SEV3 — ElevatedCLOSEDCyber✓ Corroborated · 4 sources10d ago

Critical Cyber Alerts on StoneFly Storage and FUXA SCADA/HMI Systems — Colorado Springs

Two severity-10 sentinel alerts have fired in Colorado Springs targeting StoneFly Storage Concentrator and Frangoteam FUXA SCADA/HMI systems — both critical infrastructure components that could affect data availability and operational technology environments. Colorado Springs carries a meaningful knowledge-worker and back-office footprint (~60,000+ seats combined), and a compromise of storage or SCADA/HMI layers could disrupt site operations, data access, or building systems at affected facilities. There is no corroborating news coverage at this time, suggesting these may be automated vulnerability or exploitation alerts rather than confirmed breaches, but the maximum severity score warrants immediate validation with local IT/security teams.

Impact Summary

Two severity-10 sentinel alerts have fired in Colorado Springs targeting StoneFly Storage Concentrator and Frangoteam FUXA SCADA/HMI systems — both critical infrastructure components that could affect data availability and operational technology environments. Colorado Springs carries a meaningful knowledge-worker and back-office footprint (~60,000+ seats combined), and a compromise of storage or SCADA/HMI layers could disrupt site operations, data access, or building systems at affected facilities. There is no corroborating news coverage at this time, suggesting these may be automated vulnerability or exploitation alerts rather than confirmed breaches, but the maximum severity score warrants immediate validation with local IT/security teams.

Domain
Cyber
Region
Colorado Springs, US, US
Opened By
watchkeeper
Jul 1, 2026, 08:00 PM UTC
Validated By
auto
Jul 1, 2026, 08:00 PM UTC
Event Cluster
4 events
OVIX Score
10.0
Closed
watchkeeper-auto(resolved)
Jul 3, 2026, 10:30 PM UTC

Timeline7

Incident openedby watchkeeperJul 1, 2026, 08:00 PM UTC
Declared from 2 signals. OVIX 10. News 0. BPO 1. LLM-confirmed.
Severity validatedby autoJul 1, 2026, 08:00 PM UTC
Auto-validated: SEV3 per policy.
Note addedby watchkeeperJul 1, 2026, 08:01 PM UTC
External corroboration: corroborated (4 sources via Exa). cisa.gov, chemical-facility-security-news.blogspot.com, radar.offseq.com, socdefenders.ai
Note addedby watchkeeperJul 2, 2026, 02:30 AM UTC
Merged new cluster (2 signals, OVIX 10) — same domain, active <24h.
Note addedby watchkeeperJul 2, 2026, 10:30 AM UTC
Merged new cluster (2 signals, OVIX 10) — same domain, active <24h.
Revalidatedby watchkeeperJul 3, 2026, 08:30 PM UTC
Revalidated: 1 new signal(s) recorded, no material-clock advance (agents-019 §C). Next reval in 48h.
Incident closedby watchkeeperJul 3, 2026, 10:30 PM UTC
Auto-closed: no new material events within 36h for this incident.

Evidence / Why this?

Traced to source — read-onlyUpdated Jul 1, 08:01 PM UTC
Why declareddeclareHybrid
Incident declaration (deterministic floor + LLM relevance gate)v1
DECLARE when deterministicFloor AND (llm.declare OR acuteWeatherFloor) AND NOT aggregateTitle, and no open same-domain incident merges it. deterministicFloor = maxSeverity>=8 AND (newsScore>=1 OR bpoScore>=1 OR acuteWeatherFloor). acuteWeatherFloor = maxSeverity>=9 AND any signal is an acute severe-weather WARNING (tornado/severe-thunderstorm/flash-flood) — overrides the LLM footprint-based suppression. aggregateTitle (grab-bag "Multiple/Several/Various…") is refused (agents-019 §D). Asset-class deny (military/war-zone, WFM-37) suppresses earlier. cyberFloor disabled (agents-009 hotfix).
domain
cyber
regions
["Colorado Springs"]
bpo score
1
news score
0
llm declare
yes
max severity
10
signal count
2
llm rationale
Declaring true: dual Sev-10 alerts targeting distinct critical system types (storage concentrator and SCADA/HMI) in a region with substantial knowledge-worker and back-office operations density elevate this above routine CVE noise and warrant operations-leader awareness pending security team verification.
aggregate title
no
high confidence
no
acute weather floor
no
deterministic floor
yes
model claude-sonnet-4-6 · prompt watchkeeper-declare-2026-06
Why SEV3SEV3score 3Deterministic
Incident severity level (SEV1–SEV4) at declarationv1
Base: SEV2 if sev>=9 AND news>=2 AND bpo>=1; else SEV3 if sev>=8 AND (news>=1 OR bpo>=1); else SEV4. Acute severe-weather (agents-028): if sev>=9 floor to SEV3 (SEV2→SEV3); minor/transient watches+advisories drop SEV2/SEV3→SEV4. Single-event cap: any SEV2 caps to SEV3 absent sustained multi-day BPO-region corroboration (SEV2 promotion is human-gated via revalidation). score = numeric SEV (1=most severe … 4); SEV3/SEV4 auto-validate, SEV1/SEV2 require human validation.
domain
cyber
bpo score
1
news score
0
persistent
no
max severity
10
auto validated
yes
acute weather floor
no
Geo Provenance
Tiercentroid
Sourcegeo_density
Deterministic

Related Signals20

[Colorado Springs] cyber 10.0 — XZ Utils vulnerability impacting B&amp;R Productssentinel7d ago[Colorado Springs] cyber 10.0 — Gardyn IoT Hubsentinel7d ago[Colorado Springs] cyber 10.0 — Frangoteam FUXA SCADA/HMIsentinel8d ago[Colorado Springs] cyber 10.0 — CubeSpace CW0057 Reaction Wheelsentinel8d ago[Colorado Springs] cyber 10.0 — StoneFly Storage Concentratorsentinel8d ago[Colorado Springs] cyber 10.0 — Gardyn IoT Hubsentinel8d ago[Colorado Springs] cyber 10.0 — Gardyn IoT Hubsentinel8d ago[Colorado Springs] cyber 10.0 — XZ Utils vulnerability impacting B&amp;R Productssentinel8d ago[Colorado Springs] cyber 10.0 — Gardyn IoT Hubsentinel8d ago[Colorado Springs] cyber 10.0 — StoneFly Storage Concentratorsentinel8d ago[Colorado Springs] cyber 10.0 — XZ Utils vulnerability impacting B&amp;R Productssentinel8d ago[Colorado Springs] cyber 10.0 — CubeSpace CW0057 Reaction Wheelsentinel9d ago[Colorado Springs] cyber 10.0 — XZ Utils vulnerability impacting B&amp;R Productssentinel9d ago[Colorado Springs] cyber 10.0 — H.VIEW HV-500S6 IP Camerasentinel9d ago[Colorado Springs] cyber 10.0 — XZ Utils vulnerability impacting B&amp;R Productssentinel9d ago[Colorado Springs] cyber 10.0 — Daktronics Controller Firmwaresentinel9d ago[Colorado Springs] cyber 10.0 — H.VIEW HV-500S6 IP Camerasentinel9d ago[Colorado Springs] cyber 10.0 — EVoke Systems Charging Station Management Systemsentinel9d ago[Colorado Springs] cyber 10.0 — Horner Automation Cscapesentinel9d ago[Colorado Springs] cyber 10.0 — Frangoteam FUXA SCADA/HMIsentinel10d ago

External Corroboration

✓ Corroborated · 4 sourcesChecked Jul 1, 2026, 08:01 PM UTC
Frangoteam FUXA SCADA/HMI - ICS Advisories - CISAcisa.govJun 30, 2026, 08:01 PM UTCChemical Facility Security News: Review – 8 Advisories Published – 6-30-26chemical-facility-security-news.blogspot.comJul 1, 2026, 10:26 PM UTCCVE-2026-56413: CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection') in StoneFly Storage Concentrator - Live Threat Intelligence - Threat Radar | OffSeq.comradar.offseq.comJun 30, 2026, 10:50 PM UTCFrangoteam FUXA SCADA/HMI - SOC Defenderssocdefenders.aiJun 30, 2026, 11:01 PM UTC

Affected Regions

Colorado Springs