Schneider Electric disclosed a CVSS 9.8 pre-authentication remote code execution flaw in Modicon M340 and M580 PLCs on 22 April. Working exploit code appeared seventy-two hours later. EU operators should patch within fourteen days, not the ninety-day cycle NIS2 minimum language permits.
Siemens ProductCERT released the Q2 2026 firmware bundle for SIMATIC S7-1500 controllers, containing five CVEs from CVSS 5.4 to 8.2. None are pre-authentication remote code execution. Thirty-day deployment window with internet-reachable units prioritized.