CBAS Web contains multiple critical vulnerabilities affecting authentication, database access, and command execution. These include cross-site request forgery (CWE-352), improper information exposure (CWE-203), cross-site scripting (CWE-79), command injection (CWE-77), exposure of sensitive information (CWE-540), insecure cryptographic storage (CWE-321), SQL injection (CWE-89), authentication bypass (CWE-288), and weak encryption (CWE-326). Successful exploitation could allow an attacker to execute arbitrary code, access sensitive data, bypass authentication, or execute unauthorized operating system commands on the building management system. All versions below the listed fixed versions are affected.
What this means
What could happen
An attacker with valid user credentials could gain administrative access to CBAS Web, execute arbitrary commands on the building management system, steal sensitive database information, or inject malicious code into the web interface that affects all users and connected building control devices.
Who's at risk
Building management system operators and facility managers running Computrols CBAS Web software for HVAC control, lighting control, access control, or other building automation functions. This affects any organization using CBAS Web regardless of size, including hospitals, schools, office buildings, water treatment facilities, and other critical infrastructure.
How it could be exploited
An attacker with valid login credentials accesses the CBAS Web interface over the network. The vulnerabilities allow the attacker to bypass authentication controls, inject SQL commands to access or modify the database, inject commands to the underlying operating system, or inject malicious code into the web application. This code could then spread to other users and compromise connected building automation equipment like HVAC systems, lighting controls, or access controls.
Prerequisites
Valid user credentials for CBAS Web (authentication bypass possible but credential-based access is primary vector)
Network access to the CBAS Web interface (typically port 80/443)
Unpatched CBAS Web installation running a version below the listed fixed versions
Remotely exploitable
Multiple vulnerability types (authentication bypass, SQL injection, command injection, XSS)
High CVSS score (8.8)
Affects building automation and control systems
High exploit probability (EPSS 19.9%)
Requires valid user credentials for full exploitation, but authentication bypass is possible
Exploitability
High exploit probability (EPSS 19.9%)
Affected products (1)
Product: CBAS Web, a web-based Building Management System (BMS)
Affected versions: all versions < 19.0.1, < 18.0.1, < 15.0.1, < 14.0.1, < 8.0.7, < 7.2.1-Beta, < 6.9.2, < 4.8.2, < 3.15.1
Fix status: upgrade to 19.0.1, 18.0.1, 15.0.1, 14.0.1, 8.0.7, 7.2.1-Beta, 6.9.2, 4.8.2, or 3.15.1, depending on the installed major version
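As an added example (not from the advisory and not Computrols' code), a small Python helper that applies the per-branch fixed versions above to a host inventory: it treats a pre-release tag such as "-Beta" as sorting below the untagged release with the same numbers, and flags installs on a major branch the advisory does not list for manual follow-up rather than guessing. The hostnames and versions in SAMPLE_INVENTORY are constructed sample data.

```python
import re

# Fixed version per major branch, as listed in the advisory.
FIXED_BY_MAJOR = {
    19: "19.0.1", 18: "18.0.1", 15: "15.0.1", 14: "14.0.1",
    8: "8.0.7", 7: "7.2.1-Beta", 6: "6.9.2", 4: "4.8.2", 3: "3.15.1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?$")


def parse_version(text):
    """Turn '7.2.1-Beta' or '19.0.0' into a comparable tuple.

    The last slot is 0 for a tagged pre-release and 1 for an untagged release,
    so 7.2.1-Beta < 7.2.1 while both are above 7.2.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CBAS Web version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch), 0 if tag else 1)


def assess(installed):
    """Return (is_affected, fixed_version_for_branch).

    For a major branch the advisory does not list, return (None, None):
    the advisory gives no fix for it, so the result is 'unknown, ask the vendor'
    rather than a guess (this handling is the example's own choice).
    """
    ver = parse_version(installed)
    fixed = FIXED_BY_MAJOR.get(ver[0])
    if fixed is None:
        return None, None
    return ver < parse_version(fixed), fixed


def hosts_needing_upgrade(inventory):
    """List (host, installed, fixed) for hosts that are affected or unassessable."""
    todo = []
    for host, installed in inventory.items():
        affected, fixed = assess(installed)
        if affected is None or affected:
            todo.append((host, installed, fixed))
    return todo


# Constructed sample inventory (not real hosts or data from the advisory).
SAMPLE_INVENTORY = {
    "bms-hq": "19.0.0", "bms-plant-a": "8.0.7",
    "bms-plant-b": "7.2.0", "bms-legacy": "16.2.0",
}
```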
Remediation & Mitigation
Do now
HARDENING: Restrict network access to CBAS Web to authorized engineering and operations staff only, using firewall rules or access control lists
WORKAROUND: Disable unnecessary features or services in CBAS Web if they are not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade CBAS Web to the latest patched version for your major version: 19.0.1, 18.0.1, 15.0.1, 14.0.1, 8.0.7, 7.2.1-Beta, 6.9.2, 4.8.2, or 3.15.1
HARDENING: Require VPN for any remote access to CBAS Web and building management systems
Long-term hardening
HARDENING: Place CBAS Web and connected building control networks behind a firewall and isolate them from the business network