Cyber Centre Daily Advisory Digest — 2026-05-26 (2 advisories)
The Canadian Centre for Cyber Security issued two advisories concerning control systems. Moxa addressed multiple Linux kernel vulnerabilities (Copy Fail and Dirty Frag) across various product series, while ABB mitigated a concurrent connection handling issue in its PPT30 OPC-UA Server.
Authors: Canadian Centre for Cyber Security
- cve
- cve
- cve
- cve
Detection / HunterGoogle
What Happened
The Canadian Centre for Cyber Security released two security advisories regarding vulnerabilities in industrial control systems. The first affects multiple Moxa devices due to underlying Linux kernel flaws, and the second affects ABB's PPT30 Operating System due to issues handling concurrent connections. These vulnerabilities could potentially disrupt operations or compromise affected devices. Administrators should review the advisories and apply the recommended updates and mitigations to secure their systems.
Key Takeaways
- Moxa released updates for multiple product series to address Linux Kernel vulnerabilities (Copy Fail and Dirty Frag).
- ABB released mitigations for a concurrent connection handling vulnerability in the PPT30 OPC-UA Server.
- Users and administrators are encouraged to review the advisories and apply necessary updates and mitigations.
Affected Systems
- Moxa UC-1200A/2200A/3400A/4400A/8600A/8200 Series
- Moxa V1200/V3200/V3400 Series
- Moxa VM-1220 Series
- Moxa ioThinx 4530 Series
- Moxa AIG-302/AIG-502 Series
- Moxa BXP-A100/BXP-A101 Series
- Moxa DRP-A100 Series
- Moxa RKP-A110/RKP-C110 Series
- ABB PPT30 Operating System (versions prior to 1.8.0)
Vulnerabilities (CVEs)
- CVE-2026-31431
- CVE-2026-43284
- CVE-2026-43500
- CVE-2025-11482
Attack Chain
The advisory digest does not detail a specific attack chain. It highlights vulnerabilities in Moxa devices related to Linux kernel flaws (Copy Fail and Dirty Frag) and an issue in ABB's PPT30 OPC-UA Server regarding concurrent connection handling.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the advisory digest.
Detection Engineering Assessment
EDR Visibility: None — These are ICS/OT devices (Moxa, ABB) which typically do not support standard EDR agents. Network Visibility: Medium — Network monitoring tools could potentially detect anomalous concurrent connections to the ABB OPC-UA server or unusual traffic to Moxa devices. Detection Difficulty: Hard — Detecting exploitation of these specific vulnerabilities requires deep packet inspection of OT protocols and baseline anomaly detection in ICS environments.
Required Log Sources
- Network flow logs
- ICS/OT asset management logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous spikes in concurrent connection requests to ABB PPT30 OPC-UA servers, which may indicate exploitation attempts of CVE-2025-11482. | Network flow logs, OT IDS alerts | Exploitation | Medium |
Control Gaps
- Lack of OT-specific network monitoring
- Unpatched ICS firmware
Key Behavioral Indicators
- Anomalous concurrent connections to OPC-UA servers
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify all Moxa and ABB devices listed in the advisories within your OT environment.
- Apply the latest firmware updates provided by Moxa for affected device series.
- Implement the mitigations suggested by ABB for the PPT30 Operating System.
Infrastructure Hardening
- Ensure ICS/OT devices are segmented from corporate networks and the internet.
- Restrict access to OPC-UA servers to authorized IP addresses only.
User Protection
- N/A
Security Awareness
- Ensure OT administrators are subscribed to vendor security advisories for timely patching.