Automated Logic WebCTRL Premium Server

Plan: Patch
CVSS: 9.3
ICS-CERT: ICSA-25-324-01
Date: Nov 20, 2025
Vendors: Johnson Controls, Carrier
Attack path
  Attack Vector: Local
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

Automated Logic WebCTRL Premium Server and related products contain two vulnerabilities: CWE-601 (Open Redirect) and CWE-79 (Stored Cross-Site Scripting). These allow a remote attacker to deceive users into running malicious scripts or to redirect them to malicious websites. Affected versions include WebCTRL Server 6.1–8.5, SiteScan Web 6.1–8.5, WebCTRL for OEMs 6.1–8.5, and Carrier i-Vu 6.1–8.5. All vulnerabilities are remediated in version 9.0.

What this means
What could happen
An attacker could trick operators into clicking malicious links or running scripts that compromise their workstations or steal credentials, potentially leading to unauthorized access to building automation systems and control of HVAC, lighting, and other facility operations.
Who's at risk
Building automation system operators and engineers at water utilities, municipal electric utilities, and commercial facilities using Automated Logic WebCTRL Server, SiteScan Web, WebCTRL for OEMs, or Carrier i-Vu versions 6.1 through 8.5 should prioritize upgrading to version 9.0. This affects anyone with engineering access to facility HVAC, lighting, and environmental control systems.
How it could be exploited
An attacker sends a crafted email or link to an operator that exploits the open redirect or stored XSS vulnerability in WebCTRL. When the operator clicks the link or visits an affected page, they are redirected to a malicious website or execute attacker-controlled JavaScript in the context of their WebCTRL session.
Prerequisites
  • User must click a malicious link or visit a compromised WebCTRL page
  • User must be running a vulnerable version of WebCTRL (6.1–8.5)
  • No authentication bypass; social engineering is required
  • Low technical complexity: requires social engineering, not exploit code
  • Affects high-value targets: facility operators with control over building systems
  • Default configurations may expose WebCTRL to business networks
  • End-of-life versions (6.1, 7.0) will not receive future patches
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (16)
16 with fix
Product                                   Affected Versions   Fix Status
Automated Logic WebCTRL Server 7.0        7.0                 9.0
Automated Logic WebCTRL Server 8.0        8.0                 9.0
Automated Logic WebCTRL Server 8.5        8.5                 9.0
Automated Logic SiteScan Web 8.5          8.5                 9.0
Automated Logic WebCTRL for OEMs 8.5      8.5                 9.0
Remediation & Mitigation
Do now
HARDENING: Restrict network access to WebCTRL administrative interfaces to trusted engineering workstations only; place the server behind a firewall and isolate it from the business network
HARDENING: Implement email filtering and user security awareness training to block unsolicited emails and educate operators not to click untrusted links
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade WebCTRL Server, SiteScan Web, WebCTRL for OEMs, and i-Vu to version 9.0 or later
HARDENING: If remote access to WebCTRL is required, use a VPN with current security patches and require multi-factor authentication