Bi-Weekly Briefing · June 1, 2026 · 7 min read

OTPulse Bi-Weekly Briefing - June 1, 2026

Jerrid Brown·OTPulse

CVSS 8.8, KEV-listed May 28. The CopyFail and DirtyFrag Linux kernel LPE chain is in active exploitation and now on Moxa industrial edge hardware. Here is what the chain does, why OT environments are more exposed than the preconditions suggest, and what to check this week.


Past two weeks in OT security

The most urgent item from the past two weeks is a KEV-listed advisory on Moxa industrial edge hardware - specifically a Linux kernel local privilege escalation chain called CopyFail and DirtyFrag. CISA published ICSA-26-148-08 on May 28, added it to the Known Exploited Vulnerabilities catalog the same day, and the underlying flaws have been confirmed in active attacks since early May.

The chain involves two separate research disclosures: CopyFail (CVE-2026-31431), a flaw in the Linux kernel's cryptographic template handling, and DirtyFrag (CVE-2026-43284, CVE-2026-43500), a related bug in the IPsec ESP and rxrpc in-place decryption path. Microsoft confirmed active attacks exploiting DirtyFrag on May 8. Elastic Security Labs published detection guidance and IOCs the following day. By May 28, Moxa had an ICS advisory out.

Beyond the Moxa KEV, this window also produced CVSS 9.8 advisories for an Eppendorf bioreactor controller, XCharge EV charging stations, and a PUSR RS-232/485-to-WiFi serial converter that shows up in water and manufacturing environments.

Top advisories to act on

Eppendorf BioFlo 320
Plan Patch

An attacker with network access to an affected BioFlo 320 bioreactor could gain complete control of the system, including the ability to alter fermentation parameters, stop bioprocess operations, or access sensitive batch and research data stored on the bioreactor controller.

No fix · CVE-2026-7251 · ICS-CERT ICSMA-26-146-01 · May 26

CVE-2026-7251, CVSS 9.8, Plan Patch. An attacker with network access can take full control of an Eppendorf BioFlo 320 bioreactor - alter fermentation parameters, stop bioprocess operations, or access batch data. Life sciences and biopharma environments should prioritize.

XCharge C6
Plan Patch

An attacker could gain administrator rights on the charging station and execute arbitrary code, potentially disrupting EV charging operations, manipulating billing data, or accessing sensitive information.

No fix · CVE-2026-9037 (+2 more) · ICS-CERT ICSA-26-148-08 · May 28

CVE-2026-9037 through CVE-2026-9039, CVSS 9.8, Plan Patch. Three vulnerabilities in XCharge C6 EV charging stations allow an attacker to gain admin rights and execute arbitrary code. Review network access to EV charging infrastructure.

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
Plan Patch

An attacker with network access to the device could gain administrator access and run arbitrary commands, allowing them to intercept, modify, or block serial RS232/485 data to and from your PLCs, RTUs, or other control equipment.

No fix · CVE-2026-7786 · ICS-CERT ICSA-26-148-02 · May 28

CVE-2026-7786, CVSS 9.8, Plan Patch. The PUSR USR-W610 is a serial RS-232/485-to-WiFi converter common in water, wastewater, and small manufacturing facilities. Network access gets an attacker administrator rights and arbitrary command execution - data to PLCs and RTUs is at risk.

ScadaBR
Plan Patch

An attacker can remotely run arbitrary commands on your ScadaBR system without authentication, potentially allowing them to alter monitoring data, change process settings, or disable alarms in your energy control systems.

Energy · Fix available · CVE-2026-8602 (+3 more) · ICS-CERT ICSA-26-139-03 · May 19

CVE-2026-8602 through CVE-2026-8605, CVSS 9.1, Plan Patch. Four CVEs in ScadaBR allow unauthenticated remote code execution on this open-source SCADA/HMI platform. Common in energy and smaller industrial facilities. Patch or isolate.

What the CopyFail and DirtyFrag chain actually does

Both vulnerabilities are local privilege escalation flaws - an attacker who already has a low-privileged account on a Linux system can use them to become root. That "already local" precondition sounds limiting. In OT environments, it is much less of a barrier than it sounds.

Moxa hardware sits at the OT/IT boundary. Its edge devices - cellular gateways, serial-to-IP converters, remote I/O units - run hardened Linux and manage RS-232/485 communications to PLCs and RTUs. They are also the devices most likely to have a vendor support account, a shared service credential, or a USB port that someone used during a site visit. Any of those gives an attacker the unprivileged foothold needed to trigger this chain.

CopyFail (CVE-2026-31431) was disclosed by researchers at Theori and Xint in late April 2026. A 732-byte Python proof-of-concept achieves root on unpatched systems. About a week later, researcher Hyunwoo Kim published DirtyFrag, targeting the IPsec ESP and rxrpc decryption paths. That proof-of-concept achieves root in a single command.

Microsoft's May 8 rapid-response post confirmed active exploitation in the wild, targeting DirtyFrag specifically. Elastic Security Labs published IOCs and detection rules the next day. The CISA ICS advisory for Moxa hardware came on May 28 - three weeks after confirmed active attacks.

Moxa is not the only exposure here. Any Linux-based industrial device running an unpatched kernel is potentially in scope: HMI terminals, historian servers, remote access gateways, industrial routers. The VicOne team documented the same risk in automotive OT contexts. If your fleet includes Linux-based devices from any vendor, check the kernel version against the CVE patch levels - not just the Moxa advisory.

For containerized environments - and some industrial gateways do use container isolation - DirtyFrag enables container escape, putting the host OS in scope even if an attacker only gained access to an isolated workload.

What to do this week

  1. Patch Moxa hardware covered by ICSA-26-148-08. Check otpulse.io/feed/e487dbee-ff16-4e22-9877-581b5eb8cd7e for affected models and the vendor's patched firmware versions.

  2. Audit shared and vendor accounts on Moxa devices. Remove any accounts that are not actively needed. Vendor remote access accounts that persist after a service visit are a common entry point for LPE chains like this one.

  3. Audit Linux kernel versions across your fleet. This is not just a Moxa problem. Any industrial Linux device running kernel versions below the CopyFail and DirtyFrag patch levels is exposed. Build a list of kernel versions across your edge hardware and historians, then cross-reference against the CVE advisories.

  4. Apply Elastic detection rules if you have endpoint visibility on Linux assets. Elastic Security Labs published IOCs and detection guidance on May 9; if you have any Linux endpoint visibility in your environment, deploy them.

  5. For the PUSR USR-W610 advisory (CVE-2026-7786): if you cannot patch immediately, take the device off the network or restrict access to the engineering VLAN only. A serial converter that allows arbitrary command execution should not be reachable from a corporate segment.
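Step 3 above asks for a fleet-wide kernel inventory cross-referenced against the CVE patch levels. The script below is an added example of how to do that comparison, not OTPulse tooling or anything from the advisories: it parses `uname -r` strings with vendor suffixes (`-moxa`, `-rt7`, `-generic`), compares each one against the first fixed release on its stable branch, and flags hosts whose branch has no fixed release on record for manual review rather than silently treating them as safe. The fixed-version table and the inventory are constructed placeholders; substitute the real patch levels from the CopyFail and DirtyFrag advisories and your own `uname -r` collection.

```python
"""Fleet kernel-version audit against CopyFail / DirtyFrag patch levels.

Added example, not OTPulse's or any vendor's code. The FIXED table and the
inventory below are placeholders constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# PLACEHOLDER table: first release on each stable branch assumed to carry the
# CVE-2026-31431 / CVE-2026-43284 / CVE-2026-43500 fixes. These numbers are
# invented for the demo; take the real ones from the CVE and Moxa advisories.
PLACEHOLDER_FIXED: Dict[Branch, Version] = {
    (5, 10): (5, 10, 240),
    (5, 15): (5, 15, 180),
    (6, 1): (6, 1, 100),
    (6, 6): (6, 6, 30),
}

# Constructed sample inventory ("hostname,role,uname -r"); not real devices.
SAMPLE_INVENTORY = """\
# hostname,role,kernel
gw-cell-01,cellular-gateway,5.10.230-moxa
gw-serial-02,serial-to-ip,5.10.245-moxa
hist-01,historian,6.1.110-generic
hmi-03,hmi-terminal,4.19.300
gw-edge-05,remote-io,6.6.12-rt7
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel(uname_r: str) -> Optional[Version]:
    """Turn a `uname -r` string into (major, minor, patch); vendor suffixes are ignored."""
    m = _VERSION_RE.match(uname_r.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(uname_r: str, fixed: Dict[Branch, Version]) -> str:
    """Classify one kernel as 'patched', 'exposed', 'review' or 'unparsed'."""
    v = parse_kernel(uname_r)
    if v is None:
        return "unparsed"
    branch = (v[0], v[1])
    if branch not in fixed:
        # A branch with no fixed release on record (e.g. end-of-life) is not
        # safe by default; it needs a human decision, so it is never 'patched'.
        return "review"
    return "patched" if v >= fixed[branch] else "exposed"


def audit(inventory_text: str, fixed: Dict[Branch, Version]) -> List[dict]:
    """Parse the CSV inventory and return one finding per well-formed host line."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        host, role, kernel = parts
        findings.append({"host": host, "role": role, "kernel": kernel,
                         "status": assess(kernel, fixed)})
    return findings


def exposed_hosts(findings: List[dict]) -> List[str]:
    """Hosts that need action: known-vulnerable plus branches needing review."""
    return sorted(f["host"] for f in findings if f["status"] in ("exposed", "review"))


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, PLACEHOLDER_FIXED):
        print(f"{f['host']:<14}{f['role']:<18}{f['kernel']:<18}{f['status']}")
```

The comparison is tuple-based, so `5.10.245` correctly sorts above `5.10.240` (a plain string compare would not), and anything on a branch missing from the table lands in the action list instead of passing silently.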
