SEV2 — MajorCLOSEDCyber✓ Corroborated · 4 sources10d ago

Critical Cyber Alerts: StoneFly Storage and FUXA SCADA/HMI Vulnerabilities Detected in Des Moines

Two simultaneous Severity 10 sentinel alerts have fired in Des Moines, targeting StoneFly Storage Concentrator and Frangoteam FUXA SCADA/HMI systems — both classes of infrastructure that could underpin data storage and operational technology controls within large knowledge-worker and contact-center environments. Des Moines carries a meaningful operations footprint (~55,950 knowledge-worker seats, ~22,410 back-office seats, ~11,270 contact-center seats), and while no corroborating news coverage exists, the co-occurrence of two max-severity alerts on distinct system types warrants verification that these vulnerabilities are not active on in-house or outsourced site infrastructure. Operations leaders should confirm with local IT/security whether either product is deployed at Des Moines sites and assess patching or isolation status immediately.

Impact Summary

Two simultaneous Severity 10 sentinel alerts have fired in Des Moines, targeting StoneFly Storage Concentrator and Frangoteam FUXA SCADA/HMI systems — both classes of infrastructure that could underpin data storage and operational technology controls within large knowledge-worker and contact-center environments. Des Moines carries a meaningful operations footprint (~55,950 knowledge-worker seats, ~22,410 back-office seats, ~11,270 contact-center seats), and while no corroborating news coverage exists, the co-occurrence of two max-severity alerts on distinct system types warrants verification that these vulnerabilities are not active on in-house or outsourced site infrastructure. Operations leaders should confirm with local IT/security whether either product is deployed at Des Moines sites and assess patching or isolation status immediately.

Domain
Cyber
Region
Des Moines, US, US
Opened By
watchkeeper
Jul 1, 2026, 08:00 PM UTC
Event Cluster
2 events
OVIX Score
10.0
Closed
watchkeeper-auto(resolved)
Jul 5, 2026, 08:30 PM UTC

Timeline6

Incident openedby watchkeeperJul 1, 2026, 08:00 PM UTC
Declared from 2 signals. OVIX 10. News 3. BPO 1. High-confidence (auto).
Note addedby watchkeeperJul 1, 2026, 08:00 PM UTC
External corroboration: corroborated (4 sources via Exa). cisa.gov, chemical-facility-security-news.blogspot.com, radar.offseq.com, cybernoz.com
Revalidatedby watchkeeperJul 2, 2026, 08:30 PM UTC
Revalidated: no new activity. Next reval in 24h.
Revalidatedby watchkeeperJul 3, 2026, 08:30 PM UTC
Revalidated: no new activity. Next reval in 24h.
Revalidatedby watchkeeperJul 4, 2026, 09:00 PM UTC
Revalidated: no new activity. Next reval in 24h.
Incident closedby watchkeeperJul 5, 2026, 08:30 PM UTC
Auto-closed: no new material events within 4d for this incident.

Evidence / Why this?

Traced to source — read-onlyUpdated Jul 1, 08:00 PM UTC
Why declareddeclareHybrid
Incident declaration (deterministic floor + LLM relevance gate)v1
DECLARE when deterministicFloor AND (llm.declare OR acuteWeatherFloor) AND NOT aggregateTitle, and no open same-domain incident merges it. deterministicFloor = maxSeverity>=8 AND (newsScore>=1 OR bpoScore>=1 OR acuteWeatherFloor). acuteWeatherFloor = maxSeverity>=9 AND any signal is an acute severe-weather WARNING (tornado/severe-thunderstorm/flash-flood) — overrides the LLM footprint-based suppression. aggregateTitle (grab-bag "Multiple/Several/Various…") is refused (agents-019 §D). Asset-class deny (military/war-zone, WFM-37) suppresses earlier. cyberFloor disabled (agents-009 hotfix).
domain
cyber
regions
["Des Moines"]
bpo score
1
news score
3
llm declare
yes
max severity
10
signal count
2
llm rationale
Declaring true: two concurrent Sev 10 alerts targeting distinct critical infrastructure product types (storage and SCADA/HMI) in a metro with a confirmed, material operations footprint exceed the noise threshold despite absent news coverage, and are not duplicative of any open incident.
aggregate title
no
high confidence
yes
acute weather floor
no
deterministic floor
yes
model claude-sonnet-4-6 · prompt watchkeeper-declare-2026-06
Why SEV2SEV2score 2Deterministic
Incident severity level (SEV1–SEV4) at declarationv1
Base: SEV2 if sev>=9 AND news>=2 AND bpo>=1; else SEV3 if sev>=8 AND (news>=1 OR bpo>=1); else SEV4. Acute severe-weather (agents-028): if sev>=9 floor to SEV3 (SEV2→SEV3); minor/transient watches+advisories drop SEV2/SEV3→SEV4. Single-event cap: any SEV2 caps to SEV3 absent sustained multi-day BPO-region corroboration (SEV2 promotion is human-gated via revalidation). score = numeric SEV (1=most severe … 4); SEV3/SEV4 auto-validate, SEV1/SEV2 require human validation.
domain
cyber
bpo score
1
news score
3
persistent
no
max severity
10
auto validated
no
acute weather floor
no
Geo Provenance
Tiercentroid
Sourcegeo_density
Deterministic

Related Signals20

[Des Moines] cyber 10.0 — ST Engineering iDirect iQ-Series Terminalssentinel6d ago[Des Moines] cyber 10.0 — OFFIS DCMTK Toolkitsentinel6d ago[Des Moines] cyber 10.0 — XZ Utils vulnerability impacting B&R Productssentinel6d ago[Des Moines] cyber 10.0 — Frangoteam FUXA SCADA/HMIsentinel6d ago[Des Moines] cyber 10.0 — XZ Utils vulnerability impacting B&R Productssentinel6d ago[Des Moines] cyber 10.0 — StoneFly Storage Concentratorsentinel6d ago[Des Moines] cyber 10.0 — OFFIS DCMTK Toolkitsentinel6d ago[Des Moines] cyber 10.0 — CubeSpace CW0057 Reaction Wheelsentinel7d ago[Des Moines] cyber 10.0 — OFFIS DCMTK Toolkitsentinel7d ago[Des Moines] cyber 10.0 — OFFIS DCMTK Toolkitsentinel7d ago[Des Moines] cyber 10.0 — OFFIS DCMTK Toolkitsentinel7d ago[Des Moines] cyber 10.0 — ST Engineering iDirect iQ-Series Terminalssentinel7d ago[Des Moines] cyber 10.0 — XZ Utils vulnerability impacting B&R Productssentinel7d ago[Des Moines] cyber 10.0 — Gardyn IoT Hubsentinel7d ago[Des Moines] cyber 10.0 — Frangoteam FUXA SCADA/HMIsentinel8d ago[Des Moines] cyber 10.0 — CubeSpace CW0057 Reaction Wheelsentinel8d ago[Des Moines] cyber 10.0 — StoneFly Storage Concentratorsentinel8d ago[Des Moines] cyber 10.0 — Gardyn IoT Hubsentinel8d ago[Des Moines] cyber 10.0 — StoneFly Storage Concentratorsentinel8d ago[Des Moines] cyber 10.0 — XZ Utils vulnerability impacting B&R Productssentinel8d ago

External Corroboration

✓ Corroborated · 4 sourcesChecked Jul 1, 2026, 08:00 PM UTC
Frangoteam FUXA SCADA/HMI - ICS Advisories - CISAcisa.govJun 30, 2026, 08:00 PM UTCChemical Facility Security News: Review – 8 Advisories Published – 6-30-26chemical-facility-security-news.blogspot.comJul 1, 2026, 10:26 PM UTCCVE-2026-56413: CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection') in StoneFly Storage Concentrator - Live Threat Intelligence - Threat Radar | OffSeq.comradar.offseq.comJun 30, 2026, 10:50 PM UTCRockwell Automation Patches Vulnerabilities in ICS Controllers and Software - Cybernozcybernoz.comJun 18, 2026, 05:20 AM UTC

Affected Regions

Des Moines