Automated Logic WebCTRL Premium Server

Recommended action: Plan patch
CVSS: 9.1
ICS-CERT advisory: ICSA-26-078-08
Published: Mar 19, 2026
Vendor: Carrier (Automated Logic)
Attack path
Attack vector: Network
Authentication required: None
Complexity: Low
User interaction: None needed
Summary

WebCTRL Premium Server versions prior to 8.5 contain multiple vulnerabilities (CWE-605, CWE-290, CWE-319) that allow an unauthenticated attacker with network access to read, intercept, or modify BACnet communications between the server and building control devices. The root cause is the transport: classic BACnet/IP carries commands in cleartext and does nothing to authenticate the device that sent them, so any host that can reach the BACnet segment can observe and spoof traffic. WebCTRL 7 reached end of life on January 27, 2023 and will not receive fixes. Customers running WebCTRL 8.5 cumulative releases or later can mitigate the issue by enabling BACnet Secure Connect (BACnet/SC), which carries BACnet traffic over TLS with certificate-based mutual authentication of each device.

What this means
What could happen
An attacker could intercept, read, or modify communications between WebCTRL servers and building automation devices without any credentials, allowing manipulation of HVAC, lighting and security-system setpoints or disruption of facility operations.
Who's at risk
Building automation system operators using Automated Logic WebCTRL Premium Server for HVAC, lighting, security, and environmental controls. Primarily affects facility managers and operators at commercial real estate, healthcare, government, and industrial sites that depend on WebCTRL for building system management.
How it could be exploited
An attacker on the network segment where WebCTRL and building control devices communicate can capture the BACnet/IP traffic, which is neither encrypted nor authenticated, and read every command and value in it. Because field devices do not verify who sent a request, the attacker can either modify commands in flight or simply inject their own write requests, altering setpoints and control commands on HVAC units, lighting systems and other connected devices without valid credentials.
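Worked example, added here and not part of the OTPulse advisory or of Automated Logic's software: a decoder for classic BACnet/IP WriteProperty requests and an audit check that flags any write not sent by the WebCTRL server. It shows concretely what "unauthenticated and unencrypted" means for this protocol: the target object, property, value and priority are readable in the raw bytes, and nothing in the frame ties it to a sender. The addresses 10.20.0.10 (server), 10.20.0.77 (unlisted host) and 10.20.0.51 (controller) and both captured frames are constructed for the example.

```python
"""Decode classic (cleartext) BACnet/IP WriteProperty requests and flag writes from hosts
other than the WebCTRL server. Added example, not Automated Logic/Carrier code; the frames
below are constructed by hand and the IP addresses are assumptions."""
import struct
from ipaddress import ip_address

BVLC_TYPE, BVLC_FORWARDED, BVLC_UNICAST, BVLC_BROADCAST = 0x81, 0x04, 0x0A, 0x0B
SERVICE_WRITE_PROPERTY = 0x0F
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value",
                3: "binary-input", 4: "binary-output", 5: "binary-value"}
AUTHORIZED_WRITERS = {ip_address("10.20.0.10")}   # assumed address of the WebCTRL server

def _tag(buf, i):
    """Decode a BACnet tag header -> (number, is_context, length_or_type, next index)."""
    number, is_context, lvt, i = buf[i] >> 4, bool(buf[i] & 0x08), buf[i] & 0x07, i + 1
    if number == 0x0F:                        # extended tag number
        number, i = buf[i], i + 1
    if lvt == 5:                              # extended length (strings etc.); not needed here
        raise ValueError("extended length not handled")
    return number, is_context, lvt, i

def _app_value(buf, i):
    """Decode one application-tagged primitive: the value being written."""
    number, is_context, length, i = _tag(buf, i)
    if is_context:
        raise ValueError("expected an application tag")
    data = buf[i:i + length]
    if number == 1: return bool(length), i                                    # Boolean: value in length field
    if number == 2: return int.from_bytes(data, "big"), i + length            # Unsigned
    if number == 4: return struct.unpack(">f", data)[0], i + length           # REAL (big-endian IEEE 754)
    if number == 9: return ("enum", int.from_bytes(data, "big")), i + length  # Enumerated
    raise ValueError(f"unsupported application tag {number}")

def parse_write_property(frame):
    """Return a dict for a WriteProperty-Request, None for any other BACnet/IP frame."""
    if frame[0] != BVLC_TYPE or struct.unpack_from(">H", frame, 2)[0] != len(frame):
        raise ValueError("not a well-formed BACnet/IP frame")
    if frame[1] not in (BVLC_FORWARDED, BVLC_UNICAST, BVLC_BROADCAST):
        return None                           # BBMD management function, no NPDU inside
    i = 10 if frame[1] == BVLC_FORWARDED else 4   # Forwarded-NPDU carries a 6-byte B/IP address
    control, i = frame[i + 1], i + 2          # NPDU: version octet, control octet
    if control & 0x80:
        return None                           # network-layer message, no APDU
    if control & 0x20: i += 3 + frame[i + 2]  # DNET, DLEN, DADR
    if control & 0x08: i += 3 + frame[i + 2]  # SNET, SLEN, SADR
    if control & 0x20: i += 1                 # hop count
    apdu = frame[i:]
    if apdu[0] >> 4 != 0 or apdu[0] & 0x08 or apdu[3] != SERVICE_WRITE_PROPERTY:
        return None                           # not an unsegmented Confirmed-Request for WriteProperty
    num0, ctx0, ln0, j = _tag(apdu, 4)        # context 0: object identifier
    obj, j = struct.unpack_from(">I", apdu, j)[0], j + 4
    num1, ctx1, ln1, j = _tag(apdu, j)        # context 1: property identifier
    if not (ctx0 and num0 == 0 and ln0 == 4 and ctx1 and num1 == 1):
        raise ValueError("malformed WriteProperty request")
    prop, j = int.from_bytes(apdu[j:j + ln1], "big"), j + ln1
    num, ctx, ln, k = _tag(apdu, j)
    if ctx and num == 2:                      # optional context 2: array index
        num, ctx, ln, k = _tag(apdu, k + ln)
    if not (ctx and num == 3 and ln == 6):
        raise ValueError("expected opening tag 3")
    value, j = _app_value(apdu, k)            # context 3: one primitive value
    num, ctx, ln, j = _tag(apdu, j)
    if not (ctx and num == 3 and ln == 7):
        raise ValueError("expected closing tag 3")
    priority = None
    if j < len(apdu):                         # optional context 4: write priority 1..16
        num, ctx, ln, j = _tag(apdu, j)
        if ctx and num == 4:
            priority = int.from_bytes(apdu[j:j + ln], "big")
    return {"invoke_id": apdu[2], "object_type": OBJECT_TYPES.get(obj >> 22, obj >> 22),
            "instance": obj & 0x3FFFFF, "property_id": prop, "value": value, "priority": priority}

def audit_writes(records):
    """records: (src_ip, dst_ip, udp_payload). One alert per write from an unauthorised host.
    The frame proves nothing about its sender, so a passive monitor has only the source
    address to go on, and an attacker on the segment can spoof that as well."""
    alerts = []
    for src, dst, payload in records:
        wp = parse_write_property(payload)
        if wp and ip_address(src) not in AUTHORIZED_WRITERS:
            alerts.append(f"{src} -> {dst}: {wp['object_type']},{wp['instance']} "
                          f"property {wp['property_id']} := {wp['value']!r} priority {wp['priority']}")
    return alerts

# Constructed capture: the server sets analog-value,1 present-value to 21.0, then an
# unlisted host writes 35.0 to the same object with an identically formed request.
SAMPLE_RECORDS = [
    ("10.20.0.10", "10.20.0.51", bytes.fromhex(
        "810a001a" "0104"   # BVLC Original-Unicast-NPDU, length 26; NPDU v1, expecting reply
        "0005010f"          # APDU: Confirmed-Request, max APDU 1476, invoke 1, WriteProperty
        "0c00800001" "1955" # context 0: analog-value,1; context 1: present-value (85)
        "3e4441a800003f"    # context 3: REAL 21.0
        "4908")),           # context 4: priority 8
    ("10.20.0.77", "10.20.0.51", bytes.fromhex(
        "810a001a" "0104" "0005090f" "0c00800001" "1955" "3e44420c00003f" "4908")),
]

if __name__ == "__main__":
    print(*audit_writes(SAMPLE_RECORDS), sep="\n")
```

Running it prints one alert for the second frame only. The point of the check is also its limit: the allowlist keys on the source IP because that is the only sender-related field a passive monitor has, so it is a detection, not a control, and it is only as trustworthy as the segmentation that decides who can put packets on that network. BACnet/SC moves sender identity into a TLS client certificate that the hub and peers verify, which is what closes the gap the decoder exposes.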
Prerequisites
  • Network access to the building automation segment where WebCTRL communicates with field devices
  • WebCTRL prior to 8.5 (which cannot use BACnet/SC), or a later release on which BACnet/SC has not been enabled
  • Field devices still communicating over classic BACnet/IP rather than BACnet/SC
Tags: remotely exploitable; no authentication required; low complexity; high CVSS score (9.1); affects building automation systems (operational impact); no authentication in classic BACnet/IP
Exploitability
EPSS score 0.1%, so exploitation in the wild is predicted to be unlikely. Treat that with care: EPSS estimates the chance that exploitation activity is observed within the next 30 days, drawing largely on internet-facing telemetry, and says nothing about how hard the attack is. Here no exploit code is required; any host on the BACnet segment able to send ordinary BACnet/IP requests is enough.
Affected products (1)
Product | Affected versions | Fix status
WebCTRL Premium Server | < 8.5 | 8.5 cumulative releases and later (with BACnet/SC enabled)
Remediation & Mitigation
Do now
HARDENING: Isolate the building automation network (WebCTRL and field devices) from the business network with a firewall that allows only the traffic the system needs, such as BACnet/IP on its configured port (UDP 47808 by default) between the WebCTRL server and the field devices, and denies everything else by default
HARDENING: Block direct internet access to WebCTRL servers and field devices, never expose the BACnet/IP port to the internet, and require VPN for any remote access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update WebCTRL to version 8.5 cumulative releases or later. The update makes BACnet/SC available; the exposure is closed only once it is enabled
HARDENING: Enable BACnet Secure Connect (BACnet/SC) for WebCTRL's communications with field devices, so that traffic is carried over TLS and each device is mutually authenticated by certificate. BACnet/SC must be supported at both ends: controllers or routers that still speak only classic BACnet/IP keep communicating in cleartext and remain exposed, so inventory field devices and plan their upgrade or replacement in the same window
Long-term hardening
HARDENING: Implement network segmentation so WebCTRL communicates only with authorized field devices and administrative workstations, and monitor the segment for BACnet write requests that originate anywhere else


Source: OTPulse advisory page