Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD, the only source for this CVE.
Description (CVE.org)
WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic, so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.
Analysis (AI)
WebCTRL Premium Server systems contain an authentication bypass vulnerability arising from the BACnet protocol's inherent lack of network layer authentication, compounded by WebCTRL's failure to implement additional validation. An attacker with network access can spoof BACnet packets targeting either the WebCTRL server or associated AutomatedLogic controllers, which will process the spoofed packets as legitimate traffic. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Attacker requires network access to WebCTRL systems using BACnet protocol communication. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) indicates a network-exploitable vulnerability with low attack complexity that requires no privileges or user interaction and has a high integrity impact. … |
| Exploit Scenario | An attacker who gains access to the building automation network segment (through compromised IT systems, rogue wireless access points, or physical network access) can craft spoofed BACnet packets with forged source addresses. These packets could send commands to AutomatedLogic controllers to manipulate HVAC, lighting, access control, or other building functions, causing physical disruption, safety hazards, or enabling further attack vectors such as forcing doors open or disabling environmental controls in sensitive areas. … |
| Remediation | Consult the ICS-CERT advisory ICSA-26-078-08 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 and Automated Logic's security commitment page at https://www.automatedlogic.com/en/company/security-commitment/ for official vendor guidance on patches or firmware updates. … |
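The assessment above notes that BACnet itself cannot tell a spoofed packet from a legitimate one, and the remediation row points to compensating controls. As an added example that is not part of this page, the advisory, or Automated Logic's software, the Python script below parses the BVLC/NPDU/APDU headers of BACnet/IP frames and flags state-changing confirmed requests (WriteProperty, ReinitializeDevice and similar) that arrive from a source IP outside an allowlist of known WebCTRL servers. The frames, IP addresses and allowlist are constructed for the example; the header layouts follow ASHRAE 135 (Annex J and clause 20). Because the sender is unauthenticated, a source-address allowlist only narrows the problem: a spoofed packet that forges an allowlisted IP passes this check, so the control is worth pairing with network segmentation and the vendor guidance.

```python
"""Allowlist-based detector for state-changing BACnet/IP requests.

Constructed example (not from the advisory or the vendor). Parses the
BVLC, NPDU and APDU headers of BACnet/IP frames and flags confirmed
requests that alter controller state when they come from a source IP
that is not a known WebCTRL server. Spoofed frames that forge an
allowlisted source IP are NOT caught by this check.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

BVLC_TYPE = 0x81
BVLC_FORWARDED_NPDU = 0x04
PDU_CONFIRMED_REQUEST = 0
PDU_UNCONFIRMED_REQUEST = 1

# Confirmed service choices that change controller state (ASHRAE 135 clause 21).
STATE_CHANGING_SERVICES = {
    0x0A: "createObject",
    0x0B: "deleteObject",
    0x0F: "writeProperty",
    0x10: "writePropertyMultiple",
    0x11: "deviceCommunicationControl",
    0x14: "reinitializeDevice",
}


@dataclass
class BacnetRequest:
    pdu_type: int
    service: int
    invoke_id: Optional[int]          # None for unconfirmed requests
    routed_from_snet: Optional[int]   # SNET when the NPDU carries a source network


def parse_bacnet_ip(frame: bytes) -> Optional[BacnetRequest]:
    """Return the request carried by a BACnet/IP frame, or None if it is not a request."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP frame")
    function = frame[1]
    if int.from_bytes(frame[2:4], "big") != len(frame):
        raise ValueError("BVLC length field does not match frame size")
    pos = 4
    if function == BVLC_FORWARDED_NPDU:
        pos += 6                      # original B/IP address: 4-byte IP + 2-byte port
    if frame[pos] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = frame[pos + 1]
    pos += 2
    if control & 0x80:                # network-layer message: no APDU follows
        return None
    has_dnet = bool(control & 0x20)
    has_snet = bool(control & 0x08)
    if has_dnet:
        pos += 3 + frame[pos + 2]     # DNET (2) + DLEN (1) + DADR (DLEN)
    snet = None
    if has_snet:
        snet = int.from_bytes(frame[pos:pos + 2], "big")
        pos += 3 + frame[pos + 2]     # SNET (2) + SLEN (1) + SADR (SLEN)
    if has_dnet:
        pos += 1                      # hop count
    apdu = frame[pos:]
    if not apdu:
        raise ValueError("empty APDU")
    pdu_type = apdu[0] >> 4
    if pdu_type == PDU_CONFIRMED_REQUEST:
        segmented = bool(apdu[0] & 0x08)
        service_index = 5 if segmented else 3   # sequence number and window precede the service
        return BacnetRequest(pdu_type, apdu[service_index], apdu[2], snet)
    if pdu_type == PDU_UNCONFIRMED_REQUEST:
        return BacnetRequest(pdu_type, apdu[1], None, snet)
    return None                       # ACKs, errors, rejects and aborts are responses


def detect_unexpected_writes(frames: Iterable[Tuple[str, bytes]], allowed_servers) -> List[str]:
    """One alert per state-changing confirmed request from a non-allowlisted source IP."""
    alerts = []
    for src_ip, frame in frames:
        req = parse_bacnet_ip(frame)
        if req is None or req.pdu_type != PDU_CONFIRMED_REQUEST:
            continue
        name = STATE_CHANGING_SERVICES.get(req.service)
        if name and src_ip not in allowed_servers:
            alerts.append(f"{src_ip}: {name} (invoke id {req.invoke_id}) from non-allowlisted source")
    return alerts


# Constructed frames built from the BVLC/NPDU/APDU layouts; not captured traffic.
# WriteProperty: analog-value,1 present-value := 72.0 at priority 8
WRITE_PV = bytes.fromhex("810A001A" "0104" "0005010F" "0C00800001" "1955" "3E4442900000" "3F" "4908")
# ReadProperty: analog-value,1 present-value
READ_PV = bytes.fromhex("810A0011" "0104" "0005020C" "0C00800001" "1955")
# ReinitializeDevice: coldstart, no password
REINIT = bytes.fromhex("810A000C" "0104" "00050314" "0900")
# Who-Is broadcast
WHO_IS = bytes.fromhex("810B0008" "0100" "1008")

ALLOWED_SERVERS = {"10.20.0.5"}        # assumed WebCTRL server address (constructed)
SAMPLE_TRAFFIC = [
    ("10.20.0.5", READ_PV),
    ("10.20.0.5", WRITE_PV),
    ("10.20.0.77", WHO_IS),            # discovery from an unknown host: not state-changing
    ("10.20.0.77", WRITE_PV),          # write from an unknown host
    ("10.20.0.77", REINIT),            # reboot request from an unknown host
]

if __name__ == "__main__":
    for line in detect_unexpected_writes(SAMPLE_TRAFFIC, ALLOWED_SERVERS):
        print(line)
```

Run the file to print the alerts for the constructed traffic; in practice the `(src_ip, frame)` pairs would come from a capture of UDP port 47808 taken at a mirror port on the building automation segment. The parser also skips routed NPDU headers (DNET/SNET), so requests relayed through a BACnet router to MS/TP controllers are classified by service the same way.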
Recommended Action (AI)
Within 24 hours: Identify and inventory all WebCTRL Premium Server installations and assess network exposure. …
Related vulnerabilities in WebCTRL Premium Server
- This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext w…
- WebCTRL Premium Server contains a port binding vulnerability that allows an attacker with local access to bind to the sa…
Weakness: CWE-290 – Authentication Bypass by Spoofing
Technique: Authentication Bypass
References
- EUVD-2026-13861