CVE-2026-32666

Summary

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

Affected Software

VendorProductVersion RangeStatus
Automated LogicWebCTRL Premium Server0 < v8.5affected

Weaknesses

  • CWE-290: CWE-290

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References