CVE-2026-32666

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json
https://www.automatedlogic.com/en/company/security-commitment/
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-21 00:16

Updated : 2026-03-23 16:16

NVD link : CVE-2026-32666

Mitre link : CVE-2026-32666

CVE.ORG link : CVE-2026-32666

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

7.5 /10