CVE-2026-25086
Received Received - Intake

Port Binding Vulnerability in WebCTRL Enables Service Impersonation

Vulnerability report for CVE-2026-25086, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-21

Last updated on: 2026-03-23

Assigner: ICS-CERT

Description

Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-21
Last Modified
2026-03-23
Generated
2026-07-06
AI Q&A
2026-03-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
automated_logic webctrl to 7 (inc)
automated_logic webctrl 8.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-605 When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25086 is a vulnerability in Automated Logic's WebCTRL system, specifically affecting versions up to WebCTRL 7. The issue arises because the system uses the BACnet protocol without encryption or authentication, allowing an attacker with local network access to bind to the same port as WebCTRL."}, {'type': 'paragraph', 'content': 'This enables the attacker to craft and send malicious packets that the system processes as legitimate, effectively impersonating the WebCTRL service without needing to inject code into the software.'}, {'type': 'paragraph', 'content': 'Additionally, sensitive information such as file data is transmitted in cleartext, making it vulnerable to interception and reverse engineering.'}] [1]

Mitigation Strategies

Immediate mitigation steps include upgrading from WebCTRL 7 to the latest supported versions (WebCTRL 8.5 cumulative releases and later) that support BACnet Secure Connect (BACnet/SC), which introduces TLS encryption and mutual authentication.

Additional steps involve implementing secure configuration practices such as network segmentation, access control, and minimizing network exposure of control system devices by isolating them behind firewalls.

Use secure remote access methods like up-to-date VPNs, and follow defense-in-depth strategies including monitoring for suspicious activity.

Educate users to avoid social engineering attacks by not clicking on unsolicited email links or attachments.

Impact Analysis

This vulnerability can have significant impacts including unauthorized access and control over the WebCTRL system communications.

  • Attackers can intercept, read, and modify sensitive information transmitted in cleartext.
  • They can impersonate the WebCTRL service, potentially causing the system to accept malicious commands or data.
  • Such actions compromise the confidentiality and integrity of the system, potentially leading to unauthorized control or manipulation of building automation functions.

The CVSS score of 7.7 indicates a high severity impact on confidentiality and integrity, though availability is not affected.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for unencrypted BACnet protocol communications used by WebCTRL. Since sensitive information is transmitted in cleartext, tools like Wireshark can be used to capture and analyze BACnet packets to identify suspicious or spoofed traffic.'}, {'type': 'paragraph', 'content': 'Detection involves looking for unauthorized devices binding to the same port as WebCTRL and crafting BACnet packets that impersonate the WebCTRL service.'}, {'type': 'paragraph', 'content': 'Suggested commands include using packet capture tools such as:'}, {'type': 'list_item', 'content': "Wireshark with a filter for BACnet traffic (e.g., 'bacnet' filter) to inspect cleartext BACnet packets."}, {'type': 'list_item', 'content': 'tcpdump to capture BACnet traffic on the relevant port, for example: tcpdump -i <interface> port <WebCTRL_port>'}, {'type': 'list_item', 'content': 'netstat or ss commands to check for multiple bindings on the WebCTRL port, indicating possible port hijacking.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart