On 28 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) published ICS Advisory ICSA-26-118-01 disclosing a vulnerability in NSA GRASSMARLIN across all versions. According to CISA's official notice, successful exploitation of this vulnerability could allow an attacker to disclose sensitive information.
GRASSMARLIN is a network visualization and analysis tool developed by the NSA specifically designed to identify and map industrial control system (ICS) devices and their communication patterns. It is widely deployed by critical infrastructure operators, network defenders, and government agencies to understand OT network topology and detect anomalous behavior.
The vulnerability affects the entire version line—no version is listed as patched. This universal scope indicates either a fundamental design flaw or a recently discovered attack vector that impacts core functionality. The fact that exploitation leads to information disclosure is significant: an attacker gaining access to GRASSMARLIN outputs could map critical infrastructure layouts, identify control systems, locate network weak points, and understand defender visibility gaps.
For infrastructure operators and network defenders, this creates a two-layer problem. First, GRASSMARLIN instances themselves become intelligence collection targets. Second, compromised analysis data could provide adversaries with detailed blueprints of your OT environment—the exact information defenders use to protect it.
CISA's advisory points to the full CSAF record for technical details and mitigation guidance. The single-day timestamp suggests this is a recently disclosed issue still in early tracking.
What to watch: Monitor CISA and NSA channels for patch availability and interim defensive measures. Organizations running GRASSMARLIN should review access controls, network segmentation around analysis tools, and whether sensitive topology data is being stored or transmitted insecurely. The disclosure itself may trigger reconnaissance activity from actors seeking to exploit unpatched instances before patches are released.
