CVE-2026-1507
Published: 10 February 2026
Summary
CVE-2026-1507 is a high-severity Uncaught Exception (CWE-248) vulnerability in Cisa (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 19.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-1507 is a vulnerability stemming from an uncaught exception (CWE-248) in affected products, enabling an unauthenticated attacker to remotely crash core PI services and cause a denial-of-service condition. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high impact on availability with no requirements for privileges or user interaction.
An unauthenticated attacker can exploit this vulnerability over the network with low complexity, triggering the uncaught exception to crash core PI services. Successful exploitation results solely in a denial-of-service, disrupting service availability without compromising confidentiality or integrity.
For mitigation details, refer to the CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6714
Vulnerability details
The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of an uncaught exception to crash services matches Endpoint DoS via application exploitation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-11 requires proper error and exception handling to prevent uncaught exceptions from crashing core services as exploited in this CVE.
SC-5 provides denial-of-service protection to limit the effects of remote unauthenticated attacks that crash services, directly addressing the CVE's availability impact.
SI-2 ensures timely flaw remediation, including patching the specific uncaught exception vulnerability in affected products.