IN a 5 February 2026 update, CISA has issued alerts for two critical infrastructure devices from Avation and RISS SRL, both suffering the same flaw and with the vendors silent on coordination requests. The advisories warn of high-severity vulnerabilities that could allow attackers to bypass security controls and take control or disrupt monitoring systems, effectively leaving the front door unlocked.
The most severe alert concerns the Avation Light Engine Pro (CVE-2026-1341) with a CVSS score of 9.8, described as exposing its configuration and control interface without any authentication or access control. The second alert targets the MOMA Seismic Station (CVE-2026-1632), which has a CVSS score of 9.1 and affects version v2.4.2520 and prior, noting that it also exposes its web management interface without requiring authentication.
In both cases, CISA notes that RISS SRL and Avation have not responded to requests for coordination, and the agency urges isolating these devices behind strict firewalls and VPNs. According to Cybersecurity and Infrastructure Security Agency (CISA).