Vulnerability Description
Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-07
- https://www.automatedlogic.com/en/company/security-commitment/
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
FAQ
What is CVE-2026-24060?
CVE-2026-24060 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Posit...
How severe is CVE-2026-24060?
CVE-2026-24060 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-24060?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.