CVE-2026-32666
Received
Received - Intake
BACnet Spoofing Vulnerability in WebCTRL Enables Unauthorized Control
Vulnerability report for CVE-2026-32666, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-21
Last updated on: 2026-03-23
Assigner: ICS-CERT
Description
Description
WebCTRL systems that communicate over BACnet inherit the protocol's lack
of network layer authentication. WebCTRL does not implement additional
validation of BACnet traffic so an attacker with network access could
spoof BACnet packets directed at either the WebCTRL server or associated
AutomatedLogic controllers. Spoofed packets may be processed as
legitimate.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| automated_logic | webctrl | to 7 (inc) |
| automated_logic | webctrl | 8.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |