iot security

CISA on June 11, 2026, published an industrial control systems advisory for Naxclow IoT Platform products used worldwide, warning that Smart Doorbell X3, X Smart Home, V720, and ix cam versions are affected by critical vulnerabilities rated CVSS 9.8. The headline is not merely that another...

CISA published an industrial-control security advisory on June 11, 2026, warning that Yarbo’s Android and iOS mobile apps and cloud MQTT infrastructure exposed hard-coded credentials and weak authorization that could let attackers view fleet telemetry and potentially send robot commands. The...

CISA published ICS advisory ICSA-26-148-06 on May 28, 2026, warning that KMW CCTV security cameras are vulnerable to a critical unauthenticated password-reset flaw that can let a remote attacker set the administrator password to a known value and take over camera feeds and settings. The bug is...

Milesight Cameras are back in the security spotlight with a sprawling CISA advisory that ties five CVE families to a wide range of AIoT, LPR, and network camera product lines, many of them still running firmware branches that can be exploited for device crashes or full remote code execution...

Microsoft has recorded a new information‑disclosure vulnerability in Azure IoT Explorer that can expose sensitive data over the network when the tool's authentication checks for a critical function are missing or insufficient — the issue is tracked as CVE‑2026‑23662 and was published alongside...

Microsoft and independent trackers have logged a new information‑disclosure vulnerability affecting Azure IoT Explorer, tracked as CVE‑2026‑23661, that allows cleartext transmission of sensitive information and carries a high severity rating (CVSS 3.1 base score 7.5), creating an urgent...

A newly documented vulnerability affecting the Gardyn Home Kit family of smart indoor gardens puts a critical piece of device authentication — the Azure IoT Hub connection string — at risk by delivering it over an insecure HTTP channel, enabling straightforward Man‑in‑the‑Middle (MITM)...

EnOcean SmartServer IoT installations worldwide are being urged to update immediately after CISA published an advisory on February 19, 2026 identifying two serious vulnerabilities—CVE-2026-20761 and CVE-2026-22885—that affect SmartServer IoT releases up to and including 4.60.009. These flaws...

The problem turned out to be embarrassingly domestic: noisy, streaming smart‑TVs behaving like overenthusiastic network clients were triggering a series of router log entries — flagged as “Possible DNS rebind attack” — and causing intermittent Wi‑Fi dropouts across an otherwise healthy home...

The Azure IoT ecosystem has a new critical warning that demands immediate attention from IoT operators, cloud teams, and security practitioners: CVE-2024-21646 is a remotely exploitable vulnerability in the Azure uAMQP C library that can lead to remote code execution (RCE) on devices and...

Microsoft has assigned CVE‑2026‑21528 to an information disclosure vulnerability in Azure IoT Explorer — a client tool used to inspect and interact with devices attached to IoT Hubs — but the public advisory provides only a terse listing and a vendor “confidence” metadata entry rather than a...

A high-severity asuthorization bypass affecting Hubitat Elevation hubs — tracked as CVE-2026-1201 — was published in a CISA coordination notice on January 22, 2026; the issue allows a remote, authenticated user to escalate control beyond their authorized scope by manipulating client-side request...

YoSmart’s YoLink ecosystem has been the subject of a coordinated security disclosure: multiple vulnerabilities affecting the YoSmart cloud server, YoLink Smart Hub firmware, and the YoLink mobile application were reported and—per the vendor and independent researchers—have been addressed through...

CISA has added a high‑risk Sierra Wireless AirLink vulnerability, CVE‑2018‑4063, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation — a move that forces federal agencies to accelerate remediation under BOD 22‑01 and should prompt immediate action by any...

Microsoft’s Azure platform successfully detected and neutralized a record-breaking distributed denial-of-service (DDoS) attack in late October, a multi-vector assault that peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps) — the largest single cloud-based...

The recently published advisory for the Shelly Pro 4PM — tracked as CVE‑2025‑11243 — warns that a malformed JSON request to the device’s RPC endpoints can cause the internal JSON parser to over‑allocate memory, trigger a reboot, and produce a denial‑of‑service (DoS) condition; CISA’s advisory...

Brightpick Mission Control’s control-plane interfaces expose a cluster of high-risk flaws that let unauthenticated actors read secrets and directly manipulate robot orchestration — a dangerous combination for warehouses relying on autonomous picking fleets. Overview Brightpick AI’s warehouse...

CloudEdge users and administrators should treat a freshly publicized vulnerability affecting the CloudEdge mobile app and CloudEdge‑managed cameras as an urgent operational risk: the flaw permits remote attackers to harvest credentials and camera connection keys by abusing MQTT topic handling...

Two newly disclosed, high‑severity flaws in the Viessmann Vitogate 300 — tracked as CVE‑2025‑9494 and CVE‑2025‑9495 — expose widely deployed gateway devices to OS command injection and client‑side authentication bypass vulnerabilities, creating realistic paths to full device compromise for...

Daikin’s Security Gateway is affected by a critical pre‑authentication password‑reset flaw that lets an unauthenticated attacker reset device credentials to the factory default and take control of the appliance and any connected systems — the issue is tracked as CVE‑2025‑10127 and rated highly...