<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Disclosures on north-echo</title><link>https://northecho.dev/disclosures/</link><description>Recent content in Disclosures on north-echo</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 13 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://northecho.dev/disclosures/index.xml" rel="self" type="application/rss+xml"/><item><title>OpENer GetAttributeList — Out-of-Bounds Read and Stack Response Overflow</title><link>https://northecho.dev/disclosures/vu-838758-opener-getattributelist/</link><pubDate>Mon, 13 Jul 2026 00:00:00 +0000</pubDate><guid>https://northecho.dev/disclosures/vu-838758-opener-getattributelist/</guid><description>An unauthenticated attacker can send a single crafted GetAttributeList request that reads past the request buffer and corrupts stack-based response assembly in OpENer, reaching a stack-disclosure primitive under ASAN.</description></item><item><title>OpENer SetAttributeSingle — Truncated Write Accepted and Applied to Live State</title><link>https://northecho.dev/disclosures/vu-982645-opener-setattributesingle/</link><pubDate>Mon, 13 Jul 2026 00:00:00 +0000</pubDate><guid>https://northecho.dev/disclosures/vu-982645-opener-setattributesingle/</guid><description>OpENer accepts SetAttributeSingle requests with zero- or partial-byte payloads, applies the truncated value to live device state, and reports success — an unauthenticated integrity bug that crash-oriented fuzzing can&amp;rsquo;t see.</description></item><item><title>Breaking Down the Substation: Four Vulnerabilities in Siemens SICAM S8000 (SSA-229470)</title><link>https://northecho.dev/disclosures/sicam-s8000-ssa-229470/</link><pubDate>Thu, 09 Jul 2026 00:00:00 +0000</pubDate><guid>https://northecho.dev/disclosures/sicam-s8000-ssa-229470/</guid><description>Four coordinated-disclosure vulnerabilities in Siemens SICAM S8000 — RBAC bypass, a firmware signature bypass, insecure OPC UA defaults, and a debug-interface DoS — fixed in V26.20 and published as SSA-229470.</description></item></channel></rss>