EUVD-2026-13861CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Description
WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.
Analysis
WebCTRL Premium Server systems contain an authentication bypass vulnerability arising from BACnet protocol's inherent lack of network layer authentication, compounded by WebCTRL's failure to implement additional validation. An attacker with network access can spoof BACnet packets targeting either the WebCTRL server or associated AutomatedLogic controllers, which will process the spoofed packets as legitimate traffic. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all WebCTRL Premium Server installations and assess network exposure. Within 7 days: Implement network segmentation to isolate BACnet traffic and restrict access to trusted systems only; enable detailed logging of BACnet communications. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today