Home

Description

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

PUBLISHED Reserved 2026-03-12 | Published 2026-03-20 | Updated 2026-03-23 | Assigner icscert




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-290

Product status

Default status
unaffected

Any version before v8.5
affected

Credits

Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA. finder

References

www.automatedlogic.com/en/company/security-commitment/

www.cisa.gov/news-events/ics-advisories/icsa-26-078-08

github.com/...p/csaf_files/OT/white/2026/icsa-26-078-08.json

cve.org (CVE-2026-32666)

nvd.nist.gov (CVE-2026-32666)

Download JSON