CVE-2025-14510 in ABB Ability OPTIMAX allows full authentication bypass when Azure Active Directory SSO is enabled, with no fix available for version 6.1 or 6.2 - part of a six-advisory ABB batch published 30 April 2026 affecting EU water and energy operators.
CVE-2025-14510 enables complete authentication bypass in ABB OPTIMAX systems using Azure AD integration, demonstrating cloud identity risks in OT environments.
Schneider Electric disclosed a CVSS 9.8 pre-authentication remote code execution flaw in Modicon M340 and M580 PLCs on 22 April. Working exploit code appeared seventy-two hours later. EU operators should patch within fourteen days, not on the ninety-day cycle that the NIS2 minimum language permits.
Q1 2026 NIS2 Article 21 audits across nine EU member states surfaced three implementation patterns: supply-chain flow-down versus technical validation, encryption-at-rest scope, and governance documentation depth. The divergences will narrow with ENISA Q4 guidance.
Siemens ProductCERT released the Q2 2026 firmware bundle for SIMATIC S7-1500 controllers, containing five CVEs from CVSS 5.4 to 8.2. None are pre-authentication remote code execution. Thirty-day deployment window with internet-reachable units prioritized.