and historian systems.

A compromised network camera in an OT environment is not merely a surveillance risk — it is a foothold on the OT segment from which an attacker can conduct reconnaissance, intercept network traffic, and (depending on network configuration) reach PLC and SCADA systems. This is the attack vector that has historically been underweighted in OT risk models because cameras “aren’t OT devices” — a categorisation that doesn’t reflect actual network topology.

Remediation:

  • Identify all Axis cameras on OT network segments (this often requires passive network discovery — cameras may not be in asset inventories)
  • Apply firmware updates per Axis’s advisory
  • Network-segment cameras onto a dedicated VLAN with firewall rules permitting only the specific flows required (video to monitoring workstation, management from dedicated jump host)
  • Ensure cameras are not internet-accessible; disable UPnP and remote cloud features in OT deployments

Broader June 2026 ICS Advisory Context

The June 2026 advisory bundle also included vulnerabilities from Schneider Electric, Rockwell Automation, National Instruments, and Advantech. The consistent pattern across this advisory bundle — elevated privilege paths, command injection, and information disclosure in network-accessible management interfaces — reflects the same structural issues that have characterised ICS vulnerability disclosures throughout 2025-2026.

Key patterns for OT defenders:

  • SCADA/HMI platform vulnerabilities (Ignition, GENESIS64) are particularly high priority because these systems typically have broad connectivity within OT networks and are operated by accounts whose credentials are more widely distributed than field device credentials
  • Network-adjacent devices (cameras, industrial networking equipment) need to be included in OT asset inventories and patch management programmes — they are in scope for OT attacks even if they are not “control system” devices
  • The volume of ICS advisories (508 in 2025, on pace to exceed that in 2026) means that prioritisation frameworks are essential; CVSS alone is insufficient — operational connectivity and network position must inform priority

For NERC CIP-regulated environments, the Ignition and GENESIS64 vulnerabilities should be evaluated under the patch management standard (CIP-007-6 R2) and logged appropriately if the patch timeline exceeds the standard’s requirements.

  1. Ignition (ICSA-26-162-01): Review user privilege assignments immediately; apply patch at next available maintenance window
  2. GENESIS64/MC Works64 (CVE-2025-11774): Apply vendor patch; restrict network access to GENESIS64 servers in the interim; review and disable unused user accounts
  3. Axis cameras on OT networks: Identify, update firmware, and enforce network segmentation; treat as full OT assets in patch management processes
  4. General: Subscribe to CISA ICS-CERT advisories at cisa.gov/ics for the complete advisory set — this roundup covers the highest-priority items but the full June bundle includes additional affected vendors
Tags
CISAICS-advisoryInductive-AutomationIgnitionICONICSGENESIS64MitsubishiSCADAHMIcommand-injectionOT-security