CVE-2026-32666
Received
Received - Intake
BACnet Spoofing Vulnerability in WebCTRL Enables Unauthorized Control
Publication date: 2026-03-21
Last updated on: 2026-03-23
Assigner: ICS-CERT
Description
Description
WebCTRL systems that communicate over BACnet inherit the protocol's lack
of network layer authentication. WebCTRL does not implement additional
validation of BACnet traffic so an attacker with network access could
spoof BACnet packets directed at either the WebCTRL server or associated
AutomatedLogic controllers. Spoofed packets may be processed as
legitimate.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| automated_logic | webctrl | to 7 (inc) |
| automated_logic | webctrl | 8.5 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
