*Avation Light Engine Pro*
Plan Patch | CVSS 9.8 | ICS-CERT ICSA-26-034-02 | Feb 3, 2026
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
A critical vulnerability in Avation Light Engine Pro (all versions) allows unauthenticated remote attackers to take full control of the device. The vulnerability exists due to missing input validation. Avation has not responded to CISA's disclosure request and has not released a patch or workaround. All versions of Light Engine Pro are affected with no fix planned by the vendor.
What this means
What could happen
An attacker with network access to Light Engine Pro could gain complete control of the device and its connected systems, potentially disrupting critical operations or causing data loss.
Who's at risk
Any organization running Avation Light Engine Pro should take immediate action. If Light Engine Pro is used to control or monitor critical operations (such as lighting systems in manufacturing plants, data centers, or municipal facilities), this vulnerability poses a direct threat to operational availability.
How it could be exploited
An attacker can send a specially crafted network request to Light Engine Pro without authentication. The device fails to properly validate the request, allowing the attacker to execute arbitrary commands and take full control of the system.
Prerequisites
- Network access to Light Engine Pro
- No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, vendor unresponsive
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Light Engine Pro: vers:all/* | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Contact Avation directly to determine if a patch or workaround is available for your version of Light Engine Pro
- HARDENING: Restrict network access to Light Engine Pro by implementing firewall rules to allow connections only from authorized engineering workstations and control systems
- HARDENING: Isolate Light Engine Pro on a dedicated network segment or VLAN to limit lateral movement if the device is compromised
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor Light Engine Pro for unexpected configuration changes, command execution, or network traffic to authorized destinations
CVEs (1)