THE ICS Advisory ICSA-26-190-01, released on July 9, 2026, addresses a critical vulnerability in OpenPLC v3. This vulnerability (CVE-2026-14480) allows authenticated attackers to write arbitrary files to the filesystem, which can escalate to native code execution when certain compilation processes are triggered. The affected version is OpenPLC v3, which has a CVSS score of 9.9, classified as critical. Users are advised to upgrade to OpenPLC v4 as OpenPLC v3 is end-of-life and no longer receives updates.
CISA recommends minimizing network exposure of control systems, implementing secure remote access, and following cybersecurity best practices.