Webctrl Premium Server

3 CVEs for this product

CVE-2026-24060 | CRITICAL | CISA priority: Emergency

This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext without encryption. An attacker positioned on the network can capture sensitive service information, including File Start Position, File Data, and proprietary PLC update formats, with a packet analyzer such as Wireshark, enabling both information disclosure and potential integrity attacks through modification of intercepted traffic. With a CVSS score of 9.1 (Critical) and a network-based attack vector requiring no privileges or user interaction, this represents a significant exposure for building automation systems.

Category: Information Disclosure | Product: Webctrl Premium Server
References: NVD, GitHub, VulDB
CVSS 3.1: 9.1 | EPSS: 0.0%
CVE-2026-32666 | HIGH | CISA priority: Act Now

WebCTRL Premium Server systems contain an authentication bypass vulnerability arising from the BACnet protocol's inherent lack of network-layer authentication, compounded by WebCTRL's failure to implement additional validation. An attacker with network access can spoof BACnet packets targeting either the WebCTRL server or associated Automated Logic controllers, which will process the spoofed packets as legitimate traffic. This vulnerability has a CVSS score of 7.5 with high integrity impact and is disclosed through ICS-CERT advisory ICSA-26-078-08.

Category: Authentication Bypass | Product: Webctrl Premium Server
References: NVD, GitHub, VulDB
CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-25086 | HIGH | CISA priority: Act Now

WebCTRL Premium Server contains a port binding vulnerability that allows an attacker with local access to bind to the same network port used by the WebCTRL service. This enables the attacker to send malicious packets and impersonate the legitimate WebCTRL service without injecting code into the application, potentially compromising the confidentiality and integrity of building automation system communications. The vulnerability affects Automated Logic's WebCTRL Premium Server and has been disclosed by ICS-CERT, though no KEV listing or public PoC is currently documented.

Category: Code Injection | Product: Webctrl Premium Server
References: NVD, GitHub, VulDB
CVSS 3.1: 7.7 | EPSS: 0.0%