CVE-2026-32666

HIGH

Automated Logic WebCTRL Premium Server Authentication Bypass by Spoofing

Title source: cna

Description

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

References (3)

https://www.automatedlogic.com/en/company/security-commitment/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json

View Writeup ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0007

EPSS Percentile 22.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (1)

Automated Logic/WebCTRL Premium Server < v8.5

Published Mar 21, 2026

Tracked Since Mar 21, 2026