Automated Logic WebCTRL Premium Server
Plan Patch · 9.3 · ICS-CERT ICSA-25-324-01 · Nov 20, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required (the operator must follow a crafted link or run the script; see Prerequisites below)
Summary
WebCTRL and i-Vu contain a URL redirection vulnerability (CWE-601, open redirect) and a cross-site scripting vulnerability (CWE-79). An attacker with local workstation access can craft links that, when followed by an operator, either redirect the operator to an untrusted site or execute attacker-supplied script in the operator's browser session with the web interface. Either path can be used for credential theft or as a foothold for lateral movement into the BAS network. Versions 6.1, 7.0, 8.0, and 8.5 are vulnerable; versions 6.1 and 7.0 are end-of-life. The vulnerabilities are not remotely exploitable and require user interaction.
What this means
What could happen
An attacker with local access to a user's workstation could trick a legitimate operator into following a crafted link. Depending on the bug used, the link either runs attacker-supplied script in the operator's WebCTRL or i-Vu session, letting the attacker act with the operator's privileges in the web interface (CWE-79), or redirects the operator to a phishing page built to harvest control-system credentials (CWE-601).
Who's at risk
Building automation system (BAS) operators and site engineers who use Automated Logic WebCTRL, Carrier i-Vu, or Automated Logic SiteScan Web to manage HVAC, lighting, and other facility controls. Organizations running versions 6.1 through 8.5 are at risk wherever operator workstations can reach the BAS web interface.
How it could be exploited
An attacker must first gain local access to a user's workstation (via USB, physical access, or an earlier compromise). They then craft a link or script that, when followed or executed by the operator, either injects attacker-controlled script into the operator's browser session with the WebCTRL or i-Vu interface (CWE-79) or bounces the operator through a trusted-looking WebCTRL URL to an attacker-chosen page that harvests BAS credentials (CWE-601). The script runs in the browser, not as a local command; its reach is whatever the operator's web session can do.
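The two bug classes above are easiest to reason about next to a hardened and a vulnerable form of each. The following is an added example written for this page, not code from the advisory, Automated Logic, or Carrier: the hostname, the `?next=`-style login redirect, and every function name are hypothetical. It goes slightly beyond the advisory text by covering the usual open-redirect bypass variants (protocol-relative `//host`, backslash authority, `https:host` without slashes, userinfo `trusted@evil`, non-HTTP schemes, and header-splitting control characters), since a redirect allowlist that misses any of them is still CWE-601.

```python
"""Added illustration of CWE-601 (open redirect) and CWE-79 (reflected XSS).
Generic Python written for this page, not WebCTRL or i-Vu code; the hostname,
function names and request parameters are hypothetical."""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Assumed hostname of the BAS web server; replace with the real one.
TRUSTED_HOST = "webctrl.example.internal"


def is_safe_redirect(target: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """True only if `target` keeps the browser on `trusted_host`.

    Rejects the usual open-redirect bypasses: protocol-relative "//evil",
    backslash variants "/\\evil" (browsers treat "\\" as "/" in the
    authority), scheme-without-slashes "https:evil", userinfo tricks
    "https://trusted@evil", non-http schemes such as "javascript:", and
    control characters that could split the Location header.
    """
    if not target:
        return False
    # Checked before parsing: newer urlsplit() silently strips some of these.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:          # e.g. malformed IPv6 literal "https://[evil"
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: allow only site-absolute paths ("/ui"),
        # never "//host" or "///host", which browsers resolve off-origin.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if "@" in parts.netloc:     # userinfo: https://trusted@evil.example
        return False
    # "https:evil" parses with an empty netloc, so hostname is None here.
    return (parts.hostname or "").lower() == trusted_host.lower()


def login_redirect(requested: Optional[str], default: str = "/") -> str:
    """Hardened post-login redirect: any untrusted target falls back to
    `default` instead of being echoed into the Location header (CWE-601)."""
    if requested and is_safe_redirect(requested):
        return requested
    return default


def login_redirect_vulnerable(requested: Optional[str], default: str = "/") -> str:
    """The open-redirect pattern: go wherever the hypothetical ?next= says."""
    return requested or default


def render_status(message: str) -> str:
    """Hardened reflection of user input into HTML (CWE-79 mitigation).
    quote=True also escapes ' and ", so the output is safe inside quoted
    attributes as well as in element text."""
    return f'<p class="status">{escape(message, quote=True)}</p>'


def render_status_vulnerable(message: str) -> str:
    """The reflected-XSS pattern: raw input interpolated into markup."""
    return f'<p class="status">{message}</p>'


if __name__ == "__main__":
    # Constructed redirect targets of the kind an attacker might plant in a link.
    samples = [
        "/ui/dashboard",
        "https://webctrl.example.internal:8443/ui",
        "//evil.example/phish",
        "/\\evil.example",
        "https:evil.example",
        "https://webctrl.example.internal@evil.example/",
        "javascript:alert(1)",
        "https://webctrl.example.internal.evil.example/",
    ]
    for s in samples:
        print(f"{s!r:55} safe={is_safe_redirect(s)}")
    print(render_status('<script>alert(document.cookie)</script>'))
```

The validator deliberately rejects bare relative paths such as `index.jsp` and anything it cannot parse; for a login redirect the cost of a false reject is landing on the default page, while a false accept is exactly the phishing hop the advisory describes.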
Prerequisites
- Local access to an operator's workstation or engineering station
- User interaction: the operator must follow a link or run a script
- The workstation must have access to the WebCTRL or i-Vu system
Risk factors
- No in-version patch for 6.1 through 8.5; the fix is an upgrade to 9.0, and 6.1 and 7.0 are end-of-life
- Affects all major versions in active use
- Local access is required, but social engineering lowers the practical barrier
- Targets operator workstations, which often have network access to control systems
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (16; 16 with fix)
Product                               Affected Versions   Fix Status
Automated Logic WebCTRL Server 7.0    7.0                 Fixed in 9.0
Automated Logic WebCTRL Server 8.0    8.0                 Fixed in 9.0
Automated Logic WebCTRL Server 8.5    8.5                 Fixed in 9.0
Automated Logic SiteScan Web 8.5      8.5                 Fixed in 9.0
Automated Logic WebCTRL for OEMs 8.5  8.5                 Fixed in 9.0
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to WebCTRL, i-Vu, and SiteScan Web systems to authorized engineering stations only, using firewall rules
- HARDENING: Isolate building automation system (BAS) networks from business networks and the internet
- HARDENING: Implement user awareness training so operators avoid clicking unsolicited links and opening unexpected attachments
Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
- HOTFIX: Upgrade WebCTRL and i-Vu systems to version 9.0 or later
Long-term hardening
- HARDENING: Require multi-factor authentication for access to WebCTRL and i-Vu systems where feasible
- HARDENING: Enforce email gateway controls to block suspicious links and attachments targeting BAS staff
CVEs (2)