Industrial Router Attacks, CISA KEV Nomination Form, and Gas Station Vulnerabilities Highlight Diverse Threats
A new campaign targets industrial routers with default credentials, CISA opens KEV nominations to the public, and gas station systems remain exposed to unpatched flaws.
A wave of security incidents this week underscores the breadth of threats facing critical infrastructure and everyday systems. A new campaign is actively targeting industrial routers by exploiting default credentials, leading to network intrusions that could compromise operational technology environments. Separately, CISA has introduced a public nomination form for its Known Exploited Vulnerabilities (KEV) catalog, allowing researchers and vendors to directly submit vulnerabilities for inclusion. Meanwhile, gas station systems continue to be vulnerable to hacking due to unpatched flaws, and a vulnerability in Huawei routers reportedly triggered a telecom blackout.
The industrial router campaign highlights a persistent weakness in operational technology (OT) security: the use of default or weak credentials. Attackers are scanning for routers with factory-set usernames and passwords, gaining initial access to networks that often control critical processes in manufacturing, energy, and utilities. Once inside, they can move laterally, deploy ransomware, or exfiltrate sensitive data. This tactic is not new but remains effective because many organizations fail to change default credentials on network devices, especially in legacy or hard-to-reach OT environments.
CISA's new KEV nomination form marks a significant shift in vulnerability disclosure. Previously, the agency relied on its own analysis and reports from trusted partners to populate the catalog. Now, any researcher, vendor, or industry partner can submit a vulnerability for consideration, provided it meets the criteria of being actively exploited and having a clear remediation path. This crowdsourced approach aims to accelerate the identification and patching of exploited bugs, reducing the window of opportunity for attackers. The form is available on CISA's website and is expected to increase the volume and diversity of submissions.
Gas station systems remain a surprisingly soft target. Many point-of-sale (POS) systems and fuel pump controllers run outdated software with known vulnerabilities that are rarely patched. Attackers can remotely manipulate pump prices, steal payment card data, or even shut down operations. The exposure is widespread, affecting both independent stations and large chains. Security researchers have repeatedly demonstrated these flaws, but remediation lags due to cost concerns, lack of awareness, and the difficulty of updating embedded systems in the field.
A separate incident involving Huawei routers reportedly caused a telecom blackout, though details remain scarce. The vulnerability, which may have been exploited or triggered accidentally, disrupted services for a significant number of users. Huawei has not yet issued a public statement, but the event underscores the risks associated with widely deployed networking equipment from any vendor. Telecom providers are urged to audit their infrastructure for similar flaws and ensure that backup systems are in place.
Taken together, these stories illustrate the fragmented nature of cybersecurity risk. From industrial control systems to consumer-facing gas pumps, attackers are exploiting low-hanging fruit—default credentials, unpatched software, and slow disclosure processes. CISA's move to democratize KEV nominations is a positive step, but it will take concerted effort from vendors, operators, and regulators to close the gaps that leave critical systems exposed.