In a concerning update for the operational technology (OT) sector, the Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts for two distinct critical infrastructure devices where the vendors have gone silent. The advisories cover high-severity vulnerabilities in Avation’s Light Engine Pro and RISS SRL’s MOMA Seismic Station—both of which suffer from the same fatal flaw: leaving the front door completely unlocked.
The vulnerabilities allow attackers to walk right past security controls without a password, potentially causing physical disruption or blinding critical monitoring systems. To make matters worse, CISA reports that both vendors have failed to respond to coordination requests, leaving users in the dark.
The most severe alert concerns the Avation Light Engine Pro, a device used for advanced lighting control. Tracked as CVE-2026-1341, the vulnerability carries a critical CVSS score of 9.8.
The issue is a total lack of access control. The device “exposes its configuration and control interface without any authentication or access control,” effectively allowing anyone on the network to become an administrator.
The impact is absolute. As CISA states, “Successful exploitation of this vulnerability could allow an attacker to take full control of the device”. An attacker could theoretically manipulate lighting arrays, disrupt events, or disable the system entirely.
Despite the severity, a fix is nowhere to be found. The advisory notes that “Avation has not responded to CISA’s request to coordinate,” forcing the agency to simply encourage users to try contacting the vendor themselves.
The second alert targets the MOMA Seismic Station by RISS SRL, a specialized device used for monitoring ground vibrations and earthquakes. This vulnerability, CVE-2026-1632, has a CVSS score of 9.1 and affects versions v2.4.2520 and prior.
Like the Avation unit, this device “exposes its web management interface without requiring authentication”.
For a scientific instrument designed to record precise data, the risks are significant. CISA warns that this open access “could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device”. In a worst-case scenario, an attacker could trigger a “denial-of-service condition,” effectively blinding sensors during a seismic event.
Echoing the situation with Avation, “RISS SRL did not respond to CISA’s request for coordination”.
With no patches available, organizations using these devices are urged to isolate them behind strict firewalls and VPNs immediately. As these reports show, you cannot rely on the vendor to lock the door for you.