EnOcean SmartServer IoT
Plan: Patch
CVSS: 8.1
Source: ICS-CERT ICSA-26-050-01
Published: Feb 19, 2026
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
EnOcean SmartServer IoT versions 4.60.009 and earlier contain command injection and memory safety vulnerabilities (CWE-77, CWE-125) that allow remote code execution without authentication. Exploitation could bypass address space layout randomization (ASLR), making attacks more reliable. Affected devices communicate with occupancy sensors, lighting controllers, and other building automation equipment.
What this means
What could happen
An attacker could execute arbitrary code on your SmartServer IoT device, potentially compromising building automation systems, occupancy sensors, lighting control, or other IoT infrastructure that depends on the SmartServer platform. This could lead to unauthorized control of connected devices or disruption of facility operations.
Who's at risk
Building automation operators, facility managers, and IT staff responsible for EnOcean SmartServer IoT deployments. This impacts occupancy sensors, lighting control systems, HVAC integration, and other IoT devices that communicate through the SmartServer platform in commercial buildings, campuses, and municipal facilities.
How it could be exploited
An attacker with network access to the SmartServer IoT device could send a specially crafted network request that triggers the command injection or memory safety vulnerability. No valid credentials are needed. Successful exploitation grants the ability to run arbitrary commands as the SmartServer process and to bypass memory randomization (ASLR), making further attacks more reliable.
Prerequisites
- Network access to the SmartServer IoT device (port and service not specified in the advisory)
- SmartServer IoT running version 4.60.009 or earlier
- No authentication required
- Remotely exploitable
- No authentication required
- High CVSS score (8.1)
- ASLR bypass enables more sophisticated attacks
- Affects building automation and facility control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
SmartServer IoT | <= 4.60.009 | 4.60.023
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SmartServer IoT using firewall rules so that it is reachable only from trusted networks or management interfaces
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Update SmartServer IoT to firmware version 4.60.023 (SmartServer 4.6 Update 2) or later
Long-term hardening
HARDENING: Consult the EnOcean hardening guide at https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security and implement the recommended network segmentation and access controls
CVEs (2)