OTPulse

*Avation Light Engine Pro*

Act Now · 9.8 · ICS-CERT ICSA-26-034-02 · Feb 3, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Avation Light Engine Pro contains a critical vulnerability (CWE-306: Missing Authentication for Critical Function) that allows an attacker to take full control of the device. All versions are affected. The vendor has not responded to CISA coordination requests and has not released a patch.

What this means
What could happen
An attacker could gain complete control of the Light Engine Pro device, allowing them to modify lighting system configurations, disable safety features, or disrupt illumination operations critical to facility operations.
Who's at risk
Facilities managers and operators using Avation Light Engine Pro in industrial, municipal, or critical infrastructure lighting control systems, including water authorities, electric utilities, and building automation environments.
How it could be exploited
An attacker with network access to the Light Engine Pro device can exploit the missing authentication control to execute arbitrary commands and take over the device without providing any credentials or authentication tokens.
Prerequisites
  • Network connectivity to the Light Engine Pro device
  • No credentials or authentication required
Remotely exploitable · No authentication required · Low complexity attack · No patch available · Vendor non-responsive to disclosure · All product versions affected
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Light Engine Pro: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate Light Engine Pro devices from untrusted networks using network segmentation, firewall rules, or air-gapping to prevent direct network access from workstations or the internet
HARDENING: Implement network monitoring and access controls to restrict connections to Light Engine Pro to only authorized engineering workstations and control systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Avation directly to request security patches or firmware updates, and inquire about product end-of-life status and replacement options
Long-term hardening
HOTFIX: Evaluate feasibility of replacing Light Engine Pro with a vendor-supported alternative that receives security updates