TXOne Networks

Blogs & Articles

Threat research, product updates, and industry insights

Internet-Exposed PLCs: Addressing the Risks Behind the Headlines

The Exposure That Predates the Headlines Recent advisories and reporting have highlighted cyber activity targeting internet-facing Operational Technology devices, particularly Rockwell Automation and Allen-Bradley PLCs such as CompactLogix and Micro850 models. While media coverage tends to focus on who may be behind these campaigns, the more important question for industrial organizations is: why are these… Read more

4/15/2026
Discover: You Can't Secure What You Can't See

Most security programs assume they know what's in their environment. The data disagrees: 83% of organizations identify OT visibility gaps as a direct risk contributor. Discovery is the continuous process of identifying assets, mapping communications, and understanding the dependencies that keep operations running. You cannot protect what you cannot see.

4/10/2026
Future Cybersecurity Threats in Ports: Protecting Global Trade from Rising Maritime Risks

Introduction When geopolitical tensions rise, critical infrastructure becomes an obvious target. As key nodes in global trade, ports handle the flow of goods that economies depend on. A successful cyberattack does not just disrupt operations at a single facility; it can delay imports and exports across interconnected supply chains, trigger economic losses, and erode the… Read more

3/30/2026
Detection Isn’t the Problem. Stopping the Threat Is.

By: Austen Byers, Technical Director, TXOne Networks In nearly every OT security incident I’ve been pulled into, there’s a reoccurring moment in all of them. Someone saw it…. An alert fired…. A detection platform did exactly what it was supposed to do…. And then everything slowed down or stopped completely. By the time enforcement caught… Read more

3/10/2026
The Visibility Gap is a Myth

2/18/2026
Root via Telnet: Active Exploitation of CVE-2026-24061 (GNU inetutils)

A critical authentication bypass (CVE-2026-24061) enables unauthenticated root access on GNU inetutils telnetd. Three attack waves began January 22, 2026, progressing from reconnaissance to active weaponization.

1/26/2026
AI Infrastructure Under Siege: Multiple Threat Actors Weaponize CVE-2023-48022

By: Chizuru Toyama, TXOne Threat Research Introduction In March 2024, the security community was alerted to ShadowRay—the first major campaign targeting AI workloads by exploiting CVE-2023-48022. This vulnerability stems from a missing authentication flaw in the Ray Jobs API, allowing unauthenticated attackers to execute arbitrary code across distributed AI clusters. Though the initial ShadowRay campaign… Read more

1/20/2026
The Visibility Gap is a Myth

The real problem isn't what you can see. It's what you can't stop. Your detection tools are working perfectly—yet ransomware still causes operational shutdowns despite successful detection.

1/20/2026
Health Level 7 Communication Protocol: Vulnerabilities and Mitigation

Abstract The Health Level 7 (HL7) communication protocol was created to effectively and rapidly share Electronic Health Information (EHI). This standard has been widely used in the medical industry for decades, undergoing continuous development which has produced multiple transmission formats. While HL7 enables efficient medical information sharing, its reliance on outdated communication formats has incurred… Read more

1/6/2026
Persistent Exploitation of WordPress Multi Uploader Plugin: CVE-2025-23921 in the Wild

Author: Chizuru Toyama, TXOne Threat Research Overview WordPress powers a significant portion of the web, and its plugin ecosystem is both a strength and a vulnerability. Upload-handling plugins are persistently targeted because any weakness in file validation gives attackers a direct path to remote code execution. Our telemetry has revealed consistent and periodic exploitation… Read more

12/1/2025
Not Cleared for Takeoff: Aviation’s OT Cybersecurity Problem

Introduction International aviation relies on systems built for reliability in closed networks, not for threat resistance in interconnected environments. A compromised air traffic control system doesn’t just delay flights; it necessitates manual routing, reduces capacity, and can ground entire regions until the threat is cleared. The sector now faces threats its legacy foundations were never… Read more

11/26/2025
The Million-Dollar Question: Replace or Protect Your Legacy OT Systems?

Introduction Here’s a scenario you might find upsettingly familiar: you’ve got a workstation that’s been functioning reliably for years, managing a critical production line. The system runs custom software that talks to controllers through industrial protocols, and everyone knows not to touch it. Any attempt to update the OS or patch the software runs the… Read more

11/17/2025
Low EPSS, High Risk: Real-World Exploits Caught by IoT/ICS Threat Intelligence Platform in September

Author: Chizuru Toyama, TXOne Threat Research Overview In September, our IoT/ICS Threat Intelligence Platform captured live exploit attempts targeting three distinct vulnerabilities. These CVEs span consumer networking, AI tooling, and enterprise testing platforms — and all share one surprising trait: low EPSS scores. This reinforces a critical message: EPSS is a useful prioritization tool, but it should never be the sole… Read more

10/23/2025
Supply Chain Cybersecurity: Vulnerabilities and Strategies

The Importance of a Proactive Supply Chain Cybersecurity Strategy The implications of a supply chain cyberattack can be widespread and devastating for the victimized company. These might include operational issues such as component or material shortfalls, production downtime, and delayed shipments. And that can just be the beginning. Supply chains are hugely interdependent, and an… Read more

10/2/2025
Security Disclosure Acknowledgement

TXOne Networks wishes to thank the following security researchers for their participation in our vulnerability disclosure program.  Researcher  Vulnerability  Date cmj <cmj@cmj.tw> pf <jampf510@gmail.com> SQL Injection April 15, 2021 Kunal Mhaske <LinkedIn> The researcher has requested that this vulnerability remain undisclosed. July 29, 2024 Gaurang maheta <LinkedIn> Email Abuse September 9, 2024 M Tayyab Iqbal <thinksoftwaresolutions> HTML… Read more

9/30/2025
The OT Threat That Walks Through the Door

The 2025 SANS ICS/OT Cybersecurity Budget Report highlights a troubling reality: USB devices and contractor laptops remain among the leading causes of industrial security incidents. Despite years of awareness, investment still lags behind the risk. This article explores why the gap persists and what it means for organizations today. https://digital.txone.com/media/the-ot-threat-that-walks-through-the-door/

9/25/2025
Cyber Threats to Water and Wastewater Sector

The Strategic Imperative of Water and Wastewater Systems (WWS) Responsible for everything from potable water to wastewater sanitation, the Water and Wastewater Systems (WWS) sector operates behind the scenes to uphold the function of our modern society. The WWS sector is so critical that any interruption of the service would have a devastating impact on… Read more

9/12/2025
Active Exploitation of CVE-2025-31324 and CVE-2025-42999 in the Wild

Author: Chizuru Toyama, TXOne Threat Research Overview This report presents telemetry data collected by our IoT/ICS Threat Intelligence platform concerning exploitation attempts targeting two critical vulnerabilities in SAP’s MetadataUploader service: CVE-2025-31324 and CVE-2025-42999. CVE-2025-31324 is an unauthenticated file upload vulnerability affecting the /developmentserver/metadatauploader endpoint. It enables remote attackers to upload malicious files—such as web shells—without authentication. CVE-2025-42999 is an insecure deserialization… Read more

9/12/2025
Securing PACS in Healthcare: Critical Flaws Found in Sante PACS Server

Author: Chizuru Toyama, TXOne Threat Research Background In modern healthcare, PACS (Picture Archiving and Communication System) servers are pivotal—they facilitate the storage, retrieval, and transmission of medical images across healthcare facilities, supporting patient diagnosis and treatment. Any disruption or compromise in PACS infrastructure can imperil patient privacy, workflow continuity, and overall care integrity. CISA… Read more

9/12/2025
Closing the IT/OT Security Gap with SageOne

The Real OT Security Challenge If you run industrial operations, you’ve probably felt it: the flood of alerts that don’t specify what’s urgent, the risk of downtime if you touch fragile systems, and the growing pressure to demonstrate compliance. For OT teams, security isn’t just a luxury; it’s a delicate balance between maintaining production and… Read more

9/4/2025
Observed Exploitation of CVE-2025-32433 in the Wild

Introduction CVE-2025-32433 is a critical unauthenticated remote code execution (RCE) vulnerability in the Erlang/OTP SSH daemon. The flaw allows attackers to send SSH_MSG_CHANNEL_REQUEST messages before authentication, leading to arbitrary code execution on vulnerable hosts. Multiple campaigns have been observed actively targeting exposed Erlang/OTP services since proof-of-concept exploits became public in April 2025. Our IoT/ICS intelligence… Read more

8/21/2025
When People Are the Cargo

What Differentiates Public Transport From Other OT Technology An Attack on Public Transport Is an Attack on the Public When a cyberattack hits any sector of critical infrastructure, it can directly impact the public by rendering water undrinkable, shutting off the electricity, and otherwise disrupting people’s lives. But when it comes to public transit, the… Read more

8/6/2025
OT Cybersecurity: The Guide to Securing Industrial Systems

What is OT? Operational Technology (OT) cybersecurity is key to protecting factories, power grids, and water systems from cyber threats. While IT focuses on data, OT cybersecurity ensures that the physical processes behind critical infrastructure, manufacturing, energy, and utilities are safe and reliable. This guide looks at what makes OT security unique. It explains why… Read more

8/5/2025
Unmasking UNC3886: A Sophisticated Cyber Espionage Group Targeting Critical Infrastructure

Overview UNC3886 is a state-sponsored advanced persistent threat (APT) group first identified by Mandiant in 2022. Believed to be linked to China, UNC3886 has been active since at least 2021, conducting highly targeted cyber espionage operations against critical infrastructure and virtualized environments worldwide—with a strategic focus on Asia and North America. Targeted Sectors and… Read more

7/29/2025
Save Yourself: The Case for Resilience

Introduction From the moment it emerged, ransomware has been a thorn in the side of organizations. But with the rise of ransomware-as-a-service and the growing convergence between IT and OT, that thorn has evolved into something far more dangerous—sharper, faster, and backed by a thriving criminal business model. Now that governments are moving to ban… Read more

7/15/2025
Rolling Stock, Static Thinking

Closing the Gap Between Legacy Systems and Modern Cyber Threats Rail systems are built to keep moving safely, predictably, and without interruption. That’s exactly what makes them so vulnerable. The Operational Technology (OT) environments found in rail systems were designed for service continuity and physical safety, not for the kinds of sophisticated cyber threats they… Read more

7/11/2025
From Farm to Fallout: Ransomware’s Impact on the Food Chain

Introduction Since 2024, the number of ransomware attacks targeting the food and agriculture sector has been increasing. Some gangs are focusing on OT environments in particular, which makes ransomware a major threat that cannot be ignored. As these groups’ strategies against the food and agriculture sector continue to evolve, the TXOne Networks threat research team… Read more

6/18/2025
The NSA’s New Smart Controller Requirements: A TXOne Guide

Background In April 2025, the National Security Agency (NSA) released their report, Operational Technology Assurance Partnership (OTAP): Smart Controller Security within National Security Systems, to address the lack of formal testing and conformance standards for smart controllers. These are embedded devices in OT environments that automate physical processes and connect to networks. While they improve… Read more

5/29/2025
The Legacy OT Dilemma: Why Aging Systems Still Haunt Europe’s Industrial Cybersecurity

Introduction In the race toward digital transformation, one persistent challenge continues to jeopardize progress—legacy systems in OT environments. These aging assets, often built more than a decade ago, were designed for reliability and uptime—not cyber resilience. In 2025, their presence still looms large, particularly in industries where safety, availability, and continuous operation are non-negotiable. TXOne… Read more

5/14/2025
Protecting Medical Data: Uncovering New Vulnerabilities in PACS Servers and DICOM Viewers

Author: Chizuru Toyama, TXOne Research Background Modern healthcare relies heavily on digital technology to streamline workflows and enhance patient care. One critical component in this digital ecosystem is the Picture Archiving and Communication System (PACS). PACS is a networked system used to electronically store, retrieve, manage, and share medical images. It replaces traditional film-based… Read more

5/12/2025
The Latent Storm: Volt Typhoon and Supply Chain Vulnerabilities

Introduction: The Hidden Threat in the Supply Chain Supply chains have always carried an unavoidable level of unease. No matter how tight your perimeter is, there’s a nonzero chance that something introduced from a trusted partner might be compromised and subsequently end up compromising you. Volt Typhoon more than justifies that unease. Publicly identified by… Read more

5/2/2025
The Cyber Resilience Act: A Guide for Manufacturers

Introduction The Cyber Resilience Act (CRA) entered into force on 10 December 2024. While its main tenets will not apply until 11 December 2027, the reporting requirements will take effect earlier, starting on 11 September 2026. Though the CRA introduces mandatory cybersecurity requirements for both manufacturers and retailers, this blog will specifically address manufacturers and… Read more

4/18/2025
Inside RansomHub: Anatomy of an OT-Focused Operation

RansomHub operates like a well-oiled machine, recruiting affiliates (the cybercriminals that do the dirty work of launching attacks) and providing them with their ransomware payloads for both Linux and Windows endpoints. Their true innovation, however, lies in their multi-level access intended to attract various levels of cybercriminals, ranging from low-skilled newer entrants to the scene… Read more

4/11/2025
Revisiting Threats to Food & Beverage Cybersecurity

Introduction Cyberattacks on the food and beverage (F&B) manufacturing sector have surged, mirroring trends seen across industrial control systems (ICS) and critical infrastructure. In recent years, F&B processors around the world have faced an array of cyber threats – from ransomware crippling production lines to hackers breaching industrial controls in ways that could threaten consumer… Read more

4/2/2025
What is Virtual Patching? Applications and Best-Practices

What is Virtual Patching? Virtual patching is a vulnerability-shielding tactic that protects assets by implementing layers of security policies and rules. These layered security measures prevent and intercept an exploit from taking network paths to and from a vulnerability. Virtual patching acts as an effective safety measure against threats that exploit known and unknown vulnerabilities… Read more

3/13/2025
TXOne Networks Recognized in 2025 Gartner Magic Quadrant for Cyber-Physical Systems Protection Platforms

By Dan Cartmill, Senior Director Global Product Marketing | TXOne Networks TXOne’s prevention-first approach to industrial cybersecurity receives validation in the first-ever Gartner evaluation of CPS security platforms. We are proud to announce that TXOne Networks has been recognized in the inaugural Gartner Magic Quadrant for Cyber-Physical Systems Protection Platforms, 2025. This milestone represents… Read more

3/6/2025
DigiEver: Fixes Sorely Needed

Author: Ta-Lun Yen, TXOne Research Recently, a botnet cheekily named “Hail Cock” has been spotted by Akamai SIRT, using one of two bugs I discovered a while ago. I am publishing this blog post as this bug has since been exploited in the wild, despite it having been found and reported back in July 2023.… Read more

1/23/2025
VPN Gremlin: User Impersonation Attack in Multiple SSL VPNs – Part 2

In our previous episode, we covered a series of attacks that bypass firewall/routing rules on multiple SSL VPNs. In this article, we will dive deeper into the vulnerability details and explore how SSL VPN works in general. Lastly, we will provide our open-source tools for deeper investigation into SSL VPN tunneling protocols. Anatomy of… Read more

11/8/2024
Comprehensive Guide to NERC CIP Compliance: Ensuring Cybersecurity in the Energy Sector

Introduction to NERC CIP The NERC Critical Infrastructure Protection (CIP), currently in its fifth iteration, is a mandatory standard that covers access control, personnel safety, physical security, network security incident response, and disaster recovery for large-scale power systems. These systems are part of the Bulk Electric System (BES), typically operating at 100 kV or higher… Read more

10/25/2024
Essential Cybersecurity Practices for Protecting Cyber-Physical Systems in the Automotive Industry

Introduction The automotive industry is undergoing a rapid digital transformation driven by the integration of advanced technologies. According to Rockwell’s 2024 report “State of Smart Manufacturing: Automotive Edition,” at least 81% of respondents have adopted or plan to adopt network hardware, industrial computers, and connected devices such as sensors and actuators. Additionally, in recent years,… Read more

10/15/2024
Defense Strategies for CISOs: Strengthening Cybersecurity in Pharma Manufacturing

Introduction Innovation in new drugs, treatments, and therapies is crucial. Consequently, research and development (R&D) data has become a high-value target for cybercriminals. The most representative example is the rollout of COVID-19 vaccines and other breakthroughs in life sciences, which significantly increased the risks of cyberattack faced by the pharmaceutical industry. Attackers may attempt to… Read more

9/24/2024
Unmasking Ransomware: Key Challenges and Strategic Responses in Critical Infrastructure Sectors – A Mid-2024 Review

Introduction Since 2015, ransomware attacks have become a significant threat that organizations and enterprises cannot afford to ignore, especially as critical infrastructure sectors (CI) increasingly embrace digitalization. Due to IT and OT convergence, even OT environments have become targets for ransomware groups. In 2023, ransomware attacks were the most frequent incidents faced by OT environments,… Read more

8/15/2024
Financial and Reputational Risks of Cyberattacks in Food Manufacturing

Companies in the food industry are seen as some of the most vulnerable potential victims of cyberattacks. This is due to a combination of legacy systems and modern technology being used throughout the supply chain, along with an absence of robust, industry-wide cybersecurity practices. In many cases, investment into cybersecurity measures is hard to justify… Read more

8/5/2024
Securing the Supply Chain: CMMC Essentials for Defense Contractors in OT Cybersecurity

Introduction Since September 2020, there have been several global supply chain attacks such as SolarWinds, Kaseya, NPM IconBurst, and Cyber Av3ngers Unitronics. Many of these incidents involved nation-state actors and resulted in significant disruptions and failures. In this threat landscape, the Department of Defense and critical infrastructure sectors have frequently and repeatedly come under attack,… Read more

7/31/2024
Safeguarding Cyber Physical Systems in the Field of Process Automation – an Interview with Valmet

Automation technologies are widely used in critical infrastructures to ensure continuous operation. Beyond productivity, cost, and accuracy, risk reduction is also a significant benefit. In the past, cybersecurity was not a major topic of discussion in these environments. This was largely because automated processes typically operated in isolated environments, separated from the Internet where attacks… Read more

7/22/2024
The Untold Secrets of HHS Section 405(d): The Hidden Crisis in Healthcare OT Systems

Background Modern healthcare institutions use digital technology to manage patient information, nursing services, medical testing, and even assist in medical surgeries. It is now common for medical staff to rely on IT and OT systems. However, any cyberattack on these IT or OT systems, essential for the daily operations of healthcare institutions, can affect the… Read more

7/19/2024
Cybersecurity in the Food Sector: How Cyberattacks Can Disrupt the Supply Chain

Cybersecurity in the food supply chain has become a major concern amid increasing attacks on companies like Dole, Mondelez, and Sysco. The food industry is one of the most important in the world, with any supply chain disruptions causing widespread harm, panic, and concerns about public safety. This risk has only increased with more technology… Read more

7/12/2024
Railroads at Risk of Remote Hijacking

Introduction It’s not an unusual plotline for Hollywood movies—our intrepid protagonists need to stop and hijack a train carrying high-value national organization or military assets and the audience is treated to an action scene of them carrying this out. It may sound fantastic, but such scenarios occur in real life too. Nation-state APT groups are… Read more

7/11/2024
Legacy Windows Systems in OT Environments: A Persistent Security Challenge

Introduction Within Operational Technology (OT) environments, legacy Windows systems remain a critical part of the infrastructure, presenting unique security challenges. For the purposes of this article, legacy Windows systems refer to those systems no longer receiving updates, patches, or direct support from the developer during their product lifecycle. Despite advancements in technology and the availability… Read more

7/5/2024
Understanding Cyber Threats in the Food Manufacturing Industry

The food and agriculture industry faced over 160 cyberattacks in 2023, causing supply chain disruptions worldwide. The food manufacturing industry is the seventh most attacked globally; the only reason this industry isn’t higher on the list is due to law enforcement intervention in 2023, intervention that led to crackdowns on some of the biggest ransomware… Read more

6/27/2024
Cyber Threats to the SECS/GEM Protocol in Smart Manufacturing

Understanding the SECS/GEM Protocol Semiconductors are an indispensable part of modern electronic products and are also a fundamental basis for the development of the AI industry. This industry is crucial for global economic growth, national security, and national . As the semiconductor industry transitions to Industry 4.0, the connection between production equipment and factory networks… Read more

6/21/2024
Strategies for Defense Against Fuxnet ICS Malware

Introduction According to recent cybersecurity media reports, a new destructive ICS malware named Fuxnet has been discovered. This incident is allegedly linked to the Blackjack hacker group, which is associated with Ukrainian security agencies. It involved a major attack on Moscollector, a Moscow-based company responsible for managing critical infrastructure such as water supply, sewage treatment,… Read more

5/29/2024
How IT Firewall Vulnerabilities Expose Industrial Systems to Cyberattacks

Introduction In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. A notable incident in 2024 involved the disclosure of five consecutive zero-day vulnerabilities in Ivanti Connect Secure, with some vulnerabilities being actively exploited to enable unauthorized remote code execution on affected devices, and even weaponized by nation-state actors.… Read more

5/24/2024
Mastering the New Machinery Regulation and CRA in the EU: A Compliance Guide for Manufacturers

The Imperative of Cybersecurity for Machine Builders Understanding the Regulation (EU) 2023/1230 On June 29, 2023, the European Parliament and the Council of the European Union announced Regulation (EU) 2023/1230, which will replace the existing Machinery Directive 2006/42/EC. This updated regulation revises the product scope and conformity assessment procedures originally covered by Directive 2006/42/EC. Products… Read more

5/21/2024
Enhancing HMI Security: How to Protect ICS Environments from Cyber Threats

The Importance of HMI Security in OT Environments HMIs (Human Machine Interfaces) can be broadly defined as just about anything that allows humans to interface with their machines, and so are found throughout the technical world. In OT environments, operators use various HMIs to interact with industrial control systems in order to direct and monitor… Read more

4/19/2024
The Ultimate Guide to PLC Cybersecurity

PLCs Can Leave OT Networks Vulnerable to Attack In today’s OT threat environment, PLCs — Programmable Logic Controllers — have become one more attack surface for threat actors looking for easy entry points to industrial facilities. PLCs are inviting targets for a number of reasons, including the fact that many have been in service for… Read more

4/19/2024
Protecting the Automotive Industry from APT Attacks in the Era of Industry 4.0

Introduction The automotive industry has long attracted cyber threat groups due to its expansive reach, encompassing vehicle manufacturing technologies and critical operational infrastructures. As one of the largest global industries, the automotive sector offers cybercriminals lucrative opportunities for espionage and financial gain. Our analysis, drawing on public sources from January 2023 to February 2024, identified… Read more

4/10/2024
VPN Gremlin: User Impersonation Attack in Multiple SSL VPNs – Part 1

Vulnerability Background SSL VPN (Secure Sockets Layer Virtual Private Network) is an essential technology for enterprises, allowing users to securely connect to internal networks over insecure networks such as the internet. This is crucial for maintaining cybersecurity as it enables employees to work from home or remotely. However, despite the security features SSL VPN… Read more

4/9/2024
How Cybolt Uses TXOne to Close Security Gaps

Cybolt is a “pure-play” cybersecurity firm and a TXOne Certified Partner that provides a broad range of cybersecurity services to clients throughout the Americas and is now expanding into European markets. Cybolt’s purpose is to “Identify, prevent, and neutralize risks to create spaces of trust.” “We provide managed security services as well as deskside services… Read more

3/29/2024
Cybersecurity Metrics: The Path to OT Security Maturity

Introduction In 2023, the cybersecurity challenges in the Operational Technology (OT) and Industrial Control Systems (ICS) landscape reached unprecedented levels. Ransomware, increasingly prevalent through new Ransomware-as-a-Service (RaaS) models, became a widespread and costly headache. While some might argue this exaggerates the risk, the growing demand for defenses is not overstated. 2024 continues to be a… Read more

3/20/2024
Surveying the Trends & Horizons in OT/ICS Cybersecurity

This article was originally published on SDM Magazine on Feb 28, 2024, written by Dr. Terence Liu, CEO of TXOne Networks. Cybersecurity challenges in the operational technology (OT) and industrial control system (ICS) domains achieved unprecedented levels in 2023. Ransomware — sometimes via new ransomware-as-a-service (RaaS) models — grew to be an increasingly prevalent… Read more

3/7/2024
Broadening Requirements for Defending Critical Infrastructure

This article was originally published on Manufacturing.net on Feb 29, 2024, written by Dr. Terence Liu, CEO of TXOne Networks. The current imbalance of OT/ICS regulations heightens risks for the entire sector. A lack of uniform mandatory regulations has led to dramatic disparities in cybersecurity practices across different industrial sectors. This discrepancy is especially… Read more

3/7/2024
Kutoa Deploys TXOne Networks to Serve Connected Organizations with Cyber-Physical Environments

Kutoa is a newly formed company whose purpose is to help clients with cyber-physical environments “build cybersecurity capacity”, as explained by Dave Cullen, one of their four founding partners. “Our approach is that we don’t have only ‘an OT environment to secure’, but rather, ‘a connected organization to serve.’” While they officially launched in January… Read more

3/1/2024
Fortifying the Future: How SEMI E187 and E188 Standards Elevate Cybersecurity in the Semiconductor Industry

Introduction The semiconductor industry, pivotal to technological advancement in the current digital transformation era, cannot afford to overlook its cybersecurity. A minor security lapse could lead to substantial losses, especially in this sector. To address this, SEMI has introduced two key standards: SEMI E187 and E188. These standards aim to enhance the cybersecurity of semiconductor… Read more

2/6/2024
Solving Problems and Taking Action to Protect ICS/OT Environments: The Armexa and TXOne Partnership

Jacob Marzloff is the co-founder and president of Armexa, an OT/ICS cybersecurity firm based in Houston, Texas, and a TXOne Certified Partner. Jacob grew up in southern Louisiana, where the oil, gas, and chemical industries are part of the landscape. He spent a lot of time around the plants, working different jobs and gathering irreplaceable… Read more

1/4/2024