Iranian-affiliated actors exploited internet-exposed Rockwell PLCs across U.S. OT environments while CISA added Fortinet FortiClient EMS (CVE-2026-35616) to the Known Exploited Vulnerabilities catalog — both elevate near-term operational risk for Energy and federal IT sectors (2026-04-01 → 2026-04-07).
| ATTRIBUTE | VALUE |
|---|---|
| Risk Level | HIGH |
| Confidence | HIGH |
| Key Finding | Iranian-affiliated actors exploited internet-exposed PLCs; CISA added Fortinet FortiClient EMS (CVE-2026-35616) to KEV — both require immediate OT owner action. |
| Primary Action | Inventory and isolate internet-accessible PLCs; execute telemetry hunts for advisory-provided observables; apply KEV remediation per BOD 22-01. |
During 2026-04-01 → 2026-04-07, authoritative agency advisories converged on two urgent themes: (1) Iranian-affiliated actors exploiting internet-exposed PLCs with TTPs that include Dropbear SSH and project-file extraction; and (2) a CISA Known Exploited Vulnerabilities (KEV) addition (CVE-2026-35616) for Fortinet FortiClient EMS requiring mandatory remediation under BOD 22-01 for federal agencies.
→ Both items materially increase near-term operational risk to owners/operators of OT and widely deployed vendor products.
SCOPE AND METHODOLOGY
| SCOPE ITEM | DETAILS |
|---|---|
| Focus | U.S.-based threats and advisories affecting Telecommunications, Energy, and Transportation sectors |
| Time Period | 2026-04-01 → 2026-04-07 UTC |
| Sources | Threat intelligence feeds, government advisories, OSINT research, sector collection artifacts, vendor advisories |
| Methodology | Reviewed structured claims and synthesized analysis; validated findings against sector-specific collection artifacts and authoritative agency advisories |
KEY FINDINGS
| # | FINDING | EVIDENCE | RISK |
|---|---|---|---|
| 1 | CISA added CVE-2026-35616 (Fortinet FortiClient EMS) to the KEV catalog on 2026-04-06, requiring mandatory remediation under BOD 22-01. | CISA KEV advisory and cross-sector regulatory collection | HIGH |
| 2 | Joint Federal Advisory AA26-097A (FBI/CISA/NSA/DOE/EPA, 2026-04-07) documents Iranian-affiliated actors exploiting internet-exposed Rockwell/Allen-Bradley PLCs — TTPs include Dropbear SSH, remote engineering tool misuse, and project-file extraction. | Joint federal advisory and energy collection artifacts | HIGH |
| 3 | CISA revised ICS Advisory ICSA-25-037-02 for Schneider Electric EcoStruxure (CVE-2024-2658) on 2026-04-02, adding Transportation Systems as an affected sector. | CISA ICS advisory (Schneider) | MEDIUM |
| 4 | No confirmed U.S. telecommunications incidents identified during the 7-day window. | Telecom collection and authoritative sources | LOW |
| 5 | No confirmed U.S. transportation cyber-physical incidents; international GPS/AIS disruptions did not show authoritative U.S. impact. | Transportation collection and advisory searches | LOW |
Victim counts and scale of PLC intrusions remain unverified. Telemetry enrichment (netflow, firewall, VPN, EDR) and vendor PSIRT/CSIRT disclosures are required to strengthen confidence.
VULNERABILITIES
| CVE | CVSS | AFFECTED PRODUCT | EXPLOITATION | FIX / ACTION |
|---|---|---|---|---|
| CVE-2026-35616 | N/A | Fortinet FortiClient EMS | Added to CISA KEV 2026-04-06 | Follow BOD 22-01 timelines; coordinate testing for availability impact |
| CVE-2021-22681 | N/A | Rockwell Automation Logic Controllers | Historically exploited in PLC intrusions per joint advisory | Apply vendor mitigations and firmware updates where applicable |
| CVE-2024-2658 | 7.8 | Schneider Electric EcoStruxure | ICS advisory revised 2026-04-02; Transportation affected | Apply vendor mitigations/patch; validate operational continuity |
⚠ INDICATORS OF COMPROMISE (DEFANGED)
| TYPE | INDICATOR | CONTEXT | RISK |
|---|---|---|---|
| IP | 135.136.1[.]133 | Advisory-provided example IP for log-hunting; correlate before blocking | MED |
| IP Range | 185.82.73[.]162–185.82.73[.]171 | Advisory example cluster; correlate in telemetry before blocking | MED |
No validated malicious file hashes were published in-window by authoritative sources for U.S. incidents.
TELECOMMUNICATIONS
Key point: No confirmed U.S. telecom incidents in-window. Salt Typhoon and other China-nexus campaigns remain relevant but were not observed in the 7-day period.
Recommendation: Continue CVE monitoring for major vendors; plan coordinated remediation windows where Fortinet or other vendor updates are required.
ENERGY
Key point: Joint Federal Advisory AA26-097A is actionable — internet-exposed Rockwell PLCs were exploited, enabling project-file exfiltration and HMI/SCADA manipulation.
Immediate Actions: Inventory internet-accessible PLCs, block direct internet access or place them behind authenticated jump hosts, validate backups and physical mode switches, and hunt logs for Dropbear SSH activity and the advisory-provided IPs.
TRANSPORTATION
Key point: Transportation systems identified as affected by Schneider EcoStruxure (CVE-2024-2658). No confirmed U.S. cyber-physical incidents in-window.
Recommendation: Apply vendor mitigations for CVE-2024-2658 and perform integrity checks on affected OT components.
CROSS-SECTOR ANALYSIS
Shared exposure: Internet-exposed PLCs and widely deployed vendor management products are a cross-sector risk vector. Actor techniques (Dropbear SSH, remote engineering tool misuse, project-file extraction) are consistent across Energy, Water, and related OT environments.
Cascading risk: KEV-driven remediation and uncoordinated patching could produce availability impacts that ripple into telecom and transport operational channels. Coordinate maintenance windows to reduce this risk.
ADVISORY ALERTS
| ALERT | DATE | ACTION REQUIRED |
|---|---|---|
| CISA KEV — CVE-2026-35616 (Fortinet FortiClient EMS) | 2026-04-06 | Federal agencies must follow BOD 22-01 timelines; non-federal owners/operators should inventory and plan remediation/testing. |
| Joint Federal Advisory AA26-097A (PLC exploitation) | 2026-04-07 | Immediate OT hardening: remove internet exposure, validate backups, monitor failed ports, hunt for provided IP observables. |
| CISA ICS Advisory ICSA-25-037-02 (Schneider EcoStruxure) | 2026-04-02 | Apply vendor mitigations for CVE-2024-2658 and validate operational continuity for transportation systems. |
PRIORITY ACTIONS (WITH OWNERS)
1. Inventory and isolate internet-accessible PLCs and HMIs; block direct internet access or require authenticated jump hosts. — OT Engineering / Network Ops
2. Execute telemetry hunts for advisory-provided IPs and Dropbear SSH activity. — SOC / OT SOC
3. Apply KEV-mandated remediation for CVE-2026-35616 per BOD 22-01. — Patch Management / IT Ops
ADDITIONAL ACTIONS
1. Patch or apply vendor mitigations for Schneider EcoStruxure CVE-2024-2658 and validate system behavior.
2. Harden SSH and remote engineering endpoints: limit source IPs, enforce MFA, rotate keys, replace Dropbear where feasible.
DETECTION QUERIES
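As an added, constructed example (not from the advisory or from this brief's authors): a Python hunt that refangs the observables from the IOC table above, expands the 185.82.73[.]162–171 range, and flags connection records that originate from those IPs, reach the PLC ports the brief lists (44818, 2222, 102, 22, 502) from outside an assumed internal range, or carry a Dropbear SSH banner. The key=value log format and sample lines are constructed, and INTERNAL_NETS is an assumption to replace with the site's own OT address space.

```python
import ipaddress
import re
# Advisory observables as published in the IOC table above (defanged) and the PLC ports it names.
ADVISORY_IOCS = ["135.136.1[.]133", "185.82.73[.]162-185.82.73[.]171"]
PLC_PORTS = {44818, 2222, 102, 22, 502}
# Assumed internal OT address space (RFC 1918 here); substitute your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value export, quoted values allowed

def build_watchlist(iocs):
    # Refang, then expand single IPs and first-last ranges into ip_network objects.
    nets = []
    for ioc in iocs:
        ioc = ioc.replace("[.]", ".").replace("\u2013", "-")  # accept an en dash as range separator
        if "-" in ioc:
            lo, hi = (ipaddress.ip_address(p) for p in ioc.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(ioc))
    return nets

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def hunt(lines, iocs=ADVISORY_IOCS):
    # Flag advisory IPs, PLC-port flows from outside INTERNAL_NETS, and Dropbear banners (denied flows too).
    watch, hits = build_watchlist(iocs), []
    for line in lines:
        f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if not all(k in f for k in ("src", "dst", "dport")):
            continue  # not a connection record
        dport, reasons = int(f["dport"]), []
        if in_nets(f["src"], watch):
            reasons.append("advisory-ip")
        if dport in PLC_PORTS and not in_nets(f["src"], INTERNAL_NETS):
            reasons.append("external-to-plc-port")
        if "dropbear" in f.get("banner", "").lower():
            reasons.append("dropbear-banner")
        if reasons:
            hits.append({"src": f["src"], "dst": f["dst"], "dport": dport, "reasons": reasons})
    return hits

# Constructed sample firewall export (not real telemetry); 198.51.100.9 is a documentation address.
SAMPLE_LOGS = [
    'ts=2026-04-03T02:14:07Z src=185.82.73.165 dst=10.20.30.5 dport=44818 action=allow',
    'ts=2026-04-03T02:15:11Z src=10.20.30.7 dst=10.20.30.5 dport=44818 action=allow',
    'ts=2026-04-03T02:16:40Z src=198.51.100.9 dst=10.20.30.5 dport=2222 action=allow banner="SSH-2.0-dropbear_2022.83"',
    'ts=2026-04-03T02:17:02Z src=135.136.1.133 dst=10.20.30.9 dport=443 action=deny',
    'ts=2026-04-03T02:18:55Z src=185.82.73.172 dst=10.20.30.5 dport=502 action=allow',
]
```

Hits on the advisory IPs are correlation leads, not block decisions, as the IOC table notes; the internal-to-internal engineering-station flow is deliberately not flagged, and the .172 source just outside the published range is flagged only for the exposed port.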
SOURCES
| SOURCE TYPE | DESCRIPTION |
|---|---|
| Gov Advisory | Joint Federal Advisory AA26-097A (FBI/CISA/NSA/DOE/EPA/US Cyber Command) — PLC exploitation (2026-04-07) |
| CISA KEV | CISA KEV entry for CVE-2026-35616 (Fortinet FortiClient EMS) — added 2026-04-06 |
| ICS Advisory | CISA ICS Advisory ICSA-25-037-02 (Schneider EcoStruxure, CVE-2024-2658) — revised 2026-04-02 |
| OSINT / Media | Corroborating coverage and vendor notes included in sector collection artifacts |
Supporting claims (recovered fragments; the start of each is missing from the page):
- … .ACD project files, and targeting of ports 44818, 2222, 102, 22, and 502. HIGH (source: Joint Federal Advisory AA26-097A / Energy Collection Notes)
- … 135[.]136[.]11[.]33 and ranges in 185[.]82[.]73[.]x) for log-hunting and investigative use. MEDIUM (source: Joint Federal Advisory AA26-097A)

Generated by Protos AI · TLP:CLEAR · Weekly Brief #20 · 2026-04-07