Vulnerability Description
WebCTRL systems that communicate over BACnet inherit the protocol's lack of network-layer authentication. WebCTRL does not implement additional validation of BACnet traffic, so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.
CVSS Score
7.5 (HIGH)
References
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-07
- https://www.automatedlogic.com/en/company/security-commitment/
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
FAQ
What is CVE-2026-32666?
CVE-2026-32666 is a vulnerability with a CVSS score of 7.5 (HIGH). WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with netwo...
How severe is CVE-2026-32666?
CVE-2026-32666 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-32666?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.