This is what lands in subscriber inboxes every week.

• Authorize an out-of-cycle patch window for engineering workstations if your fleet runs the affected versions. The cost of the window is known; the cost of modified project files is not.
• Ask for your remote access inventory. The water-sector activity this week targeted VPN appliances and vendor remote access paths. If the inventory does not exist, that is the finding.
• Confirm your HMI exposure status. Four vendors' HMIs appeared in new internet-exposure scans this week. This is a five-minute Shodan check that prevents a board-level incident.

The week's most significant development is the continued shift of a tracked intrusion set toward water and wastewater utilities in North America. Activity observed this week consisted of credential harvesting against VPN portals and reconnaissance of vendor remote access paths rather than direct attacks on control systems. This matters because it matches the pre-positioning pattern documented in previous utility-sector campaigns: access is established quietly during a low-tension period and exercised later. Utilities in the 100 to 2,000 employee range remain the preferred target profile, precisely because they run the same control systems as major operators with a fraction of the security staffing.

In conjunction with this, the engineering workstation vulnerability disclosed this week changes the calculus for manufacturing and energy operators. Workstation-class vulnerabilities are disproportionately valuable to attackers because the workstation sits above the control logic: compromise it, and you inherit legitimate engineering authority over downstream PLCs. Based on the exploitation timelines of comparable disclosures, the window between public proof-of-concept and in-the-wild use has historically run two to four weeks. Plan accordingly.

The vulnerability allows an unauthenticated attacker with network reach to the workstation's project service to push modified project files. In an OT context this is not a data problem, it is a control problem: project files written outside change control become logic changes on downstream PLCs at the next deployment. The service binds to all interfaces by default, and in flat networks it is frequently reachable from the IT side.

• Patch: v4.7.2 resolves the issue. If your change process cannot absorb an out-of-cycle workstation patch this week, apply the compensating control below and schedule the patch for the next window.
• Compensating control: restrict 9600/tcp to the engineering VLAN at the OT firewall. The service has no legitimate cross-zone consumers in a properly segmented network.
• Verify: audit project file write events since 2026-06-04 against your maintenance calendar before declaring yourself clean.

The water-sector activity maps cleanly to MITRE ATT&CK for ICS. Observed techniques this week: T0822 (External Remote Services) for the VPN credential harvesting, T0846 (Remote System Discovery) once inside vendor access paths, and historical use of T0859 (Valid Accounts) for persistence in prior campaigns by the same set.

Subscriber issues include the full indicator set in copy-paste format with confidence ratings per indicator.