CVE-2026-20761
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior that allows remote attackers to send specially crafted LON IP-852 management messages, resulting in arbitrary OS command execution on the device.
Analysis
EnOcean SmartServer IoT versions 4.60.009 and earlier are vulnerable to unauthenticated remote command injection through maliciously crafted LON IP-852 management messages, enabling attackers to execute arbitrary OS commands with high privileges on affected devices. The vulnerability is reachable over the network, requires no user interaction, affects IoT deployments, and no patch is currently available.
Remediation
Within 24 hours: Identify and inventory all EnOcean SmartServer IoT deployments; isolate affected devices from untrusted networks if operationally feasible; enable detailed logging of LON IP-852 traffic.
Within 7 days: Implement network segmentation to restrict IP-852 management message access to authorized administrators only; deploy network-based detection signatures for malicious IP-852 payloads; establish incident response procedures. …
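One way to act on the inventory, logging and segmentation steps above, as an added example that is neither EnOcean's nor vuln.today's code: a checker that reads flow records and reports IP-852 traffic reaching a SmartServer IoT device from any host that is not an inventoried management station or a peer device. It assumes IP-852 runs on UDP port 1628 (the EIA-852 default), a CSV flow format of 'timestamp,src_ip,dst_ip,proto,dst_port', and constructed placeholder addresses.

```python
"""Report IP-852 flows to SmartServer IoT devices from unapproved sources (added
example, not vendor code). Assumes IP-852 on UDP 1628 (the EIA-852 default) and
flow records shaped 'timestamp,src_ip,dst_ip,proto,dst_port'; addresses constructed."""
import ipaddress

IP852_UDP_PORT = 1628  # assumed EIA-852 default data port
# Constructed inventory: SmartServer IoT devices and the admin subnet allowed to
# send them IP-852 management messages.
SMARTSERVERS = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.11")}
ADMIN_NETS = [ipaddress.ip_network("10.99.1.0/24")]

def parse_flow(line):
    """Parse one CSV flow record; return None for malformed lines."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)
    except ValueError:
        return None

def is_authorized(src):
    """Admin stations and peer SmartServers (IP-852 channel members) may send IP-852."""
    addr = ipaddress.ip_address(src)
    return addr in SMARTSERVERS or any(addr in net for net in ADMIN_NETS)

def find_unauthorized_ip852(lines):
    """Return (timestamp, src, dst) for each IP-852 flow to a SmartServer from an unapproved host."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records instead of aborting the sweep
        ts, src, dst, proto, dport = rec
        if proto == "udp" and dport == IP852_UDP_PORT and dst in SMARTSERVERS:
            if not is_authorized(src):
                alerts.append((ts, str(src), str(dst)))
    return alerts

SAMPLE_FLOWS = [  # constructed flow records for a dry run
    "2026-01-15T10:00:01Z,10.99.1.5,10.20.0.10,udp,1628",     # authorized admin
    "2026-01-15T10:00:07Z,203.0.113.44,10.20.0.10,udp,1628",  # unapproved source
    "2026-01-15T10:00:09Z,10.20.0.11,10.20.0.10,udp,1628",    # peer SmartServer
    "2026-01-15T10:00:12Z,203.0.113.44,10.20.0.10,tcp,443",   # not IP-852
    "garbage line",
]

if __name__ == "__main__":
    for ts, src, dst in find_unauthorized_ip852(SAMPLE_FLOWS):
        print(f"{ts} IP-852 from unapproved host {src} to {dst}")
```

Feed it the IP-852 flow logs enabled in the first step; every line it reports is a host that the segmentation step should have blocked.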