ICS Patch Tuesday: Siemens, Schneider Electric, Rockwell and Five More Vendors Ship Critical Fixes

Introduction

Eight major industrial control system vendors released coordinated security advisories on April 15, 2026 as part of the monthly ICS Patch Tuesday cycle. Siemens alone published nine advisories covering authentication bypasses, privilege escalation, and remote code execution across its product lines. Rockwell Automation issued an urgent notice telling customers to disconnect programmable logic controllers from the internet immediately.

What Happened

Siemens led the pack with nine new advisories. The most critical is a high-severity authentication and authorization bypass in SINEC NMS (CVE-2026-25654, CVSS 8.8), the company's network management platform. An authenticated attacker can exploit the flaw to bypass authorization checks and reset arbitrary user passwords — effectively taking over administrative accounts. Other Siemens fixes address privilege escalation and code execution in Ruggedcom Crossbow, authorization bypass issues in Industrial Edge Management, and critical Wi-Fi vulnerabilities in Scalance W-700 wireless access points used in factory floor and harsh-environment deployments.

Schneider Electric published three advisories covering the impact of the BlastRadius vulnerability on Modicon Networking Managed Switches, medium-severity flaws in PowerChute Serial Shutdown UPS management software, and vulnerabilities in Easergy MiCOM Px40 protection relays used in electrical substation automation.

Rockwell Automation went beyond a standard patch notice by publishing an urgent advisory telling customers to disconnect all internet-facing PLCs immediately. The notice is believed to be connected to the ongoing Iran-linked campaign targeting internet-exposed operational technology across U.S. critical infrastructure, which CISA and the FBI have been tracking.

ABB issued four advisories addressing third-party component vulnerabilities in Ability Camera Connect, Ability Symphony, and System 800xA products, plus a denial-of-service flaw in the System 800xA and Symphony Plus IEC 61850 communication stack used in substation automation and power distribution.

Phoenix Contact patched multiple flaws in FL Switch managed switch products.

Mitsubishi Electric, Aveva, and Moxa also published advisories, rounding out the eight-vendor total, though the issues they cover were less severe.

Why It Matters

ICS and OT environments are notoriously slow to patch. Many run legacy firmware, operate on flat networks, and lack the testing infrastructure to validate updates before deployment. The Siemens SINEC NMS flaw is especially concerning — network management platforms are high-value targets because compromising one gives an attacker visibility and control over every managed device. The Rockwell "disconnect now" advisory signals that active threat actor campaigns are making the jump from IT reconnaissance to OT targeting.

The convergence of IT Patch Tuesday (Microsoft's 167-CVE drop) and ICS Patch Tuesday on the same day means operational teams are facing a massive patching load simultaneously across both their IT and OT estates.

Who Is Affected

  • Organizations running Siemens SINEC NMS (all versions before V4.0 SP3)
  • Facilities using Siemens Scalance W-700 wireless access points or Ruggedcom Crossbow
  • Schneider Electric customers with Modicon switches, PowerChute UPS software, or Easergy protection relays
  • Any Rockwell Automation customer with PLCs accessible from the internet
  • ABB System 800xA and Symphony Plus operators
  • Utilities, manufacturing plants, water treatment, energy, and transportation infrastructure operators

How to Protect Yourself

For Siemens SINEC NMS — upgrade to V4.0 SP3 or later. Until patched, restrict network access to the NMS web interface to trusted management VLANs only:

# Example: iptables rule on the NMS host to restrict web access
iptables -A INPUT -p tcp --dport 443 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

For Rockwell PLCs — follow Rockwell's directive and disconnect any PLC with a public IP immediately. Audit your asset inventory for devices with routes to the internet:

# TCP scan of the EtherNet/IP port only; -Pn skips host discovery, -n skips DNS lookups
nmap -n -Pn -p 44818 --open -oG - 10.0.0.0/8 | grep "44818/open"

Port 44818 is the default EtherNet/IP port for Rockwell controllers. Any device responding on this port that is reachable from outside your OT network needs immediate isolation.

For Schneider Modicon switches — apply the firmware update referenced in Schneider advisory SEVD-2026-105-01 and verify switches are segmented from IT networks.

General OT hygiene:

Verify that OT networks are properly segmented from IT and the internet:

# Check for unexpected routes between OT and IT subnets
ip route show | grep <OT_SUBNET>
traceroute <OT_DEVICE_IP>

Review firewall rules at the IT/OT boundary for any permissive rules that may have crept in:

iptables -L -n -v | grep -i accept
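
Listing ACCEPT rules does not show which rule actually decides a packet. iptables stops at the first match, so restrictions appended with -A (as in the SINEC NMS example above) do nothing if a broader ACCEPT already sits earlier in the chain. The following is an added example, not part of the original article or any vendor tooling: it replays first-match evaluation over `iptables -S INPUT` output. The ruleset and the probe address 192.0.2.50 are constructed, and the parser assumes single ports and no negated matches.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S INPUT` output from a hypothetical NMS host.
# A broad ACCEPT already sat in the chain before the two rules were appended.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.10.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
"""

def parse_rules(text, chain="INPUT"):
    """Return (policy, rules) for one chain. Assumes single ports, no '!' negation."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain]:
            opt = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                   if tok[i].startswith("-")}
            rules.append({"src": ipaddress.ip_network(opt.get("-s", "0.0.0.0/0")),
                          "proto": opt.get("-p"), "dport": opt.get("--dport"),
                          "target": opt.get("-j"), "text": line})
    return policy, rules

def verdict(text, src, dport, proto="tcp"):
    """First-match evaluation of one packet: returns (target, deciding rule)."""
    policy, rules = parse_rules(text)
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["target"] not in ("ACCEPT", "DROP", "REJECT"):
            continue  # jumps to user chains and LOG are out of scope here
        if r["proto"] in (None, proto) and r["dport"] in (None, str(dport)) \
                and addr in r["src"]:
            return r["target"], r["text"]
    return policy, "chain policy"

if __name__ == "__main__":
    # 192.0.2.50 stands in for any host outside the management VLAN.
    for port in (443, 44818):
        print(port, verdict(SAMPLE_RULES, "192.0.2.50", port))
```

On the sample, the untrusted source is accepted on 443 by the older broad rule, and on 44818 by the ACCEPT chain policy because no rule covers that port at all.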

Monitor ICS-CERT and vendor advisory pages for IOCs and detection signatures tied to the Iran-linked OT campaign that prompted Rockwell's disconnect notice.

Source