SEV2 — MajorCLOSEDCyber✓ Corroborated · 3 sources10d ago

Critical Cyber Alerts: StoneFly Storage Concentrator and FUXA SCADA/HMI Vulnerabilities — Dallas-Fort Worth Operations Hub

Two Sev-10 sentinel alerts have fired in Dallas-Fort Worth targeting StoneFly Storage Concentrator and Frangoteam FUXA SCADA/HMI systems — both carrying maximum severity scores and representing distinct attack surfaces across storage infrastructure and industrial control/HMI layers. While no corroborating news coverage has emerged yet (suggesting these may be sensor-level detections rather than confirmed breaches), DFW hosts nearly 790,000 combined contact-center, back-office, and knowledge-worker seats, making any infrastructure-layer compromise operationally significant. Operations leaders should verify with IT/security whether affected systems are present in the environment, cross-reference with the active SimpleHelp RCE incident already open for DFW, and assess whether these alerts share lateral movement indicators or represent a broadening threat campaign.

Impact Summary

Two Sev-10 sentinel alerts have fired in Dallas-Fort Worth targeting StoneFly Storage Concentrator and Frangoteam FUXA SCADA/HMI systems — both carrying maximum severity scores and representing distinct attack surfaces across storage infrastructure and industrial control/HMI layers. While no corroborating news coverage has emerged yet (suggesting these may be sensor-level detections rather than confirmed breaches), DFW hosts nearly 790,000 combined contact-center, back-office, and knowledge-worker seats, making any infrastructure-layer compromise operationally significant. Operations leaders should verify with IT/security whether affected systems are present in the environment, cross-reference with the active SimpleHelp RCE incident already open for DFW, and assess whether these alerts share lateral movement indicators or represent a broadening threat campaign.

Domain
Cyber
Region
Dallas-Fort Worth, US, US
Opened By
watchkeeper
Jul 1, 2026, 08:00 PM UTC
Event Cluster
2 events
OVIX Score
10.0
Closed
watchkeeper-auto(resolved)
Jul 5, 2026, 08:30 PM UTC

Timeline6

Incident openedby watchkeeperJul 1, 2026, 08:00 PM UTC
Declared from 2 signals. OVIX 10. News 3. BPO 3. High-confidence (auto).
Note addedby watchkeeperJul 1, 2026, 08:00 PM UTC
External corroboration: corroborated (3 sources via Exa). chemical-facility-security-news.blogspot.com, radar.offseq.com, securityonline.info
Revalidatedby watchkeeperJul 2, 2026, 08:30 PM UTC
Revalidated: no new activity. Next reval in 24h.
Revalidatedby watchkeeperJul 3, 2026, 08:30 PM UTC
Revalidated: 1 new signal(s) recorded, no material-clock advance (agents-019 §C). Next reval in 24h.
Revalidatedby watchkeeperJul 4, 2026, 09:00 PM UTC
Revalidated: 1 new signal(s) recorded, no material-clock advance (agents-019 §C). Next reval in 24h.
Incident closedby watchkeeperJul 5, 2026, 08:30 PM UTC
Auto-closed: no new material events within 4d for this incident.

Evidence / Why this?

Traced to source — read-onlyUpdated Jul 1, 08:00 PM UTC
Why declareddeclareHybrid
Incident declaration (deterministic floor + LLM relevance gate)v1
DECLARE when deterministicFloor AND (llm.declare OR acuteWeatherFloor) AND NOT aggregateTitle, and no open same-domain incident merges it. deterministicFloor = maxSeverity>=8 AND (newsScore>=1 OR bpoScore>=1 OR acuteWeatherFloor). acuteWeatherFloor = maxSeverity>=9 AND any signal is an acute severe-weather WARNING (tornado/severe-thunderstorm/flash-flood) — overrides the LLM footprint-based suppression. aggregateTitle (grab-bag "Multiple/Several/Various…") is refused (agents-019 §D). Asset-class deny (military/war-zone, WFM-37) suppresses earlier. cyberFloor disabled (agents-009 hotfix).
domain
cyber
regions
["Dfw"]
bpo score
3
news score
3
llm declare
yes
max severity
10
signal count
2
llm rationale
Declaring true: DFW has one of the highest-density operations footprints in scope, both alerts carry maximum severity on distinct infrastructure components (storage and SCADA/HMI), and while unconfirmed by news, the combination of two Sev-10 signals in the same hub — alongside an already-open cyber incident — warrants escalation for verification rather than suppression.
aggregate title
no
high confidence
yes
acute weather floor
no
deterministic floor
yes
model claude-sonnet-4-6 · prompt watchkeeper-declare-2026-06
Why SEV2SEV2score 2Deterministic
Incident severity level (SEV1–SEV4) at declarationv1
Base: SEV2 if sev>=9 AND news>=2 AND bpo>=1; else SEV3 if sev>=8 AND (news>=1 OR bpo>=1); else SEV4. Acute severe-weather (agents-028): if sev>=9 floor to SEV3 (SEV2→SEV3); minor/transient watches+advisories drop SEV2/SEV3→SEV4. Single-event cap: any SEV2 caps to SEV3 absent sustained multi-day BPO-region corroboration (SEV2 promotion is human-gated via revalidation). score = numeric SEV (1=most severe … 4); SEV3/SEV4 auto-validate, SEV1/SEV2 require human validation.
domain
cyber
bpo score
3
news score
3
persistent
no
max severity
10
auto validated
no
acute weather floor
no
Geo Provenance
Tierapprox
Sourcenone
Deterministic

Related Signals20

[Dfw] cyber 10.0 — ST Engineering iDirect iQ-Series Terminalssentinel6d ago[Dfw] cyber 10.0 — OFFIS DCMTK Toolkitsentinel6d ago[Dfw] cyber 10.0 — XZ Utils vulnerability impacting B&R Productssentinel6d ago[Dfw] cyber 10.0 — Frangoteam FUXA SCADA/HMIsentinel6d ago[Dfw] cyber 10.0 — XZ Utils vulnerability impacting B&R Productssentinel6d ago[Dfw] cyber 10.0 — StoneFly Storage Concentratorsentinel6d ago[Dfw] cyber 10.0 — CubeSpace CW0057 Reaction Wheelsentinel7d ago[Dfw] cyber 10.0 — OFFIS DCMTK Toolkitsentinel7d ago[Dfw] cyber 10.0 — OFFIS DCMTK Toolkitsentinel7d ago[Dfw] cyber 10.0 — Gardyn IoT Hubsentinel7d ago[Dfw] cyber 10.0 — Frangoteam FUXA SCADA/HMIsentinel8d ago[Dfw] cyber 10.0 — CubeSpace CW0057 Reaction Wheelsentinel8d ago[Dfw] cyber 10.0 — StoneFly Storage Concentratorsentinel8d ago[Dfw] cyber 10.0 — Gardyn IoT Hubsentinel8d ago[Dfw] cyber 10.0 — StoneFly Storage Concentratorsentinel8d ago[Dfw] cyber 10.0 — Gardyn IoT Hubsentinel8d ago[Dfw] cyber 10.0 — StoneFly Storage Concentratorsentinel8d ago[Dfw] cyber 10.0 — CubeSpace CW0057 Reaction Wheelsentinel9d ago[Dfw] cyber 10.0 — XZ Utils vulnerability impacting B&R Productssentinel9d ago[Dfw] cyber 10.0 — H.VIEW HV-500S6 IP Camerasentinel9d ago

External Corroboration

✓ Corroborated · 3 sourcesChecked Jul 1, 2026, 08:00 PM UTC
Chemical Facility Security News: Review – 8 Advisories Published – 6-30-26chemical-facility-security-news.blogspot.comJul 1, 2026, 10:26 PM UTCCVE-2026-56415: CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection') in Stonefly Storage Concentrator - Live Threat Intelligence - Threat Radar | OffSeq.comradar.offseq.comJun 30, 2026, 10:40 PM UTCRockwell Automation Vulnerabilities: FactoryTalk, FLEX I/Osecurityonline.infoJun 19, 2026, 12:33 AM UTC

Affected Regions

Dfw