CVE-2026-32666 - Vulnerability Details - OpenCVE

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Automatedlogic	Webctrl Server

No data.

No data.

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json
https://www.automatedlogic.com/en/company/security-commitment/
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08

History

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Automatedlogic Automatedlogic webctrl Server
Vendors & Products		Automatedlogic Automatedlogic webctrl Server

Sat, 21 Mar 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.
Title		Automated Logic WebCTRL Premium Server Authentication Bypass by Spoofing
Weaknesses		CWE-290
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json https://www.automatedlogic.com/en/company/security-commitment/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-03-20T23:17:29.342Z

Updated: 2026-03-23T15:56:02.688Z

Reserved: 2026-03-12T19:57:03.327Z

Link: CVE-2026-32666

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-21T00:16:26.220

Modified: 2026-03-23T16:16:47.220

Link: CVE-2026-32666

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32666", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-03-12T19:57:03.327Z", "datePublished": "2026-03-20T23:17:29.342Z", "dateUpdated": "2026-03-23T15:56:02.688Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-20T23:17:29.342Z"}, "title": "Automated Logic WebCTRL Premium Server Authentication Bypass by Spoofing", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-290", "description": "CWE-290", "type": "CWE"}]}], "affected": [{"vendor": "Automated Logic", "product": "WebCTRL Premium Server", "versions": [{"status": "affected", "version": "0", "lessThan": "v8.5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "WebCTRL systems that communicate over BACnet inherit the protocol's lack\n of network layer authentication. WebCTRL does not implement additional \nvalidation of BACnet traffic so an attacker with network access could \nspoof BACnet packets directed at either the WebCTRL server or associated\n AutomatedLogic controllers. Spoofed packets may be processed as \nlegitimate.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "WebCTRL systems that communicate over BACnet inherit the protocol's lack\n of network layer authentication. WebCTRL does not implement additional \nvalidation of BACnet traffic so an attacker with network access could \nspoof BACnet packets directed at either the WebCTRL server or associated\n AutomatedLogic controllers. Spoofed packets may be processed as \nlegitimate."}]}], "tags": ["unsupported-when-assigned"], "references": [{"url": "https://www.automatedlogic.com/en/company/security-commitment/"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "solutions": [{"lang": "en", "value": "Automated Logic notes that WebCTRL 7 is end of life and has been \nout of support since January 27, 2023. Users are advised to upgrade to \nthe latest version of the WebCTRL server application, which supports the\n more secure BACnet/SC.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Automated Logic notes that WebCTRL 7 is end of life and has been \nout of support since January 27, 2023. Users are advised to upgrade to \nthe latest version of the WebCTRL server application, which supports the\n more secure BACnet/SC."}]}, {"lang": "en", "value": "For users of supported versions of WebCTRL (WebCTRL 8.5 \ncumulative releases and later), Automated Logic provides secure \nconfiguration guidance for hardware and software deployments; BACnet \nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \nmutual authentication; and published best practices for network \nsegmentation, access control, and secure protocol implementation. \nAdditional information is available at:\u00a0\n https://www.automatedlogic.com/en/company/security-commitment/", "supportingMedia": [{"type": "text/html", "base64": false, "value": "For users of supported versions of WebCTRL (WebCTRL 8.5 \ncumulative releases and later), Automated Logic provides secure \nconfiguration guidance for hardware and software deployments; BACnet \nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \nmutual authentication; and published best practices for network \nsegmentation, access control, and secure protocol implementation. \nAdditional information is available at: <br><a href=\"https://www.automatedlogic.com/en/company/security-commitment/\" title=\"(opens in a new window)\">https://www.automatedlogic.com/en/company/security-commitment/</a>"}]}], "credits": [{"lang": "en", "value": "Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-078-08", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:49:42.712836Z", "id": "CVE-2026-32666", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:56:02.688Z"}}]}}