Overview

CISA released a coordinated bundle of eight Industrial Control Systems (ICS) advisories on May 28, 2026, alongside one medical device advisory. The advisories span transportation logistics management, CNC motion control software, industrial IoT converters, and building automation systems. Two advisories warrant immediate attention from operational technology security teams: the deserialization vulnerability in Kaleris Navis N4 (global port and logistics management) and the out-of-bounds write in Delta Electronics CNCSoft (CNC manufacturing control).

This analysis covers the three highest-impact advisories in depth, with operational guidance for affected sectors.


Advisory 1: Kaleris Navis N4 — Deserialization and Cleartext Transmission (ICSA-26-148-01)

Vulnerability Summary

Kaleris Navis N4 is a terminal operating system (TOS) deployed at port terminals and logistics hubs globally for managing container movement, vessel operations, berth scheduling, and yard management. The advisory identifies two vulnerability classes:

Deserialization of Untrusted Data (CWE-502): Navis N4 versions prior to 4.0 are affected by an unsafe deserialization vulnerability in a network-accessible service component. Deserialization vulnerabilities in Java-based systems are among the highest-severity vulnerability classes in OT/ICS contexts — successful exploitation allows remote code execution without authentication in many configurations, giving an attacker full control over the application server and, by extension, the terminal operations data it manages.

Cleartext Transmission of Sensitive Information (CWE-319): Certain Navis N4 communication channels transmit authentication credentials and operational data in cleartext. In a terminal environment with extensive network infrastructure (cranes, AGVs, gate systems, vessel interfaces), cleartext credentials are accessible to any attacker with network position — either through prior compromise of the OT network segment or through interception of traffic.

Operational Impact

Navis N4 compromise has consequences beyond data theft. Terminal operating systems are the control plane for physical cargo operations. An adversary with code execution on a Navis N4 server could:

  • Manipulate container location records, disrupting port operations and customs clearance
  • Inject false vessel arrival or berth assignment data, causing operational scheduling failures
  • Exfiltrate cargo manifests including sensitive shipment data with national security implications
  • Pivot to adjacent systems (crane automation, gate management) via trusted network relationships

Port terminals using Navis N4 versions prior to 4.0 should treat this as a critical remediation priority, particularly for any instances with network exposure beyond a tightly controlled maintenance network.

Remediation

  • Update to Navis N4 version 4.0 or later — the patched version addresses both the deserialization and cleartext transmission vulnerabilities
  • Where immediate patching is not feasible, implement strict network segmentation isolating the Navis N4 application server from internet-accessible networks and from segments accessible to non-operations personnel
  • Audit network traffic from Navis N4 hosts for cleartext credential transmission; implement transport encryption at the network layer (IPSec or TLS inspection) as a compensating control
  • Review authentication logs on Navis N4 for anomalous access patterns preceding the patch deployment

Advisory 2: Delta Electronics CNCSoft — Out-of-Bounds Write (ICSA-26-148-04)

Vulnerability Summary

Delta Electronics CNCSoft is a CNC (Computer Numerical Control) programming and simulation software platform widely used in discrete manufacturing environments for machine tool programming, simulation, and production management. The affected version is CNCSoft 1.01.34 and earlier.

The vulnerability is an Out-of-Bounds Write (CWE-787) in the parsing of CNCSoft project files (.dpb files). When a maliciously crafted project file is opened, the parser writes data beyond the bounds of an allocated buffer. On modern systems with ASLR and DEP, exploitation requires a memory disclosure primitive to bypass protections, but in ICS environments where workstations may run older versions of Windows without current mitigations, exploitation to achieve arbitrary code execution on the engineering workstation is feasible.

Attack Scenarios

The most realistic attack vector in an OT environment is a malicious project file delivered via:

  • Spear-phishing: An email to a machine operator or process engineer with an attachment claiming to be a CNC program for a specific machine
  • USB media: Common in air-gapped manufacturing environments, where engineering workstations have limited network connectivity but are regularly updated via removable media
  • Compromised shared file location: If engineers share CNC programs via a network share that is accessible from both IT and OT segments, a compromised IT system could inject a malicious .dpb file

The target is the engineering workstation rather than the CNC controller directly. From a compromised engineering workstation, an attacker can modify legitimate CNC programs to introduce subtle errors in machined parts — a technique that has been demonstrated in academic research on manufacturing sabotage and is increasingly relevant as a supply chain concern for defence and aerospace manufacturers.

Remediation

  • Update CNCSoft to the latest patched version — Delta Electronics has released a patched version addressing CVE-2026-4618; refer to the vendor advisory for the exact patched release number
  • Restrict the ability to open CNCSoft project files from external sources; consider implementing file integrity monitoring on the directories containing production CNC programs
  • Apply application whitelisting on engineering workstations running CNCSoft to prevent execution of unsigned or unexpected binaries
  • Network isolation: engineering workstations with CNCSoft installed should not have direct outbound internet access

Advisory 3: ABB EIBPORT — Multiple Vulnerabilities (ICSA-26-148-03)

Vulnerability Summary

ABB EIBPORT is a building automation gateway that bridges KNX (EIB) building bus protocols with IP networks, providing web-based management of HVAC, lighting, access control, and energy management systems in commercial and industrial buildings. The advisory documents multiple vulnerabilities in the EIBPORT management interface.

The most significant findings include:

Authentication bypass in the web management interface: The management portal for affected EIBPORT versions has insufficient authentication controls that can be bypassed by a remote unauthenticated attacker with network access to the device.

Cross-Site Scripting (XSS) in management interface: Reflected XSS vulnerabilities allow injection of malicious scripts into the management UI, enabling session hijacking or credential theft from an authenticated administrator.

Operational Context

EIBPORT devices sit at a critical integration point: they translate between IP networks and KNX, the most widely deployed building bus protocol in Europe. A compromised EIBPORT can:

  • Modify HVAC setpoints and scheduling, affecting building comfort and energy consumption
  • Control lighting and access systems within the building
  • Pivot to other KNX-connected devices through the bus interface
  • Act as a persistent foothold in building automation networks, which are often connected to or accessible from corporate IT networks

For data centres, laboratories, hospitals, and high-security facilities where environmental control is operationally critical, EIBPORT compromise represents a higher-impact scenario than in typical commercial buildings.

Remediation

  • Apply the vendor-supplied firmware patch — ABB has released a patched firmware version; consult the CISA advisory and ABB product security portal for the specific version
  • Remove EIBPORT management interfaces from direct internet exposure — these devices should be accessible only from trusted management networks
  • Implement network access controls limiting which hosts can reach the EIBPORT management port
  • Review EIBPORT access logs for any unauthenticated access attempts

Cross-Cutting Operational Guidance

The May 28 bundle illustrates a persistent pattern in ICS vulnerability disclosures: complex, bespoke software components running in operational environments receive significantly less security scrutiny than enterprise IT software, and vulnerabilities when discovered are often in components that are difficult to patch without operational disruption.

For OT security teams processing this advisory bundle:

  1. Inventory first: Before patching or implementing mitigations, verify which versions of affected products are deployed and in which operational contexts. Kaleris Navis N4, Delta Electronics CNCSoft, and ABB EIBPORT all have deployment footprints that may not be visible in standard IT asset management systems.

  2. Validate patch applicability against operational constraints: CNC workstation patches typically require a change window coordinated with production scheduling. Terminal operating system patches at active port terminals require extensive testing. Plan accordingly.

  3. Implement detective controls while patching is in progress: For the Kaleris Navis N4 deserialization vulnerability specifically, monitoring outbound connections from the Navis application server for anomalous destinations provides a detection layer while patching is being scheduled.

The full CISA advisory bundle is available at cisa.gov/ics-advisories.

Tags
CISAICS-CERTKalerisNavis N4Delta ElectronicsCNCSoftABBEIBPORTdeserializationOOB-writetransportmanufacturing