VYPR
Vypr IntelligenceAI-generatedMay 29, 2026· 9 CVEs

CISA CSAF Batch: Nine ICS Vulnerabilities Spanning Maritime, Medical, and Surveillance Gear

CISA published nine ICS advisories on May 29 covering hard-coded credentials, plaintext passwords, unauthenticated resets, and an XSS flaw across four industrial products from Danelec MacGregor, PUSR, CP Plus, KMW, and Fourth Frontier.

Key findings

  • Five CVEs target the Danelec MacGregor VDR G4e, all related to default, hard-coded, or poorly hashed credentials
  • PUSR USR-W610 converter ships with plaintext admin credentials in firmware (CVE-2026-7786, CVSS 9.8)
  • KMW CCTV cameras allow unauthenticated remote admin password reset (CVE-2026-5386, CVSS 9.1)
  • Fourth Frontier Frontier X2 wearable lacks BLE pairing auth, risking patient harm (CVE-2026-5768, CVSS 8.8)
  • CP Plus NVR has stored XSS that executes in admin browsers (CVE-2026-6824, CVSS 8.4)
  • All nine CVEs were published by CISA within a one-hour window on May 29, 2026

On May 29, 2026, CISA's Industrial Control Systems (ICS) team released a coordinated batch of nine advisories covering vulnerabilities across five distinct products from four vendors — a rare multi-vendor disclosure event that underscores the breadth of credential-management failures in operational technology. The advisories, published within a one-hour window, touch maritime voyage data recorders, industrial Wi-Fi serial converters, network video recorders, CCTV cameras, and a wearable medical heart monitor. The common thread: hard-coded or default credentials, plaintext password storage, and authentication bypass flaws that could give attackers full device control.

Danelec MacGregor Voyage Data Recorder G4e — Five CVEs

The largest single-product cluster targets the Danelec MacGregor Voyage Data Recorder (VDR) G4e, a maritime safety device used worldwide in the Transportation Systems sector. Five CVEs were disclosed together, all rooted in credential mismanagement:

  • CVE-2026-42941 (CVSS 8.3) and CVE-2026-42929 (CVSS 8.3) describe default and hard-coded credentials with no enforced password change, allowing an attacker to log in with known manufacturer-set passwords.
  • CVE-2026-44611 (CVSS 5.4) notes that passwords are stored using a hashing method that limits password length and is susceptible to brute-force attacks.
  • CVE-2026-42951 (CVSS 5.4) allows an authenticated user to download a device backup containing account data and password hashes.
  • CVE-2026-40425 (CVSS 5.7) lets an administrator directly edit authentication-sensitive files through the web interface, potentially changing the root password.

According to CISA's advisory ICSA-26-148-01, all versions of the VDR G4e prior to V5.250 are affected. Successful exploitation of any of these flaws could result in an attacker gaining administrator access to the device. The vendor, headquartered in Denmark, has deployed the VDR G4e worldwide across the maritime transportation sector.

Jinan USR IOT (PUSR) USR-W610 Converter — Plaintext Credentials in Firmware

CVE-2026-7786 (CVSS 9.8, Critical) affects the Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter running firmware version 7.03T.07. The device firmware contains plaintext administrative credentials embedded directly in the firmware image. An attacker who obtains the firmware can extract these credentials through static analysis and use them to authenticate to device services. As CISA notes in ICSA-26-148-02, successful exploitation could result in full administrator access to the device. The product is deployed worldwide in the Critical Manufacturing sector.

CP Plus 8 Ch. Network Video Recorder — Stored XSS

CVE-2026-6824 (CVSS 8.4, High) affects the CP Plus CP-UNR-108F1 8-channel Network Video Recorder (hardware V1.0, web V3.2.7.128806, system V4.001.00AT009.0.R). The vulnerability is a stored cross-site scripting (XSS) flaw caused by insufficient sanitization of user-supplied input in specific functional modules. An attacker can inject malicious scripts that are persistently stored on the device backend. When an administrator or authenticated user accesses the affected interface, the script executes in their browser, potentially compromising sessions, executing unauthorized actions, or exposing sensitive data. CISA's advisory ICSA-26-148-05 notes the device is used across Commercial Facilities, Government Services, Critical Manufacturing, Financial Services, and Transportation Systems sectors.

KMW CCTV Security Cameras — Unauthenticated Password Reset

CVE-2026-5386 (CVSS 9.1, Critical) affects KMW CCTV Security Camera models KM-IP521 (firmware IPCAM_V4.04.91.230307) and KM-IP421 (firmware IPCAM_V4.04.53.210416). The vulnerability allows an unauthenticated attacker to remotely reset the administrator password to a known value, granting full access to camera feeds and settings. CISA's advisory ICSA-26-148-06 warns that successful exploitation may grant full unauthorized access to camera feeds and settings. The Romanian-headquartered vendor's cameras are deployed worldwide across Commercial Facilities, Government Services, Critical Manufacturing, Financial Services, and Transportation Systems.

Fourth Frontier Frontier X2 — Unauthenticated BLE Control

CVE-2026-5768 (CVSS 8.8, High) affects the Fourth Frontier Frontier X2 wearable heart monitor and its companion mobile applications (Android versions prior to v15.0.0, iOS versions prior to v25.0.0). The device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. An attacker within BLE range can perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, and — critically — changing clinical readings. CISA's medical advisory ICSMA-26-148-01 warns this could lead to device control and patient harm. The product is deployed worldwide in the Healthcare and Public Health sector.

Response and Mitigations

CISA has published individual advisories for each product with specific mitigation guidance. For the Danelec MacGregor VDR G4e, users should update to version V5.250 or later. For the PUSR USR-W610, CISA recommends contacting the vendor for firmware updates. CP Plus users should apply the latest firmware from the manufacturer. KMW camera owners should contact KMW for patched firmware. Fourth Frontier has released Frontier X Android app v15.0.0 and iOS app v25.0.0 to address the BLE authentication gap; the Frontier X2 hardware itself remains at end-of-life with no firmware fix available, and CISA recommends discontinuing use.

Why This Batch Matters

This disclosure event is notable not for a single critical vulnerability but for the pattern it reveals: across maritime, manufacturing, surveillance, and healthcare sectors, the same fundamental credential and authentication failures persist. Default passwords, hard-coded credentials, plaintext storage, and missing authentication for critical functions are well-understood weaknesses, yet they continue to appear in new and deployed OT/IoT products. For asset owners in critical infrastructure, this batch serves as a reminder to audit all connected devices — not just the ones on the corporate network — for basic credential hygiene.

AI-written article. Grounded in 9 CVE records listed below.