Claroty’s 2026 State of XIoT Security report, published this month, provides the most comprehensive annual dataset on vulnerability disclosures across the extended internet of things — operational technology, industrial IoT, and connected medical and building systems. The headline finding: total OT vulnerability disclosures hit a new annual high in 2025, continuing a four-year trend of accelerating disclosure volume.
What the Data Shows
The 2026 report analyses vulnerability data from CISA ICS-CERT advisories, vendor security bulletins, and researcher disclosures throughout 2025. Key data points:
Disclosure volume: OT/ICS vulnerabilities disclosed in 2025 surpassed the previous record set in 2024. The acceleration is driven by three concurrent factors: increased researcher attention on OT targets, mandatory disclosure requirements under NIS2 in Europe pulling previously unreported vulnerabilities into formal channels, and vendors accelerating their own proactive disclosure programs in response to regulatory pressure.
Severity distribution: 82% of disclosed OT vulnerabilities are rated high (CVSS 7.0–8.9) or critical (CVSS 9.0+). This figure has remained consistently high across successive Claroty reports. For OT defenders, this creates a structural problem: if more than four in five disclosed vulnerabilities are rated high or critical, severity ratings lose their prioritisation value. Risk scoring that factors in exploitability, internet exposure, compensating controls, and operational context becomes essential.
Affected categories: Field controllers — PLCs, RTUs, and DCS components — remain the largest category of affected devices, accounting for approximately one-third of all disclosures. SCADA/HMI software and OT network infrastructure (industrial switches, routers, firewalls) together account for another substantial share. The report also documents a growing category: vulnerabilities in OT remote access solutions, including industrial VPNs and remote desktop tools designed for OT environments, which introduce internet-facing exposure into networks that previously had none.
No-patch exposure: A significant proportion of disclosed vulnerabilities have no vendor patch available at the time of disclosure — either because the product is end-of-life, the vendor has not yet released a fix, or the fix requires hardware replacement. This category is growing, driven by the long operational life cycles of ICS equipment and a growing number of EoL devices still in active industrial use.
What Practitioners Actually Need to Know
The report’s aggregate numbers matter less than two operational implications.
Patch management fundamentally does not work in OT the same way it does in IT. The median time to patch a critical IT vulnerability in enterprise environments is measured in days to weeks. For OT environments, PLC firmware updates and SCADA software patches require operational change windows coordinated with process engineering, vendor-supplied qualification testing, and in some cases manual updates to field devices without remote access. The practical patch cycle for OT is measured in months to quarters — and some vulnerabilities in embedded field devices will never be patched.
Internet exposure is the most actionable risk factor. Regardless of CVSS score, a vulnerability on a device with no external network exposure represents a fundamentally different risk than the same vulnerability on an internet-connected HMI. The Claroty data shows continued high rates of internet-exposed OT devices — a figure that has not declined materially despite years of hardening guidance. For teams with limited capacity to work through an accelerating vulnerability backlog, internet exposure reduction provides the highest return on effort.
Compensating Controls for Unpatched Exposure
For vulnerabilities where patching is not immediately feasible:
Network segmentation and access control — ensure vulnerable devices are not reachable from corporate IT networks, the internet, or from each other except through controlled, logged jump hosts or firewalls with explicit permit rules.
Vulnerability-specific signatures — deploy IDS/IPS rules or passive monitoring signatures for known exploitation patterns. Several OT security vendors (Claroty, Dragos, Nozomi Networks, Forescout) provide detection content for disclosed vulnerabilities, including ones without patches.
Enhanced monitoring — increase log verbosity and alerting sensitivity around affected assets. Anomalous connection attempts, unexpected protocol commands, and unusual operator credential activity can surface exploitation attempts.
Change freeze — for the most critical affected devices in production environments, a formal change freeze with enhanced monitoring may be more practical than attempting to patch during a live campaign or following a major advisory release.
References
- Claroty 2026 State of XIoT Security Report: https://claroty.com/resources/reports
- CISA ICS-CERT advisories (current): https://www.cisa.gov/ics-advisories
- NIST NVD OT/ICS vulnerability data: https://nvd.nist.gov