PatchSiren cyber security CVE debrief
CVE-2025-13926 Contemporary Controls CVE debrief
CVE-2025-13926 is a critical industrial-control-system issue affecting Contemporary Controls BASC 20T. CISA says an attacker who can observe network traffic may use that information to forge packets and make arbitrary requests to the device. The supplied CVSS v3.1 vector is 9.8/CRITICAL, with network attack, no privileges, no user interaction, and high confidentiality, integrity, and availability impact. The advisory also notes that BASC-20T is obsolete, so remediation is likely to rely heavily on containment and vendor guidance rather than a straightforward software update.
- Vendor
- Contemporary Controls
- Product
- BASControl20
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-09
- Original CVE updated
- 2026-04-09
- Advisory published
- 2026-04-09
- Advisory updated
- 2026-04-09
Who should care
OT/ICS operators using Contemporary Controls BASC-20T, industrial network defenders, site engineers, and incident responders responsible for segmented control environments.
Technical summary
The advisory describes a network-based attack path in which traffic sniffing can enable packet forgery and arbitrary requests against Contemporary Controls BASC 20T. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates no authentication or user interaction is required once the attacker has the needed network visibility or access. The remediation note in the source states that BASC-20T is obsolete and recommends contacting Contemporary Controls for more information.
Defensive priority
Immediate. Treat this as a critical OT exposure, especially if the device is reachable from broader enterprise networks or untrusted segments.
Recommended defensive actions
- Inventory where Contemporary Controls BASC-20T devices are deployed and identify any exposed network paths.
- Restrict and segment network access to the device; keep it off shared or untrusted network segments where feasible.
- Follow CISA ICS recommended practices and monitor for unusual requests or packet patterns on affected networks.
- Contact Contemporary Controls for product-specific guidance, as the advisory states BASC-20T is obsolete.
- Review compensating controls such as access restrictions, logging, and anomaly detection around the affected environment.
Evidence notes
Primary evidence comes from CISA CSAF advisory ICSA-26-099-01 (supplied as the source item). It states that an attacker may use data obtained by sniffing network traffic to forge packets and make arbitrary requests to Contemporary Controls BASC 20T, and it records the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The advisory remediations note that BASC-20T is an obsolete product and recommend contacting Contemporary Controls. The supplied references also include the official CISA advisory page, the official CVE record, and CISA ICS recommended-practices resources.
Official resources
-
CVE-2025-13926 CVE record
CVE.org
-
CVE-2025-13926 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory and the CVE record on 2026-04-09 UTC. The supplied SSVC note includes a timestamp of 2026-04-08T06:00:00Z, but the advisory publication date is 2026-04-09 UTC.