OTPulse
/briefings
RoundupApril 7, 20265 min read

OTPulse Weekly - April 7, 2026

Jerrid Brown·OTPulse

ABB 800xA contains an actively exploited 7-Zip CVE. WAGO had a rough week with two critical advisories covering 45 CVEs across their engineering toolchain. All five advisories this week are Act Now.

This week in OT security

The lead story this week is ABB's 800xA advisory, which sits at the top of the list for one very specific reason: it contains CVE-2025-0411, a 7-Zip vulnerability already on CISA's Known Exploited Vulnerabilities list. Russian cybercrime groups used this flaw as a zero-day in late 2024 to deliver SmokeLoader malware via spear-phishing campaigns against Ukrainian organizations. The fix here is unusually clean - ABB says you can simply uninstall the affected 7-Zip and Azure Data Studio components from your 800xA installation without impacting normal operation. If you run 800xA in power generation, water, or process environments, this one warrants attention this week, not next maintenance window.

Beyond ABB, WAGO had a rough week. Two separate advisories landed covering WAGO Solution Builder, Device Sphere, and VC Hub, all rated critical. The VC Hub advisory alone carries 45 CVEs. These are engineering and visualization tools, so the attack surface is less about field devices and more about the people configuring them.

Top 5 advisories to act on

  1. ABB System 800xA - 7-Zip and Azure Data Studio components | Act Now | CVE-2025-0411 is actively exploited in the wild. Uninstall the bundled 7-Zip and Azure Data Studio from your 800xA host - ABB confirms neither is required for system operation.

  2. WAGO Solution Builder and Device Sphere | Act Now | CVSS 9.9 with a public PoC. An authenticated attacker could escalate privileges and modify control logic or operational configurations across multiple WAGO devices.

  3. PX4 Autopilot | Act Now | CVSS 9.8 remote code execution via the MAVLink interface. Relevant if you operate autonomous vehicles or drones in industrial or infrastructure settings.

  4. WAGO VC Hub | Act Now | CVSS 9.8, 45 CVEs covering ImageMagick flaws. A user with design permissions could upload a malicious image, execute arbitrary code on the VC Hub, and pivot into connected industrial networks.

  5. Anritsu Remote Spectrum Monitor | Act Now | CVSS 9.8 with network-accessible attack surface. An attacker could alter measurement configurations or disable the device entirely.

One deeper read

All five advisories this week are Act Now tier - a clean sweep that does not happen often. The ABB 800xA case is worth looking at in detail because it illustrates something common in OT environments: vulnerabilities in bundled third-party components that vendors do not always surface in their own patching guidance. Check out the latest OTPulse briefing on the axios supply chain attack for a recent example of how this same pattern plays out in software dependencies, and why the third-party component inventory on your OT hosts matters.

Industry Intel

Reports & Research

Dragos 2026 OT Cybersecurity Year in Review

Dragos tracked 119 ransomware groups hitting 3,300+ industrial organizations in 2025, nearly double 2024's count. Three new threat groups were identified targeting critical infrastructure globally. The number that should follow you into your next budget conversation: fewer than 10% of OT networks have any active visibility or monitoring in place.

Read more
TXOne Networks 2026 Annual OT/ICS Cybersecurity Report

A global survey of 200 C-level OT security decision-makers found 96% of OT incidents originate from IT-level compromises, 60% of organizations experienced an incident in 2025, and 88% increased OT security spending by more than 10% this year. If you are building a business case for budget, this survey data translates directly into executive-level language.

Read more
Waterfall Threat Report 2026

Ransomware frequency against OT appears to be slowing - but the Waterfall analysis argues this masks a more concerning shift: nation-state actors are moving from pre-positioning to active, direct attacks on critical infrastructure OT. The accompanying webinar is worth registering for if you brief leadership on threat trends.

Read more

Incidents

80K Stryker devices wiped in Iran-attributed attack

Attackers attributed to Iran wiped approximately 80,000 Stryker operational devices in a destructive attack. The scale here is notable - this is not ransomware with a negotiation phase, this is wiper-style destruction at industrial scale.

Read more
Water facility ransomware attack

A water facility was among this week's ransomware victims, per SecurityWeek's weekly roundup. No facility name or attribution has been disclosed publicly. For those of you in water and wastewater, this is a reminder that your sector remains actively targeted.

Read more
TeamPCP supply chain campaign: European Commission confirmed

CERT-EU confirmed the European Commission was among the victims of the ongoing TeamPCP supply chain attack. Mandiant has now quantified the total scope at 1,000+ SaaS environments. SANS ISC is tracking updates actively.

Read more

Regulatory & Standards

Australia consults on faster government intervention powers

The Australian government is opening industry consultation on legislative reforms that would expand government authority to intervene directly during critical infrastructure attacks. If you operate in Australia or advise organizations that do, the consultation window is open now.

Read more

Events & Conferences

ISA OT Cybersecurity Summit - Prague, June 16-18, 2026

ISA's fourth annual OT Cybersecurity Summit has its full program released. Early-bird registration closes April 17. The conference is organized around the ISA/IEC 62443 standards community, which makes it more practitioner-focused than most.

Read more

Community

ETHOS: the first open-source OT threat intel sharing organization

Claroty, Dragos, Forescout, Nozomi, Schneider Electric, Tenable, and Waterfall Security announced ETHOS, a vendor-neutral initiative for early-warning threat intelligence sharing across critical infrastructure. This is the first effort of its kind in the OT space. Worth watching if collective defense is part of how you think about sector-level risk.

Read more
Waterfall: 8.5 questions for your OT remote access vendors

A practitioner-facing checklist for evaluating OT remote access vendors - useful if you are currently assessing or renewing a remote access contract. Pair it with their companion webinar on 13 ways attackers break "secure" OT remote access systems.

Read more

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

← Browse all briefings

Built for the people who protect operational technology. hello@otpulse.io