About:
RedLegg will occasionally publish notices on vulnerabilities or threats that surface outside the usual release schedule, to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
CISA and partner agencies warned on April 7, 2026 that Iranian-affiliated advanced persistent threat actors are actively targeting internet-facing operational technology devices, including Rockwell Automation and Allen-Bradley programmable logic controllers, across U.S. critical infrastructure. Affected sectors include Government Services and Facilities, Water and Wastewater Systems, and Energy.
This is confirmed real-world activity. The advisory states the activity has already led to PLC disruptions across several U.S. organizations, including operational disruption and financial loss caused by manipulation of project files and data displayed on HMI and SCADA systems.
The threat involves direct targeting of exposed operational technology assets rather than traditional enterprise entry points. Attackers are connecting directly to internet-accessible PLCs to gain access and are then interfering with the industrial processes those controllers run.
Observed impacts include manipulation of HMI and SCADA data, persistence on OT devices, and disruption of operational processes. This activity aligns with previously reported campaigns attributed to the Iranian-aligned group CyberAv3ngers, which has historically targeted industrial control systems and water infrastructure.
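Because the advisory's entry point is a PLC reachable from the internet, the first practical check is to find out whether any allowed inbound traffic from outside your network has reached EtherNet/IP ports on your Rockwell or Allen-Bradley controllers. The script below is an added example written for this bulletin; it is not code from CISA, Rockwell Automation or RedLegg. It assumes a simple key=value firewall or flow-log format (constructed sample records are embedded) and treats only RFC 1918, loopback and link-local addresses as internal; extend that list with your own public ranges before use. The ports it watches are the IANA-registered EtherNet/IP ports: TCP 44818 for explicit CIP messaging (tag reads and writes, project upload and download) and UDP 2222 for implicit I/O.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# EtherNet/IP (CIP) ports used by Rockwell Automation / Allen-Bradley PLCs.
# TCP 44818: explicit messaging (tag access, program upload/download).
# UDP 2222:  implicit (cyclic I/O) messaging.
ETHERNET_IP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Assumed "internal" address space: RFC 1918 plus loopback and link-local.
# Add your organisation's own public ranges here so their traffic is not flagged.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample log lines (assumed key=value format for this example).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# arbitrary internet sources; 10.20.30.7 stands in for a PLC.
SAMPLE_LOGS = """\
ts=2026-04-07T02:11:05Z action=allow proto=tcp src=203.0.113.45 dst=10.20.30.7 dport=44818
ts=2026-04-07T02:11:09Z action=allow proto=tcp src=10.20.30.12 dst=10.20.30.7 dport=44818
ts=2026-04-07T02:12:41Z action=allow proto=udp src=198.51.100.9 dst=10.20.30.7 dport=2222
ts=2026-04-07T02:13:02Z action=deny proto=tcp src=203.0.113.45 dst=10.20.30.7 dport=44818
ts=2026-04-07T02:14:55Z action=allow proto=tcp src=203.0.113.45 dst=10.20.30.8 dport=443
"""

LOG_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+action=(?P<action>\S+)\s+proto=(?P<proto>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def is_external(ip: str) -> bool:
    """True if the address falls outside every INTERNAL_NETWORKS range.

    Unparseable strings return False so a malformed log field never
    produces a false "internet source" alert on its own.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_exposed_plc_access(log_text: str) -> List[Dict[str, str]]:
    """Return allowed flows from external sources to EtherNet/IP ports.

    Each hit is evidence that a PLC is reachable from the internet, which is
    exactly the exposure the advisory warns about. Denied flows are skipped:
    they show scanning interest but not exposure.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; ignore rather than guess
        rec = m.groupdict()
        if rec["action"] != "allow":
            continue
        if (rec["proto"].lower(), int(rec["dport"])) not in ETHERNET_IP_PORTS:
            continue
        if not is_external(rec["src"]):
            continue
        hits.append(rec)
    return hits


def exposed_plcs(log_text: str) -> Dict[str, int]:
    """Count external EtherNet/IP hits per destination PLC, for triage ordering."""
    return dict(Counter(h["dst"] for h in find_exposed_plc_access(log_text)))


if __name__ == "__main__":
    for h in find_exposed_plc_access(SAMPLE_LOGS):
        print(f"{h['ts']} external {h['src']} -> PLC {h['dst']} {h['proto']}/{h['dport']}")
    print("exposed PLCs:", exposed_plcs(SAMPLE_LOGS))
```

Any destination this reports should be removed from direct internet reachability (firewall deny, or access only through a monitored jump host or VPN) and then reviewed for the integrity of its project file and the values it presents to HMI and SCADA, since the advisory reports those being manipulated after access.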
Primary advisory:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a