Overview

CISA released a bundle of seven ICS advisories on May 21, 2026. This analysis covers the three highest-impact advisories affecting WAGO PFC controllers, AVEVA Plant SCADA, and Beckhoff TwinCAT runtime — platforms with broad deployment across industrial automation, process manufacturing, and building control sectors.


Advisory 1: WAGO PFC100/PFC200 — Unauthenticated Command Injection (ICSA-26-141-02)

Severity: Critical (CVSS 9.8)

WAGO’s PFC100 and PFC200 series PLCs, running the WAGO Linux-based firmware, contain an unauthenticated OS command injection vulnerability in the device’s web-based management interface. An attacker with network access to the PFC’s web management port (TCP 8080 by default) can inject OS commands through an unvalidated CGI parameter and execute them as root on the underlying Linux system.

Affected versions: PFC100 firmware prior to 03.14.07(21), PFC200 firmware prior to 03.14.07(21).

WAGO PFC controllers are used in automation applications including machine control, process monitoring, building automation, and renewable energy systems (inverter control, substation I/O). Their Linux-based architecture makes them versatile but also means OS-level compromise gives an attacker a general-purpose Linux system inside the OT network — a useful pivot point.

Remediation: Update to firmware 03.14.07(21) or later. If immediate update is not feasible, disable the web management interface via WAGO e!COCKPIT configuration, or block TCP 8080 at the network layer.


Advisory 2: AVEVA Plant SCADA — Heap Use-After-Free in Historical Data Server (ICSA-26-141-04)

Severity: High (CVSS 8.1)

AVEVA Plant SCADA (formerly Citect SCADA) contains a heap use-after-free vulnerability in the Historical Data Server (HDS) component. HDS is the Plant SCADA subsystem responsible for retrieving and serving historical process data to operator displays, reports, and third-party integrations. The flaw is triggered by a malformed request to the HDS via the AVEVA Historian protocol.

An authenticated attacker — or an unauthenticated attacker if the HDS is accessible without authentication (a common misconfiguration) — can trigger the use-after-free to cause a server crash or, with further development, achieve code execution in the context of the HDS process.

Affected versions: AVEVA Plant SCADA 2023 R2 and earlier. AVEVA has released Plant SCADA 2024 R1 addressing the flaw.

AVEVA Plant SCADA is deployed in utilities (electric, water, gas), manufacturing, mining, and oil and gas operations globally. The historical data function is a common integration point with third-party analytics, MES systems, and business intelligence tools — paths that may traverse network boundaries.

Remediation: Upgrade to Plant SCADA 2024 R1. As an interim measure, restrict HDS access to authorised client systems using AVEVA’s built-in access control configuration and network ACLs.


Advisory 3: Beckhoff TwinCAT 3 — ADS Protocol Stack Overflow (ICSA-26-141-06)

Severity: High (CVSS 7.8)

Beckhoff’s TwinCAT 3 runtime environment contains a stack-based buffer overflow in the ADS (Automation Device Specification) protocol stack. ADS is Beckhoff’s proprietary communication protocol for PC-based control systems, used to communicate between TwinCAT runtimes, engineering tools (TwinCAT XAE), and third-party ADS clients. The overflow is triggered by a malformed ADS request packet.

An attacker on the network can trigger the overflow by sending a crafted ADS packet to the TwinCAT runtime’s ADS port (TCP/UDP 48898). Successful exploitation can crash the TwinCAT runtime or, in certain conditions, execute code in the context of the TwinCAT service (which runs with SYSTEM privileges on Windows).

Affected versions: TwinCAT 3.1 Build 4024.x and earlier. Beckhoff has released TwinCAT 3.1 Build 4026 addressing the flaw.

Beckhoff TwinCAT is widely deployed in PC-based machine control, robotics, semiconductor equipment, and laboratory automation. The ADS protocol is an inter-process communication mechanism that many applications use internally and externally — making broad ADS exposure a common deployment configuration.

Remediation: Update to TwinCAT 3.1 Build 4026 or later. Restrict ADS port (TCP/UDP 48898) access to authorised engineering workstations and integration clients.


Cross-Advisory Observation

All three advisories share a common risk pattern: default or misconfigured exposure of management and communication interfaces to network segments broader than operationally required. WAGO’s web management port, AVEVA’s HDS, and Beckhoff’s ADS port are legitimate functional components — but each represents an exploitable surface when exposed beyond its intended access perimeter. Network segmentation and access control reviews remain the most broadly applicable compensating control across OT advisory cycles.

References

Tags
CISAICS-CERTWAGOAVEVABeckhoffTwinCATPFCPlant-SCADACitectRCEauthenticationmanufacturingbuilding-automation