Automated Logic WebCTRL Premium Server
Act Now | 9.1 | ICS-CERT ICSA-26-078-08 | Mar 19, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
WebCTRL Premium Server versions before 8.5 contain communications vulnerabilities (CWE-605, CWE-290, CWE-319) that allow an unauthenticated attacker on the network to intercept, read, or modify unencrypted BACnet protocol messages. Successful exploitation could allow reading sensitive building automation data, intercepting credentials, or injecting commands to alter facility control parameters such as HVAC setpoints or energy schedules. WebCTRL 7 reached end-of-life on January 27, 2023, and will not receive patches. WebCTRL 8.5 and later support BACnet Secure Connect (BACnet/SC), which adds TLS encryption and mutual authentication to mitigate these issues.
What this means
What could happen
An attacker with network access to WebCTRL Premium Server can intercept, read, or modify building automation communications between the server and BACnet devices, potentially altering HVAC setpoints, occupancy schedules, or energy settings affecting facility operations.
Who's at risk
Building automation operators at facilities using Automated Logic WebCTRL Premium Server, including water authorities, municipal electric utilities, hospitals, universities, and large commercial buildings. Any organization relying on WebCTRL for HVAC, lighting, energy management, or related facility controls should assess their exposure.
How it could be exploited
An attacker on the network can send unencrypted or spoofed BACnet messages to or from WebCTRL Premium Server. Because versions before 8.5 lack encryption (no TLS or BACnet/SC support), the attacker can intercept credentials, read configuration data, or inject commands that change building automation parameters without authentication.
Prerequisites
- Network access to WebCTRL Premium Server port (typically 502 for BACnet/IP or 47808 for BACnet/SC)
- WebCTRL version prior to 8.5 running without BACnet/SC enabled
- No existing encryption or TLS between client and server
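As an added defensive example (not code from the advisory or from Automated Logic), the following Python checker parses the BACnet/IP BVLC and NPDU headers of captured UDP payloads, reports any plaintext BACnet/IP it sees (which means BACnet/SC is not in use on that path) and flags WriteProperty requests that come from hosts outside an allowlist of engineering workstations. The trusted-workstation address and the sample datagrams are constructed assumptions.

```python
BVLC_BACNET_IP = 0x81             # BVLC type byte for BACnet/IP (Annex J)
CONFIRMED, UNCONFIRMED = 0, 1     # APDU PDU types
WRITE_SERVICES = {15: "writeProperty", 16: "writePropertyMultiple"}
TRUSTED_WRITERS = {"10.10.5.20"}  # assumed address of the trusted engineering workstation

def parse_apdu_service(payload: bytes):
    """Return (pdu_type, service_choice) for a BACnet/IP datagram, else None."""
    if len(payload) < 6 or payload[0] != BVLC_BACNET_IP or payload[4] != 0x01:
        return None                # not BACnet/IP, or unsupported NPDU version
    control, i = payload[5], 6
    if control & 0x20:             # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + payload[i + 2]
    if control & 0x08:             # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + payload[i + 2]
    if control & 0x20:
        i += 1                     # hop count follows the specifiers
    if control & 0x80:
        return None                # network-layer message, carries no APDU
    pdu_type = payload[i] >> 4
    if pdu_type == CONFIRMED:
        if payload[i] & 0x08:      # segmented: sequence number and window size precede service
            i += 2
        return pdu_type, payload[i + 3]   # header, max-APDU, invoke-id, then service choice
    return pdu_type, payload[i + 1] if pdu_type == UNCONFIRMED else None

def inspect(datagrams):
    """datagrams: iterable of (source_ip, udp_payload); returns (source_ip, reason) findings."""
    findings = []
    for src, payload in datagrams:
        parsed = parse_apdu_service(payload)
        if parsed is None:
            continue
        pdu_type, service = parsed
        findings.append((src, "plaintext BACnet/IP seen (BACnet/SC not in use)"))
        if pdu_type == CONFIRMED and service in WRITE_SERVICES and src not in TRUSTED_WRITERS:
            findings.append((src, f"{WRITE_SERVICES[service]} from untrusted host"))
    return findings

def bip(body: bytes) -> bytes:
    # Wrap NPDU+APDU in a BVLC Original-Unicast-NPDU header with the correct total length.
    return bytes([BVLC_BACNET_IP, 0x0A]) + (len(body) + 4).to_bytes(2, "big") + body

WRITE_PV = bip(bytes.fromhex("01040005010f0c0080000119553e4441a000003f"))  # WriteProperty present-value
SAMPLES = [  # constructed sample traffic, not captured from any real system
    ("10.10.5.20", bip(bytes.fromhex("0120ffff00ff1008"))),            # Who-Is broadcast
    ("10.10.9.7", WRITE_PV),                                           # write from unknown host
    ("10.10.5.20", WRITE_PV),                                          # same write, trusted host
    ("10.10.5.20", bip(bytes.fromhex("01040005020c0c008000011955"))),  # ReadProperty
]
```

Feed `inspect()` the (source address, UDP payload) pairs from a capture on the building automation segment; any finding at all shows the server is still talking plaintext BACnet/IP, and the untrusted-write findings are the ones that map to the command-injection risk described above.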
Key points
- Remotely exploitable without authentication
- No encryption in versions before 8.5
- No patch available for WebCTRL 7 (end-of-life)
- Low complexity attack
- Affects facility operations (HVAC, energy systems)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: WebCTRL Premium Server
Affected versions: <v8.5
Fix status: 8.5 cumulative releases and later
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the WebCTRL server: place it behind a firewall, deny internet-facing access, and allow only trusted engineering workstations and building automation devices on a separate VLAN
- WORKAROUND: If remote access is required, use a VPN with current patches, and verify that the VPN endpoint devices are secure
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Upgrade to WebCTRL 8.5 cumulative releases or later
- HARDENING: On WebCTRL 8.5 or later, enable BACnet Secure Connect (BACnet/SC) to turn on TLS encryption and mutual authentication
Long-term hardening
- HARDENING: Implement network segmentation to isolate the building automation network from the business network
API:
/api/v1/advisories/11e6ba16-6d68-4d18-baa5-3919b6ac8eb6