OTPulse

KMC Controls Conquest BACnet Router Vulnerabilities

Monitor | 5.3 | ICS-CERT ICSA-16-126-01 | Feb 6, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The KMC Controls BAC-5051E BACnet router firmware versions E0.2.0.2 and earlier contain authentication and access control weaknesses (CWE-352, CWE-306). An attacker can access the router remotely without valid credentials and read sensitive information such as building automation configurations, device status, and operational parameters. The vulnerability affects building automation systems that use this router to manage HVAC, lighting control, and other facility equipment.

What this means
What could happen
An attacker with network access could read sensitive information from the BACnet router without authentication, potentially exposing building automation system configurations and operational data.
Who's at risk
Building automation operators and facility managers who use KMC Controls BAC-5051E BACnet routers to manage HVAC, lighting, and other building systems. Any organization with building automation networks relying on this router is affected.
How it could be exploited
An attacker sends unauthenticated network requests to the BAC-5051E router over the BACnet protocol (typically port 47808/UDP or 47808/TCP). The router fails to enforce authentication or access controls, allowing the attacker to read sensitive operational data, configuration details, or system status information that should be restricted.
Prerequisites
  • Network reachability to the BACnet port on the BAC-5051E router (port 47808)
  • No valid credentials required
  • Router must be running firmware version E0.2.0.2 or earlier
remotely exploitable | no authentication required | low complexity | no patch available
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
BAC-5051E router firmware: <E0.2.0.2 | <E0.2.0.2 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict network access to the BAC-5051E router to only authorized engineering workstations and building automation systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact KMC Controls to request availability of a patched firmware version for the BAC-5051E router
Mitigations - no patch available
BAC-5051E router firmware: <E0.2.0.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment the building automation network from general IT networks using VLANs or separate network segments
HARDENING: Monitor and log all BACnet protocol traffic to and from the router for unauthorized access attempts
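
One way to act on the monitoring and access-restriction mitigations above, as an added example that is not part of the advisory or any vendor tooling: it reviews flow records for port 47808 traffic touching the router and flags peers outside the authorized set, plus datagrams that are not well-formed BACnet/IP. The router address, the allowlist and the sample records are constructed assumptions; the BVLC header layout (type 0x81, function, 16-bit length) comes from BACnet/IP.

```python
import ipaddress
import struct

BACNET_PORT = 47808                                   # port named in the advisory
ROUTER = ipaddress.ip_address("10.20.0.5")            # assumed BAC-5051E address
ALLOWED = [ipaddress.ip_network("10.20.0.10/32"),     # assumed engineering workstation
           ipaddress.ip_network("10.20.1.0/28")]      # assumed BAS controller range

# Subset of BACnet/IP BVLC function codes, used to label what a peer sent.
BVLC_FUNCTIONS = {0x00: "BVLC-Result", 0x04: "Forwarded-NPDU",
                  0x05: "Register-Foreign-Device",
                  0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}

def parse_bvlc(payload: bytes):
    """Return the BVLC function name, or None if this is not well-formed BACnet/IP."""
    if len(payload) < 4:
        return None
    bvlc_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvlc_type != 0x81 or length != len(payload):
        return None
    return BVLC_FUNCTIONS.get(function, f"function-0x{function:02x}")

def review(records):
    """Return (time, peer, reason, bvlc_function) for router traffic needing attention."""
    alerts = []
    for ts, src, sport, dst, dport, payload_hex in records:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if ROUTER not in (src_ip, dst_ip) or BACNET_PORT not in (sport, dport):
            continue
        peer = dst_ip if src_ip == ROUTER else src_ip   # covers traffic to and from
        function = parse_bvlc(bytes.fromhex(payload_hex))
        if not any(peer in net for net in ALLOWED):
            alerts.append((ts, str(peer), "unauthorized-peer", function))
        elif function is None:
            alerts.append((ts, str(peer), "malformed-bvlc", None))
    return alerts

# Constructed sample records: (time, src, sport, dst, dport, UDP payload hex)
SAMPLE = [
    ("08:00:01", "10.20.0.10", 47808, "10.20.0.5", 47808, "810a001101040005010c0c02000001194d"),
    ("08:00:07", "192.168.50.23", 47808, "10.20.0.5", 47808, "810a001101040005010c0c02000001194d"),
    ("08:00:07", "10.20.0.5", 47808, "192.168.50.23", 47808, "810a00060100"),
    ("08:03:12", "10.20.1.3", 47808, "10.20.0.5", 47808, "deadbeef"),
    ("08:05:40", "192.168.50.23", 51544, "10.20.0.5", 443, ""),
]

if __name__ == "__main__":
    for alert in review(SAMPLE): print(alert)
```

An alert for a router reply to an unlisted peer means the firewall restriction is not in effect for that path, not just that someone probed the port.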