Bi-Weekly Briefing | June 29, 2026

OTPulse Bi-Weekly Briefing - June 29, 2026

Jerrid Brown · OTPulse

Handala breached California Water's billing database and GNSS correction platform. The OT network held. Here is what the RTKBase exposure actually means and what to patch this week.


Past four weeks in OT security

The headline from the past month is Handala's confirmed breach of California Water Service, which broke on June 11. The Iran-linked group released a 5 GB proof-of-concept dump that confirmed access to two things: a customer billing database and, more notably for OT practitioners, administrative credentials for an RTKBase deployment - an open-source GNSS correction platform used by Cal Water field crews across seven operational districts. No water operations were disrupted. Cal Water confirmed that in a June 17 statement, and the expert consensus across multiple security firms is that Handala's claim to be able to "shut off water in US cities" is psychological warfare, not demonstrated capability.

The second thread: this is the second Cisco Catalyst SD-WAN KEV in as many months. The May 18 briefing covered CVE-2026-20182 (CVSS 10.0, no authentication required, actively exploited by UAT-8616). This period added CVE-2026-20262 to the KEV catalog on June 9 - a different file-write vulnerability on the same platform, this one requiring low-privilege authentication. If you applied the May patch, verify it covers this CVE too before marking SD-WAN remediation complete.

Top advisories to act on

  1. Cisco Catalyst SD-WAN Manager - Arbitrary File Write (CVE-2026-20262) | Act Now | KEV-listed June 9. A low-privilege authenticated user can write or overwrite any file on SD-WAN Manager, enabling root-level control of the device and its managed WAN fabric. This is a separate CVE from the May 18 briefing's CVE-2026-20182 - same platform, different attack path. Verify your May patch also addresses this one. Check the Cisco advisory update history before closing your remediation ticket.

  2. ABB Ability Edgenius Gateway/Server - CopyFail LPE (CVE-2026-31431) | Act Now | The CopyFail kernel chain from the June 1 Moxa briefing (ICSA-26-148-08) is now confirmed on ABB Edgenius hardware. KEV-listed, EPSS 96.78%. If you have Edgenius gateways in your environment, treat this the same as the Moxa advisory: root access on an Edgenius puts OT telemetry, field device connectivity, and ABB Ability cloud linkage in attacker hands. Patch now.

  3. Rockwell FLEX I/O EtherNet/IP Adapters (CVE-2026-0646, CVE-2026-0647) | Plan Patch | Two vulnerabilities in 1794-AENTR V2.012 and 1794-AENTRXT V2.012 adapters. CVE-2026-0647 (CVSS 9.4) allows an unauthenticated attacker to change the web interface password via a crafted HTTP GET request, locking legitimate operators out of the adapter. CVE-2026-0646 can fault the adapter and drop its connection to associated I/O modules, requiring manual reset. CISA published ICSA-26-167-05 on June 16. Firmware 2.013 addresses both. No KEV, no observed exploitation, but any FLEX I/O adapter reachable from beyond its dedicated I/O network is a real exposure.

  4. AVer PTC Cameras - Unauthenticated RCE (CVE-2026-40624) | Plan Patch | CVSS 9.8. AVer cameras are used for physical security monitoring at industrial and utility facilities - perimeter surveillance, access control, process observation. Unauthenticated RCE means an attacker can pivot from the camera to the management VLAN. Same attack surface as the Milesight camera advisory from April, different vendor. No KEV, no public PoC, but CVSS 9.8 on a physical-security device at an industrial site deserves attention.

  5. NAXCLOW Smart Doorbells/Cameras (CVE-2026-28742) | Monitor | CISA flagged a hard-coded cryptographic salt in NAXCLOW smart devices that lets an attacker forge valid requests across every device from that vendor. No patch is available - the vendor did not respond to CISA's disclosure. The remediation is isolation or replacement. If you have commodity IoT devices at facility entrances or equipment room access points and you do not know whether the vendor supports security disclosures, this is a useful reminder to find out.

Handala, Cal Water, and what the RTKBase angle actually means

Most coverage of the Cal Water breach focused on the billing data and Handala's threat claims. The detail that got less attention was RTKBase.

RTKBase is an open-source GNSS correction server platform. Water utilities use it to give field crews centimeter-accurate GPS positioning during infrastructure maintenance, pipeline inspection, and mapping. Cal Water's RTKBase deployment served seven districts: Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment. Handala released administrative credentials for RTKBase and at least one NTRIP source endpoint.

That is OT-adjacent infrastructure. It does not sit on the OT network. It does not control valves or pumps. But credentials for a system that feeds positioning data to physical field operations land in a different category than a customer billing database. Nozomi's June 18 analysis is the best primary technical breakdown - they named the specific systems involved and correctly assessed that Handala reached this infrastructure through internet-exposed IT systems, not by breaching OT segmentation.

The segmentation held. That is the practical lesson here. Handala got into billing and GPS correction infrastructure, and the operational network was isolated enough that no water operations were affected. The incident is evidence that segmentation works as a real defensive control, not just a compliance box to check. It also confirms the attack path: internet-exposed IT systems are how groups like Handala get close to utility infrastructure, even when they never touch the OT layer.

If you are running a water utility and you have not audited which of your IT systems are internet-facing - including things like field operations support platforms, GNSS correction servers, GIS tools - now is the time.

What to do this week

Patch CVE-2026-20262 on Cisco SD-WAN Manager and verify it is distinct from your May patch cycle. If you have ABB Edgenius hardware, treat the CopyFail advisory with the same urgency as the Moxa advisory from June 1 - same chain, same risk. For Rockwell FLEX I/O, check whether your 1794-AENTR adapters are on firmware 2.013; if not, prioritize based on whether those adapters are reachable from segments beyond the dedicated I/O network.

For the broader Cal Water lesson: pull a list of your internet-facing systems. That list should include everything in the IT envelope - not just the obvious ones. GNSS correction servers, historian web interfaces, HMI remote access portals, GIS platforms, and field operations tools all qualify. Handala found RTKBase because it was there and reachable.
