A critical vulnerability tracked as CVE-2026-45123 with a CVSS score of 9.8 has been disclosed in a widely-used industrial VPN appliance, exposing energy, manufacturing, and critical infrastructure organizations to unauthenticated remote code execution attacks.
The flaw allows remote attackers to execute arbitrary code with root privileges on affected devices without any authentication. Security researchers have identified over 15,000 exposed devices on Shodan, and exploitation attempts have already been detected in the wild.
Critical Infrastructure at Risk
Industrial VPN appliances are widely deployed in operational technology (OT) environments to provide remote access to industrial control systems (ICS), programmable logic controllers (PLCs), and other critical infrastructure components. The vulnerability undermines the security of these remote access gateways, potentially allowing attackers to pivot from IT networks into OT environments.
Energy sector organizations are particularly vulnerable, as these appliances commonly provide remote access to power grid management systems, pipeline monitoring equipment, and generation facility controls. Manufacturing firms face similar risks, with exposed VPN gateways providing potential entry points to production line management systems.
Active Exploitation
Threat intelligence teams have observed exploitation attempts targeting the vulnerability within days of public disclosure. Attackers are scanning for exposed devices and deploying webshells to maintain persistent access. Organizations with unpatched devices should treat them as compromised until proven otherwise.
Mitigation Steps
- Apply vendor patches immediately on all affected industrial VPN appliances
- Remove devices from public internet exposure where possible
- Implement network segmentation between IT and OT environments
- Deploy virtual patching through web application firewalls
- Monitor for unauthorized access to industrial VPN management interfaces
- Conduct forensic analysis on any exposed devices for signs of compromise
