Fire detection system been pwned? You’re not going to sea
ID: ca44e0d6-273c-567c-bbe3-c7ab954a37ba
STIX ID: report--ca44e0d6-273c-567c-bbe3-c7ab954a37ba
Feed Name: Pen Test Partners Blog
Researchers report two critical vulnerabilities in Consilium Salwico CS5000 fire panels: CVE-2025-46352 (default high-privilege SSH account) and CVE-2025-41438 (hardcoded, non-changeable VNC password). These enable remote OS-level and UI control, potentially disabling fire detection and causing regulatory non-compliance. After attempts to disclose since 2022, Consilium initially refused to patch legacy systems predating IACS UR E27 but later issued a note promising an upgrade at the next scheduled service. The report advises isolating panels, restricting protocols (e.g., limiting SSH/SCP and VNC), hardening connected SMS components, and preparing operational contingency procedures.
