EnOcean SmartServer IoT
Plan Patch · CVSS 8.1 · ICS-CERT ICSA-26-050-01 · Feb 19, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
EnOcean SmartServer IoT firmware versions 4.60.009 and earlier contain code execution vulnerabilities (CWE-77, CWE-125) that allow remote arbitrary code execution and ASLR bypass. The SmartServer IoT is a gateway device that bridges wireless IoT devices and building automation systems to IP networks. Successful exploitation could allow an attacker to execute arbitrary code on the device, potentially compromising the integrity of building automation systems and any connected wireless devices.
What this means
What could happen
An attacker could run arbitrary code on your SmartServer IoT gateway, potentially allowing them to intercept or manipulate wireless building automation commands, alter system configurations, or disrupt communications between smart building devices and your network.
Who's at risk
Building automation operators and facilities managers who rely on EnOcean SmartServer IoT gateways to manage wireless sensors, actuators, and controls in HVAC, lighting, and energy management systems.
How it could be exploited
An attacker with network access to the SmartServer IoT device can exploit a code execution vulnerability to run arbitrary commands. This could be done remotely if the device is accessible from an untrusted network, allowing the attacker to gain control of the gateway that bridges wireless IoT devices to your infrastructure.
Prerequisites
- Network access to the SmartServer IoT device
- Device running firmware version 4.60.009 or earlier
remotely exploitable · high CVSS score (8.1) · no authentication required
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product | Affected Versions | Fix Status
SmartServer IoT | ≤ 4.60.009 | 4.60.023
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SmartServer IoT to firmware version 4.60.023 or later
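An added example, not part of the advisory or any EnOcean tooling: a triage helper that sorts a gateway inventory against the version thresholds stated above. It assumes firmware versions are reported as three dotted numbers; the host names and inventory are constructed, and the "unconfirmed" bucket exists because the advisory says nothing about versions between 4.60.009 and 4.60.023.

```python
import re

# Thresholds taken from the advisory: affected <= 4.60.009, fixed in 4.60.023.
LAST_AFFECTED = (4, 60, 9)
FIRST_FIXED = (4, 60, 23)

# Assumption: versions are reported as three dotted numeric fields.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Return (major, minor, build) or None if the string is not N.N.N."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_text):
    """Map a reported firmware version to a patch-triage status."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"      # unparseable: verify on the device itself
    if v <= LAST_AFFECTED:
        return "affected"     # listed as vulnerable in the advisory
    if v >= FIRST_FIXED:
        return "fixed"
    return "unconfirmed"      # between the two: the advisory states nothing


def triage(inventory):
    """Group gateways by status; inventory is an iterable of (host, version)."""
    result = {"affected": [], "unconfirmed": [], "unknown": [], "fixed": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("ss-iot-lobby", "4.60.009"),
    ("ss-iot-plant", "4.50.112"),
    ("ss-iot-roof", "4.60.015"),
    ("ss-iot-lab", "4.60.023"),
    ("ss-iot-annex", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Gateways in the "affected", "unconfirmed" and "unknown" groups are the ones to put on the maintenance-window schedule or check by hand.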
CVEs (2)