Alerts

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Tue, 14 Apr 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CISA — Mon, 13 Apr 26 12:00:00 +0000

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
CVE-2025-60710 Microsoft Windows Link Following Vulnerability
CVE-2026-21643 Fortinet SQL Injection Vulnerability
CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 08 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-1340 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Mon, 06 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-35616 - Fortinet FortiClient EMS Improper Access Control Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 02 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-3502 TrueConf Client Download of Code Without Integrity Check Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 01 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-5281 Google Dawn Use-After-Free Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Mon, 30 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-3055 Citrix NetScaler Out-of-Bounds Read Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Fri, 27 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 26 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-33634 Aqua Security Trivy Embedded Malicious Code Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 25 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-33017 Langflow Code Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA — Fri, 20 Mar 26 12:00:00 +0000

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-31277 Apple Multiple Products Buffer Overflow Vulnerability
CVE-2025-32432 Craft CMS Code Injection Vulnerability
CVE-2025-43510 Apple Multiple Products Improper Locking Vulnerability
CVE-2025-43520 Apple Multiple Products Classic Buffer Overflow Vulnerability
CVE-2025-54068 Laravel Livewire Code Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 19 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-20131 Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 18 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-20963 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 18 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-66376 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA — Wed, 18 Mar 26 12:00:00 +0000

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.¹ To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.

To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software:

Use principles of least privilege when designing administrative roles.
- Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
- Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
Configure access policies to require Multi Admin Approval in Microsoft Intune.
- Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.

Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:

Microsoft resources:
- For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune.
- For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval.
- For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security.
- For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune.
- For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.
CISA resources:
- For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Acknowledgements

Microsoft and Stryker contributed to this alert.

Notes

1 For updates from Stryker on the incident, see “Customer Updates: Stryker Network Disruption,” Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Mon, 16 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-47813 Wing FTP Server Information Disclosure Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Fri, 13 Mar 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-3909 Google Skia Out-of-Bounds Write Vulnerability
CVE-2026-3910 Google Chromium V8 Unspecified Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 11 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-68613 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds Three Known Exploited Vulnerabilities to Catalog

CISA — Mon, 09 Mar 26 12:00:00 +0000

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery
CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA — Thu, 05 Mar 26 12:00:00 +0000

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability
CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Tue, 03 Mar 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Wed, 25 Feb 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems

CISA — Wed, 25 Feb 26 12:00:00 +0000

The purpose of this Alert is to provide resources for organizations with Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, including Federal Civilian Executive Branch (FCEB) agencies, to address ongoing exploitation of multiple vulnerabilities. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 25, 2026. As a result of the malicious cyber activity and vulnerabilities involving Cisco SD-WAN systems, CISA has outlined requirements for FCEB agencies in Emergency Directive (ED) 26-03 to inventory Cisco SD-WAN systems, update them, and assess compromise.

CISA and partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems of organizations, globally. These actors have been observed exploiting a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access before escalating privileges using CVE-2022-20775 and establishing long-term persistence in Cisco SD-WAN systems.

CISA, National Security Agency (NSA), and international partners Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (Cyber Centre), New Zealand National Cyber Security Centre (NCSC-NZ), and United Kingdom National Cyber Security Centre (NCSC-UK), hereafter the “authoring organizations,” strongly urge network defenders to immediately 1) inventory all in-scope Cisco SD-WAN systems, 2) collect artifacts, including virtual snapshots and logs off of SD-WAN systems to support threat hunt activities, 3) fully patch Cisco SD-WAN systems with available updates, 4) hunt for evidence of compromise, and 5) concurrently review Cisco’s latest security advisories, Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability and Cisco Catalyst SD-WAN Vulnerabilities, and implement Cisco’s SD-WAN Hardening Guidance.¹

To address malicious activity involving vulnerable Cisco SD-WAN systems, CISA issued Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, which outlines requirements for FCEB agencies to inventory Cisco SD-WAN systems, update them, and assess compromise. Further, CISA released Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems to provide prescriptive actions for FCEB agencies.

Cisco’s Catalyst SD-WAN Hardening Guide recommends that network defenders address:

Network perimeter controls: Ensure control components are behind a firewall, isolate virtual private network (VPN) 512 interfaces, and use internet protocol (IP) blocks for manually provisioned edge IPs.
SD-WAN manager access: Replace the self-signed certificate for the web user interface.
Control and data plane security: Use pairwise keys.
Session timeout: Limit to the shortest period possible.
Logging: Forward to a remote syslog server.

CISA and the authoring organizations are providing the following resources: 

CISA: Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems
CISA: Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems
Cisco: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Cisco: Cisco Catalyst SD-WAN Vulnerabilities
Cisco: Cisco Catalyst SD-WAN Hardening Guide
ASD’s ACSC: Cisco SD-WAN Threat Hunt Guide, co-sealed by CISA, NSA, Cyber Centre, NCSC-NZ, and NCSC-UK. This guide, based on investigative data, supports network defenders’ detection of and response to the malicious actors’ threat activity

Acknowledgements

NSA, ASD’s ACSC, Cyber Centre, NCSC-NZ, and NCSC-UK contributed to this alert.

Disclaimer

Notes

1 Cisco Security, “Cisco Catalyst SD-WAN Hardening Guide,” last modified February 9, 2026, https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Tue, 24 Feb 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-25108 Soliton Systems K.K. FileZen OS Command Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Fri, 20 Feb 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability
CVE-2025-68461 RoundCube Webmail Cross-site Scripting Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Wed, 18 Feb 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2021-22175 GitLab Server-Side Request Forgery (SSRF) Vulnerability
CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA — Tue, 17 Feb 26 12:00:00 +0000

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2008-0015 Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
CVE-2020-7796 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2024-7694 TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
CVE-2026-2441 Google Chromium CSS Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Fri, 13 Feb 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-1731 BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA — Thu, 12 Feb 26 12:00:00 +0000

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2024-43468 Microsoft Configuration Manager SQL Injection Vulnerability
CVE-2025-15556 Notepad++ Download of Code Without Integrity Check Vulnerability
CVE-2025-40536 SolarWinds Web Help Desk Security Control Bypass Vulnerability
CVE-2026-20700 Apple Multiple Buffer Overflow Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps

CISA — Tue, 10 Feb 26 12:00:00 +0000

The purpose of this Alert is to amplify Poland’s Computer Emergency Response Team (CERT Polska’s) Energy Sector Incident Report published on Jan. 30, 2026, and highlight key mitigations for Energy Sector stakeholders.

In December 2025, a malicious cyber actor(s) targeted and compromised operational technology (OT) and industrial control systems (ICS) in Poland’s Energy Sector—specifically renewable energy plants, a combined heat and power plant, and a manufacturing sector company—in a cyber incident. The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT and ICS.

A malicious cyber actor(s) gained initial access in this incident through vulnerable internet-facing edge devices, subsequently deploying wiper malware and causing damage to remote terminal units (RTUs). The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued production, the system operator could not control or monitor them according to their intended design.¹

CERT Polska’s incident report highlights:

Vulnerable edge devices remain a prime target for threat actors.
- As indicated by CISA’s Binding Operational Directive (BOD) 26-02: Mitigating Risk From End-of-Support Edge Devices, end-of-support edge devices pose significant risks.
OT devices without firmware verification can be permanently damaged.
- Operators should prioritize updates that allow firmware verification when available; if updates are not immediately feasible, ensure that cyber incident response plans account for inoperative OT devices to mitigate prolonged outages.
Threat actors leveraged default credentials, a vulnerability not limited to specific vendors, to pivot onto the HMI and RTUs.
- Operators should immediately change default passwords and establish requirements for integrators or OT suppliers to enforce password changes in the future.

CISA and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (DOE CESER) urge OT asset owners and operators to review the following resources for more information about the malicious activity and mitigations:

CERT Polska’s Energy Sector Incident Report - 29 December 2025.
CISA’s joint fact sheet with FBI, EPA, and DOE Primary Mitigations to Reduce Cyber Threats to Operational Technology.
DOE’s Energy Threat Analysis Center’s threat advisories.

Acknowledgements

DOE CESER and CERT Polska contributed to this Alert.

Disclaimer

Notes

CERT Polska, “Energy Sector Incident Report - 29 December 2025,” Naukowa i Akademicka Sieć Komputerowa Poland, last modified January 30, 2026, https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/.