Automated Logic WebCTRL Premium Server
Act Now · 10 · ICS-CERT ICSA-24-326-01 · Nov 21, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Automated Logic WebCTRL Premium Server, Carrier i-Vu, SiteScan Web, and WebCTRL for OEMs versions 7.0 contain unauthenticated remote code execution and web redirection vulnerabilities (CVE-2024-8525 and CVE-2024-8526). An unauthenticated remote attacker can exploit these flaws to execute arbitrary commands on the server or redirect users to malicious websites, potentially compromising building automation system control and facility operations.
What this means
What could happen
An attacker could execute arbitrary commands on the WebCTRL server or redirect facility operators to malicious sites, potentially allowing takeover of building automation systems that control HVAC, lighting, security, and other critical building functions.
Who's at risk
Building automation operators and facility managers responsible for WebCTRL Premium Server systems, Carrier i-Vu, SiteScan Web, and OEM-branded WebCTRL deployments. Affects organizations managing HVAC, lighting, security, and energy management systems in commercial buildings, hospitals, campuses, and data centers.
How it could be exploited
An attacker on the network sends a crafted request to the WebCTRL server (port 80/443) without needing valid credentials. The server accepts and processes the malicious input, allowing command execution on the host system or redirection of operator web sessions to attacker-controlled sites.
Prerequisites
- Network access to WebCTRL server on ports 80 and/or 443
- No authentication required
- Server must be reachable from the attacker's network location
- Remotely exploitable
- No authentication required
- Low complexity attack
- Critical CVSS score (10.0)
- Affects building control systems
- No patch available for v7.0 products
- End-of-life product versions
Exploitability
Moderate exploit probability (EPSS 2.8%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
WebCTRL Server | 7.0 | 7.0 → 8.0
Carrier i-Vu | 7.0 | 7.0 → 8.0
SiteScan Web | 7.0 | 7.0 → 8.0
WebCTRL for OEMs | 7.0 | 7.0 → 8.0
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to WebCTRL servers from the internet; place them behind firewalls and isolate them from business networks using network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade WebCTRL Server, Carrier i-Vu, SiteScan Web, and WebCTRL for OEMs to version 8.0 or later to resolve CVE-2024-8526
- HOTFIX: For CVE-2024-8525, apply the software update available on the authorized dealer support site; note that v7.0 is end-of-life (last supported 1/27/2023)
Long-term hardening
- HARDENING: If remote access is required, implement a VPN solution with access controls; ensure the VPN is kept current with security updates
- HARDENING: Review and implement the Automated Logic Security Best Practices Checklists for Building Automation Systems (BAS) for proper installation and configuration
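To verify that the segmentation steps above actually hold, a defender can audit which source networks are reaching the WebCTRL web interface on ports 80/443. The script below is an added example, not code from Automated Logic, ICS-CERT or this advisory: it assumes a common-log-format access log, a hypothetical BAS operator VLAN (10.50.1.0/24) and VPN client pool (10.60.0.0/24), and uses constructed log lines.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical segmentation policy: only the BAS operator VLAN and the VPN
# client pool may reach the WebCTRL web interface (ports 80/443).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.50.1.0/24"),  # BAS operator VLAN (assumed)
    ipaddress.ip_network("10.60.0.0/24"),  # VPN client pool (assumed)
]
# RFC 1918 ranges: a hit here (outside the allow-list) means the business
# network can still reach the server; anything else means wider exposure.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed access-log lines (common log format) from a WebCTRL host.
# Addresses, paths and status codes are made up for this example.
SAMPLE_LOG = """\
10.50.1.20 - - [21/Nov/2024:08:01:11 +0000] "GET / HTTP/1.1" 200 5120
10.50.1.21 - - [21/Nov/2024:08:02:30 +0000] "POST /login HTTP/1.1" 302 0
192.168.77.9 - - [21/Nov/2024:08:03:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.45 - - [21/Nov/2024:08:03:40 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.45 - - [21/Nov/2024:08:03:41 +0000] "POST /x HTTP/1.1" 500 0
10.60.0.5 - - [21/Nov/2024:08:04:00 +0000] "GET / HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_source(ip_str, allowed=ALLOWED_SOURCES):
    """Return 'allowed', 'internal-unsegmented' or 'internet' for a client IP."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in allowed):
        return "allowed"
    if any(ip in net for net in RFC1918):
        return "internal-unsegmented"
    return "internet"


def audit_access_log(log_text, allowed=ALLOWED_SOURCES):
    """Group requests from disallowed sources by client IP (unparseable lines are skipped)."""
    findings = defaultdict(lambda: {"category": None, "requests": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        category = classify_source(m["ip"], allowed)
        if category == "allowed":
            continue
        findings[m["ip"]]["category"] = category
        findings[m["ip"]]["requests"].append((m["method"], m["path"], int(m["status"])))
    return dict(findings)
```

Every IP the audit returns is a path to the server that the firewall and segmentation rules should have blocked; the "internet" category is the one that turns the unauthenticated RCE in this advisory into a remotely reachable problem.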
CVEs (2): CVE-2024-8525, CVE-2024-8526