Recent changes
Hitachi Energy Ellipse Remote Code Execution Vulnerability
CISA ICS-CERT published advisory ICSA-26-092-03 disclosing a critical remote code execution vulnerability (CVE-2025-10492, CVSS 9.8) in Hitachi Energy Ellipse versions 9.0.50 and prior. The vulnerability exists in the Jasper Report third-party component due to improper Java deserialization handling. Organizations using affected Ellipse versions face immediate risk of remote compromise. Mitigation involves restricting loading of external custom reports to trusted sources only.
Yokogawa CENTUM VP Hardcoded Password Vulnerability CVE-2025-7741
CISA ICS-CERT published advisory ICSA-26-092-02 disclosing CVE-2025-7741, a hardcoded password vulnerability in Yokogawa CENTUM VP distributed control systems affecting versions R5.01.00 through R7.01.00. The vulnerability (CVSS 3.1 score 4.0 Medium) allows attackers with access to HIS screen controls to log in as the PROG user and potentially modify permissions. CISA recommends changing to Windows Authentication Mode or applying vendor patches as mitigations.
Siemens SICAM 8 Vulnerabilities - Denial of Service and Out-of-Bounds Write Patches
CISA ICS-CERT released advisory ICSA-26-092-01 identifying two vulnerabilities in Siemens SICAM 8 industrial control products. CVE-2026-27663 is a medium-severity denial-of-service vulnerability (CVSS 6.5) caused by resource exhaustion under high request volumes. CVE-2026-27664 is a high-severity out-of-bounds write vulnerability (CVSS 7.5) exploitable through malicious XML input. Affected products include CPCI85, RTUM85, and SICORE firmware versions prior to V26.10. Siemens recommends updating to V26.10 or later.
CVE-2026-3502 TrueConf Vulnerability Added to KEV Catalog
CISA added CVE-2026-3502, a TrueConf Client vulnerability involving code download without integrity verification, to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The vulnerability poses significant risk as a frequent attack vector for malicious cyber actors. Although Binding Operational Directive 22-01 only mandates remediation for Federal Civilian Executive Branch agencies, CISA strongly urges all organizations to prioritize timely remediation.
State v. Seddens - 404(b) Evidence Admissibility
The New Jersey Superior Court Appellate Division affirmed defendant Eric T. Seddens' manslaughter conviction, rejecting his challenge to the trial court's admission of prior assault evidence under N.J.R.E. 404(b) to prove motive and identity in the homicide case. The three-judge panel found the trial court did not abuse its discretion, determining the prior aggravated assault against the same victim at the same location two years earlier was sufficiently related to the fatal incident, despite the defendant's arguments about lack of sanitization and availability of less prejudicial evidence.
State v. Walls - Evading Arrest and Felon Firearm Possession
The Tennessee Court of Criminal Appeals reversed in part a Giles County trial court's denial of a motion for new trial for defendant Lacy Frank Walls, III, who received an effective 40-year sentence for evading arrest and three counts of felon in possession of a firearm. The appellate court found the trial court erred by refusing to consider sentencing-related issues in the motion for new trial.
Bulatov v. North East Medical Services - Contract Dispute
The Northern District of California received a Notice of Removal from San Francisco County Superior Court, Case No. CGC-26-634184. Plaintiff Bulatov filed against North East Medical Services in a federal question contract dispute. North East Medical Services filed the removal with a $405 filing fee.
Lindsay Dealerships Settlement - Consumer Protection Violation
Maryland Attorney General Anthony G. Brown and the FTC announced a settlement with Lindsay Ford, Lindsay Chevrolet, Lindsay Chrysler/Dodge/Jeep/Ram, and associated owners and officers. The settlement requires refunds of over $75 million to consumers who paid more than advertised prices or were charged for add-on products without consent between April 1, 2020 and December 31, 2025. The Stipulated Order permanently restrains the defendants from deceptive pricing practices.
Bank Impersonation Scam Enforcement Action
The FCC issued a Notice of Apparent Liability proposing $45 million in forfeitures against telecommunications carriers for Robocall Mitigation Database (RMD) Rule violations linked to bank impersonation scams routed through suspicious foreign call traffic. The enforcement action targets carriers that allegedly facilitated fraudulent calls impersonating banks to U.S. consumers.
Voxbeam faces $4.5M FCC forfeiture for RMD violations
The FCC's Enforcement Bureau issued a Notice of Apparent Liability (NAL) proposing a $4.5 million forfeiture against Voxbeam Telecommunications Inc. for violating Robocall Mitigation Database (RMD) requirements. The company transmitted calls from a provider that was not listed in the RMD, violating federal robocall rules under the TRACED Act.
Categories
Courts & Legal
298 sources
Government & Legislation
239 sources
Banking & Finance
159 sources
Healthcare
128 sources
Labor & Employment
108 sources
Energy
96 sources
Trade & Sanctions
87 sources
Securities & Markets
87 sources
Environment
80 sources
Pharma & Drug Safety
70 sources
Agriculture & Food Safety
62 sources
Tax
62 sources
Transportation
57 sources
Insurance
52 sources
Defense & National Security
51 sources
Telecom & Technology
34 sources
Data Privacy & Cybersecurity
29 sources
Consumer Protection
25 sources
Education
20 sources
Housing
15 sources
Immigration
8 sources
AI Regulation
3 sources
Tax & Revenue
1 source
medical-board
1 source
Legal & Courts
1 source