Iranian state-backed actors (IRGC-affiliated, CyberAv3ngers) are actively targeting internet-exposed Rockwell Automation and Allen-Bradley EtherNet/IP-enabled PLCs across U.S. critical infrastructure; CISA Advisory AA26-097a documents confirmed data extraction and control system manipulation. No single CVE is assigned: the campaign exploits structural weaknesses, including missing authentication (CWE-306), improper access control (CWE-284), and lack of code integrity verification (CWE-494), across 3,891 internet-facing devices identified in the U.S., which account for 74.6% of global exposure. No vendor patch is available, so mitigation is architecture-based: organizations must immediately block all inbound internet access to EtherNet/IP ports (TCP/UDP 44818, TCP 2222), isolate cellular-connected OT devices outside enterprise perimeter controls, and implement OT-aware IDS monitoring per NIST SP 800-82 and CISA AA26-097a guidance.
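
One way to verify the port-blocking mitigation from firewall or flow logs, as an added example (not from the advisory or any vendor): it separates allowed from denied flows that reach the EtherNet/IP ports on a PLC subnet from outside trusted networks. The log format, the subnets and the sample records are constructed assumptions.

```python
import csv
import ipaddress

# EtherNet/IP ports named in the advisory summary: TCP/UDP 44818 and TCP 2222.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("tcp", 2222)}

# Assumption: site addressing. Sources outside TRUSTED count as internet-origin.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical PLC subnet

# Constructed flow records: time,proto,src,dst,dport,action
SAMPLE_LOG = """\
2026-01-01T00:00:01Z,tcp,203.0.113.45,10.20.1.10,44818,allow
2026-01-01T00:00:02Z,tcp,10.5.0.8,10.20.1.10,44818,allow
2026-01-01T00:00:03Z,udp,198.51.100.7,10.20.1.11,44818,deny
2026-01-01T00:00:04Z,tcp,198.51.100.7,10.20.1.12,2222,allow
2026-01-01T00:00:05Z,tcp,203.0.113.45,10.20.1.10,443,allow
not,a,valid,record
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def find_enip_exposure(log_text):
    """Return (exposed, probes): allowed vs. denied internet-origin ENIP flows."""
    exposed, probes = [], []
    for row in csv.reader(log_text.splitlines()):
        try:
            ts, proto, src, dst, dport, action = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            key = (proto.lower(), int(dport))
        except ValueError:
            continue  # malformed line: skip rather than abort the audit
        if key not in ENIP_PORTS or not _in_any(dst_ip, OT_NETS):
            continue
        if _in_any(src_ip, TRUSTED):
            continue  # internal engineering traffic; out of scope for this check
        hit = {"time": ts, "src": src, "dst": dst, "proto": key[0], "port": key[1]}
        (exposed if action.strip().lower() == "allow" else probes).append(hit)
    return exposed, probes

if __name__ == "__main__":
    exposed, probes = find_enip_exposure(SAMPLE_LOG)
    for h in exposed:
        print("EXPOSED", h)
    for h in probes:
        print("blocked probe", h)
```

Any entry in the first list means an inbound path to a PLC is still open; entries in the second list show the block rule working and are useful input for IDS tuning.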