No discrete CVE is assigned; the attack surface is architectural. Per CISA/FBI advisory AA26-097A, Iranian state-affiliated actors (MuddyWater) are actively exploiting internet-exposed Rockwell Automation PLCs through default or weak credentials and insecure internet exposure (CWE-306, CWE-668), deploying Dropbear SSH backdoors and manipulating SCADA display data. New threat tooling includes CastleRAT, ChainShell (blockchain-based C2), and Tsundere botnet malware. Organizations with internet-facing CompactLogix, Micro850, or Allen-Bradley PLCs should treat this as an active incident until internet exposure is confirmed eliminated and device integrity is verified.
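
A defensive triage check for the two conditions named above (a PLC reachable from outside the site, and a Dropbear SSH service answering on a PLC address), added here as an example and not taken from the advisory. The record format, `SITE_NETS`, `PLC_NETS` and every address are constructed assumptions; feed it your own flow or banner export.

```python
import ipaddress

# Assumptions: site-internal address space and the PLC subnet (hypothetical values).
# Explicit lists are used instead of ip.is_private, which also treats
# documentation ranges such as 198.51.100.0/24 as private.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PLC_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records: "src dst dport [service banner]"
SAMPLE = """\
198.51.100.7 10.20.0.11 44818
10.20.5.4 10.20.0.11 44818
203.0.113.9 10.20.0.12 22 SSH-2.0-dropbear_2022.83
10.20.5.4 10.20.0.13 22 SSH-2.0-OpenSSH_8.9
10.20.5.4 10.30.0.2 22 SSH-2.0-dropbear_2022.83
"""

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def audit(records):
    """Return sorted (plc_ip, port, finding) tuples for PLC-bound traffic."""
    findings = set()
    for line in records.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or not parts[2].isdigit():
            continue  # skip blank or malformed lines
        src, dst, dport = parts[0], parts[1], int(parts[2])
        banner = parts[3] if len(parts) == 4 else ""
        if not in_nets(dst, PLC_NETS):
            continue  # only PLC addresses are in scope
        if not in_nets(src, SITE_NETS):
            # Any session from outside the site means exposure is not eliminated.
            findings.add((dst, dport, "reachable-from-internet"))
        if banner.lower().startswith("ssh-2.0-dropbear"):
            # Dropbear answering on a PLC address matches the reported backdoor.
            findings.add((dst, dport, "dropbear-ssh-on-plc"))
    return sorted(findings)

if __name__ == "__main__":
    for plc, port, finding in audit(SAMPLE):
        print(f"{plc}:{port} {finding}")
```

A hit on either finding is a reason to isolate the device and verify its integrity, not proof of compromise on its own.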