On June 30, CISA released eight industrial control systems advisories in a single day, covering products from Frangoteam's FUXA SCADA/HMI to Delta Electronics PLCs, Schneider Electric RTUs and data center controllers, and StoneFly storage systems, deployed across water, energy, and critical manufacturing. Read individually, each is routine vulnerability housekeeping. Read together, they are the same finding stated eight ways: the device trusts whoever can reach it.What did CISA actually find?
FUXA SCADA/HMI (ICSA-26-181-02, CVE-2026-13207). Versions 1.3.1 and prior contain an authentication bypass via dot-segment path normalization in the REST API. The router applies authentication middleware before normalizing paths, so a request to /api/./users slides past the check that protects /api/users. Three extra characters, and an unauthenticated attacker can read user accounts and role assignments in software running in critical manufacturing, energy, and water systems.
Delta Electronics DVP12SE (ICSA-26-181-07). The PLC exposes its Modbus TCP service with no authentication or access control. Any host that can reach the device can read and write coils, holding registers, operational memory, and relay states. That is direct, credential-free write access to process control.
StoneFly Storage Concentrator (ICSA-26-181-06). Multiple vulnerabilities allow attackers to execute arbitrary commands with root privileges, steal sensitive data, and impersonate legitimate users. Fixed in version 8.0.4.29.
The batch also covered Schneider Electric's EasyLogic T150 and Saitel DP RTU, Schneider's EcoStruxure IT Data Center Expert, and an XZ Utils vulnerability carried into B&R products.
Eight advisories, three critical sectors, one design flaw: the device trusts whoever can reach it.
Modbus dates to 1979. It was built for serial links inside a physically secured plant, where the network itself was the security boundary. There is no concept of identity in the protocol, because every device on the wire was assumed to be legitimate.
IT/OT convergence dissolved that isolation, but the trust assumption stayed behind. And the standard IT fix never made the journey. Certificates require CA connectivity, renewal cycles, and handshakes measured in hundreds of milliseconds, on devices with kilobytes of headroom that must respond in real time. PKI didn't fail in OT. It never arrived. The result is not a broken authentication layer, it is an absent one.
Patching FUXA fixes FUXA. It does nothing for the next product built on the same assumption, and CISA's advisory cadence makes clear there is always a next product. Meanwhile Delta's Modbus exposure isn't a bug in any meaningful sense. The protocol is working exactly as designed. There is no patch for a design that predates the idea of an adversary.
IEC 62443 points in the right direction with zones, conduits, and authenticated communication between them. But enforcing a conduit requires the very thing these devices lack: a way to verify who is on the other end of a connection.
The requirements are unforgiving. It must fit constrained devices, tolerate air-gapped and intermittent networks, add effectively zero latency, survive quantum attack, and run without a certificate authority or manual key handling.
This is what Autonomous Key Management™ was built for. AKM delivers encryption and independently verified sessions where PKI was never viable: a footprint under 100kb, handshakes under 1ms against PKI's 300–700ms, full air-gap capability, and quantum-resilient symmetric keys that refresh with every session. Every packet is verified without CA dependency, and no persistent credentials accumulate for an attacker to harvest. Applied to a device like the DVP12SE, “anyone who can reach it” becomes “only sessions that verify,” and IEC 62443 conduits become enforceable at the protocol layer.
The next advisory batch is already queued somewhere in a disclosure pipeline. The vendors will differ. The root cause won't, until the authentication layer OT never had finally ships with the traffic itself.
AKMSecure delivers a patented Autonomous Key Management™ protocol built to replace outdated PKI approaches with a dynamic, quantum-secure, air-gapped-capable architecture. Instead of relying on persistent credentials that can be stolen, reused, or abused, AKM enables independently verified sessions with no standing privileges left behind. The result is a model that better aligns with Zero Trust principles, reduces certificate-based risk, and supports resilient operations across enterprise IT, OT and Tactical Edge environments. Built to NSA-grade security standards and deployable as a lightweight SDK, AKMSecure helps organizations modernize trust at the protocol layer without rebuilding everything around it.