351,655
CVEs Indexed
1,601
Actively Exploited
47,136
Critical Severity
171
KEV — No Patch
+34%
CVE Growth YoY
5.5yr
Avg KEV Age

Executive Summary

The industrial control system and operational technology security landscape reached a critical inflection point in 2026. This report analyzes 351,655 CVEs indexed by the BreachSpider platform — the most comprehensive ICS/OT vulnerability dataset available to the commercial market.

🚨 Critical Finding: CVE volume is accelerating — 26,964 new vulnerabilities published in the first 5 months of 2026 alone, a 34% increase over the same period in 2025. At current pace, 2026 will exceed 64,000 CVEs — a new record.
🚨 Critical Finding: 67% of actively exploited vulnerabilities are more than 3 years old. The average KEV vulnerability is 2,007 days old — 5.5 years. Attackers are winning with old weapons against unpatched infrastructure.
🚨 Critical Finding: 171 CISA KEV vulnerabilities have no available patch. Standard patch management cannot remediate these — compensating controls and virtual patches are the only path.
⚠ Warning: 78.3% of high and critical CVEs are network-exploitable — remote attackers require no physical access to your plant floor.

CVE Volume: The Acceleration Problem

CVE volume has grown 174% since 2017, with no sign of deceleration. The 2026 trajectory, if sustained, will set a new annual record.

YearCVEs PublishedYoY Change
201718,112
202019,213+1.6%
202226,425+20.4%
202440,589+31.3%
202549,575+22.1%
2026 (Jan–May)26,964+34% vs same period 2025

ICS/OT Vendor Vulnerability Analysis

The following covers eleven major ICS/OT vendors — the manufacturers whose products operate critical infrastructure globally.

VendorCVEsCriticalKEVAvg CVSSNet-Exploit Critical
Siemens5,283464506.97462
Rockwell Automation681140457.75137
Mitsubishi Electric2105607.7156
Honeywell1744867.7348
Bosch1172307.6422
Emerson912007.5320
Omron911407.4514
Yokogawa672007.9220

Rockwell Automation — Highest KEV Rate of Any ICS Vendor

With 45 KEV entries across 681 total CVEs, Rockwell Automation has a KEV rate of 6.6% — the highest of any major ICS vendor and 14x the global average of 0.46%. 1 in 15 Rockwell vulnerabilities is confirmed actively exploited. Average CVSS 7.75 — highest among all ICS vendors analyzed.

Siemens — Largest Absolute Attack Surface

5,283 CVEs — more than 7x the nearest ICS competitor. 462 of the 464 critical CVEs are network-exploitable. Siemens ranks 14th globally by CVE count, on par with Adobe and Cisco. Any organization running SIMATIC, SINEMA, SCALANCE, or WinCC should treat this as the highest priority remediation workstream.

CISA KEV: The Active Exploitation Crisis

KEV AgeCountPercentage
Published < 1 year ago16110.1%
Published 1–3 years ago35622.2%
Published > 3 years ago1,08467.7%

The average actively exploited vulnerability is 2,007 days old at the time of this analysis. The oldest KEV entry dates to 2002 — a 24-year-old vulnerability still being actively exploited in 2026.

Attack Surface: 78% Network-Exploitable

Among all high and critical CVEs (CVSS 7.0+): 132,321 (78.3%) require only network access. 33,304 (19.7%) require local access. Only 76 (0.04%) require physical presence. The assumption that physical perimeters protect OT is demonstrably false against this vulnerability landscape.

Top Weakness Classes in ICS/OT Context

CWEWeaknessHigh/Crit CVEs
CWE-89SQL Injection16,623
CWE-787Out-of-Bounds Write11,403
CWE-119Improper Memory Buffer Operations10,740
CWE-20Improper Input Validation6,458
CWE-78OS Command Injection5,095
CWE-22Path Traversal5,060

Recommendations

Immediate (0–30 days):

  1. Audit all 1,601 CISA KEV vulnerabilities against your asset inventory — confirmed active exploitation, start here
  2. Deploy virtual patches (Suricata/Snort) for the 171 KEV entries with no patch — network-level detection is the only compensating control
  3. Prioritize Rockwell Automation exposure — 6.6% KEV rate, highest CVSS of any ICS vendor
  4. Identify all network-accessible ICS assets — 78% of critical CVEs require only network access

Short-term (30–90 days):

  1. Implement continuous vulnerability monitoring — 26,964 new CVEs in 5 months makes manual tracking impossible
  2. Establish a vulnerability age policy — if CVEs age past 90 days without compensating controls, your program has a structural gap
  3. Assess Siemens SIMATIC, SCALANCE, SINEMA platforms — 462 network-exploitable critical CVEs
Monitor Your ICS/OT Exposure in Real Time

BreachSpider indexes all 351,655 CVEs with SAGE AI enrichment, virtual patches, and NERC-CIP mapping. Get alerted within 15 minutes of a new vulnerability affecting your vendors.

Search Free Now View Pricing

Methodology

Data sourced from NVD, CISA KEV catalog, Zero Day Initiative, and vendor PSIRT feeds. All CVE data normalized via the BreachSpider CPE pipeline. CVSS scores represent highest available version (v4 > v3.1 > v2). Analysis as of May 25, 2026.

SAGE (Sovereign AI Governance Engine) is a proprietary enrichment system developed by CITED Relevance LLC. USPTO Provisional Patent Application 64/015,948.