The Operational Technology Information Sharing and Analysis Center (OT-ISAC) released a comprehensive vulnerability advisory on April 20, 2026, identifying critical security flaws across a wide array of industrial control systems (ICS) and management platforms. The report consolidates multiple disclosures from April 2026, highlighting systemic risks in legacy field controllers, programmable logic controller (PLC) ecosystems, and industrial wireless infrastructure. According to the advisory, these vulnerabilities expose operational technology (OT) environments to unauthenticated access, protocol abuse, and credential compromise.
A significant portion of the advisory focuses on the BASControl20 controller, which is now classified as obsolete with no available security patches. OT-ISAC warned that this hardware remains in active use across various facilities, leaving them vulnerable to exploits that cannot be remediated through standard software updates. Additionally, the report identifies critical authorization bypass flaws in AVEVA pipeline simulation software. These vulnerabilities could allow unauthorized actors to circumvent security protocols and gain access to sensitive pipeline management functions.
The advisory also details security weaknesses in the engineering and management layers of industrial networks. Horner XL4 and XL7 devices utilizing Cscape software were found to have weak password protections, while Siemens industrial networking products exhibit vulnerabilities in their management-plane components. At the engineering workstation level, OT-ISAC identified flaws in Delta ASDA-Soft and the Mitsubishi GENESIS64 and ICONICS Suite. These weaknesses specifically target project workflows and historian data, potentially compromising the integrity of operational records and cached credentials.
Beyond core industrial hardware, the advisory highlights risks in OT-adjacent systems such as physical access controls. Vulnerabilities in Anviz CX2 Lite and CrossChex software demonstrate how physical security infrastructure can serve as an entry point for broader industrial network compromise. OT-ISAC noted that while there have been no confirmed reports of active exploitation at the time of publication, the potential operational impact is high. Risks include direct threats to process safety, the loss of data integrity in historian systems, and the degradation of operator training assurance.
To mitigate these risks, OT-ISAC recommends that industrial operators prioritize patching for all supported software and immediately isolate or replace unsupported legacy systems. The organization also emphasized the need for restricted network exposure and enhanced monitoring of management interfaces and remote-access pathways. The advisory stresses that the likelihood of exploitation is strongly correlated with the degree of network exposure and the age of the deployment, with threat activity expected to increase over the next 30 to 90 days as the details of these vulnerabilities become more widely known.