Siemens, Schneider Electric, and Phoenix Contact Address Vulnerabilities in ICS and OT Products for June 2026 Patch Tuesday

ICS Patch Tuesday: Siemens, Schneider, Phoenix Contact Release Critical Advisories

HIGH
June 10, 2026
4m read
Industrial Control SystemsVulnerabilityPatch Management

Related Entities

Organizations

Siemens Schneider Electric Phoenix ContactCISA

Products & Tech

Siemens Sinec INSSiprotec 5WinCC Certificate ManagerSchneider PowerLogic P7EcoStruxure IT Data Center ExpertPhoenix Contact CHARX SEC-3xxx

CVE Identifiers

CVE-2025-15467
CRITICAL
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T0886Lateral Movement

Remote Services

T0829Impact

Inhibit Response Function

T0854Initial Access

Supply Chain Compromise

T0840Inhibit Response Function

Modify Control Logic

Full Report

Executive Summary

On June 10, 2026, major vendors of Industrial Control Systems (ICS) and Operational Technology (OT) released a series of security advisories as part of the monthly patch cycle. Siemens, Schneider Electric, and Phoenix Contact all issued patches for vulnerabilities affecting products used in critical infrastructure sectors like manufacturing, energy, and automotive. Siemens' updates were the most extensive, addressing multiple high-severity flaws in industrial networking software, protection relays, and a critical OpenSSL vulnerability impacting dozens of product families. Schneider Electric fixed issues in its power management and data center products, while Phoenix Contact patched a flaw in electric vehicle charging controllers. These coordinated disclosures underscore the increasing focus on securing the cyber-physical systems that underpin modern industry and the importance of timely patch management in OT environments.

Vulnerability Details

Key vulnerabilities addressed by the vendors include:

Siemens

Siemens released four advisories covering several vulnerabilities:

  • Sinec INS: Multiple flaws including authenticated command execution, information disclosure, privilege escalation, and password exposure in its industrial network services platform.
  • Siprotec 5: A denial-of-service (DoS) and potential code execution vulnerability in its widely used protection relays.
  • WinCC Certificate Manager: A sensitive information exposure weakness.
  • OpenSSL Vulnerability (CVE-2025-15467): A critical remote code execution flaw in the OpenSSL library that affects a vast range of Siemens products, including Scalance, Simatic, Sinamics, and Sinec devices.

Schneider Electric

Schneider Electric released three advisories:

  • PowerLogic P7 Series: Denial-of-service and command execution vulnerabilities.
  • EasyLogic T150 & Saitel DP RTU: Credential exposure issues in its Remote Terminal Unit and controller products.
  • EcoStruxure IT Data Center Expert: An information disclosure flaw.

Phoenix Contact

Phoenix Contact released one advisory:

  • CHARX SEC-3xxx: An unauthenticated log download vulnerability in the firmware of its charging controllers for electric vehicles.

Affected Systems

The list of affected products is extensive and spans multiple industries. Asset owners should consult the specific advisories from each vendor for a complete list of affected product models and versions.

  • Siemens: Sinec INS, Siprotec 5, WinCC, Scalance, Simatic, Sinamics, and more.
  • Schneider Electric: PowerLogic P7, EasyLogic T150, Saitel DP, EcoStruxure IT Data Center Expert.
  • Phoenix Contact: CHARX SEC-3xxx series charging controllers.

Impact Assessment

Vulnerabilities in ICS/OT products carry the risk of physical consequences. Successful exploitation could lead to:

  • Operational Disruption: A DoS attack against a protection relay (Siprotec 5) or RTU could cause a shutdown of an electrical substation or manufacturing process.
  • System Manipulation: Command execution flaws (PowerLogic P7, Sinec INS) could allow an attacker to alter the logic of industrial processes, leading to equipment damage, unsafe conditions, or production of faulty goods.
  • Information Theft: Flaws leading to information disclosure or log downloads could expose sensitive network configurations or operational data, enabling attackers to plan more sophisticated future attacks.
  • Loss of View/Control: Compromise of HMI systems like WinCC could prevent operators from monitoring or controlling the industrial process.

Cyber Observables — Hunting Hints

Security teams in OT environments should hunt for signs of exploitation:

Type
Network Traffic Pattern
Value
Unexpected network connections to or from engineering workstations or controllers.
Description
Look for protocols like SSH, FTP, or HTTP to devices that normally only use OT protocols.
Type
Log Source
Value
PLC/RTU Logs
Description
Monitor for unexplained logic changes, firmware updates, or mode changes (e.g., from 'Run' to 'Program').
Type
Process Name
Value
openssl.exe
Description
On Windows-based engineering workstations, look for abnormal usage of OpenSSL commands which might indicate exploitation attempts against CVE-2025-15467.
Type
Network Traffic Pattern
Value
Traffic patterns matching known exploits for OpenSSL.
Description
Use IDS/IPS signatures to detect attempts to exploit the OpenSSL flaw against vulnerable Siemens devices.

Detection Methods

  1. OT Asset Inventory: Maintain a detailed, up-to-date inventory of all OT assets, including firmware versions, to quickly identify which devices are affected by these advisories.
  2. OT Network Monitoring: Deploy an OT-aware network security monitoring solution that can passively analyze industrial protocols (e.g., S7, Modbus, DNP3) to detect anomalous commands or traffic patterns. This aligns with D3FEND's Network Traffic Analysis (D3-NTA).
  3. Vulnerability Scanning: Use passive or carefully managed active vulnerability scanners designed for OT environments to identify unpatched systems.

Remediation Steps

Patching in OT environments requires careful planning to avoid operational disruption.

  1. Risk-Based Patching: Assess the risk of each vulnerability in the context of your specific environment. Prioritize patching for devices that are internet-exposed or on the IT/OT boundary. Apply patches during scheduled maintenance windows. This is an application of D3FEND's Software Update (D3-SU).
  2. Network Segmentation: If patching is not immediately feasible, strengthen network segmentation as a compensating control. Use firewalls to restrict access to vulnerable devices, allowing only authorized systems to communicate with them. This is a critical use of D3FEND's Network Isolation (D3-NI).
  3. Vendor Guidance: Follow the specific mitigation advice provided in the advisories from Siemens, Schneider Electric, and Phoenix Contact. They may provide workarounds or configuration changes that can reduce risk until a patch can be applied.

Timeline of Events

1
June 10, 2026
Siemens, Schneider Electric, and Phoenix Contact release their June 2026 security advisories for ICS products.
2
June 10, 2026
This article was published

MITRE ATT&CK Mitigations

Network Segmentation

M0930ics

Implement strict network segmentation between IT and OT networks, and within the OT network itself, to limit the impact of a compromise.

Update Software

M0916ics

Apply vendor patches in a timely manner, following a risk-based approach and during planned maintenance windows.

Filter Network Traffic

M0937ics

Use firewalls to restrict communication to and from ICS devices to only what is required for normal operations.

D3FEND Defensive Countermeasures

Network Isolation

D3-NIMaps to MITREM1030
D3FEND

For OT environments, robust network segmentation is the most critical compensating control, especially when immediate patching isn't feasible. Asset owners should ensure that vulnerable devices like the Siemens Siprotec 5 relays or Schneider PowerLogic controllers are located in secure network segments, isolated from the corporate IT network by a properly configured firewall (an industrial DMZ). All traffic between IT and OT should be denied by default, with specific, narrow rules to allow only essential communication. This prevents an attacker who has compromised the IT network from easily pivoting to the OT environment to exploit these vulnerabilities.

Software Update

D3-SUMaps to MITREM1051
D3FEND

Asset owners must have a defined and practiced process for OT patch management. For the vulnerabilities disclosed by Siemens, Schneider, and Phoenix Contact, organizations should review the advisories, assess the risk to their specific operations, and schedule patching during the next available maintenance window. For the critical OpenSSL flaw (CVE-2025-15467) affecting numerous Siemens products, prioritization is key. Focus on devices at the network perimeter or those that are most critical to the industrial process first. A well-maintained asset inventory is crucial for quickly identifying all affected devices.

Network Traffic Analysis

D3-NTAMaps to MITREM1031
D3FEND

Deploy a passive OT security monitoring solution to gain visibility into the industrial network. These tools can identify vulnerable devices without active scanning and can detect exploitation attempts in real-time. For example, the tool could alert on anomalous commands sent to a Schneider RTU, unexpected firmware download attempts to a Phoenix Contact EV charger, or traffic patterns matching an exploit for the OpenSSL vulnerability targeting a Siemens device. This provides a crucial detection layer for threats that bypass perimeter defenses.

Timeline of Events

1
June 10, 2026

Siemens, Schneider Electric, and Phoenix Contact release their June 2026 security advisories for ICS products.

Sources & References

ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Phoenix Contact
SecurityWeek (securityweek.com) June 10, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

ICSOTPatch TuesdaySiemensSchneider ElectricVulnerabilityCritical Infrastructure

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.