Contemporary Controls BASC 20T

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-26-099-01 | Apr 9, 2026
Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The BASC-20T controller contains a vulnerability that allows an attacker with network access to enumerate and modify all associated PLC components without authentication. Successful exploitation enables reconfiguration, file deletion, file transfer, and execution of remote procedure calls on the device. According to the vendor, the BASC-20T is an obsolete product with no patch available.

What this means
What could happen
An attacker with network access to the BASC-20T controller could enumerate and modify all PLC components, reconfigure control logic, delete settings, transfer malicious files, and execute arbitrary remote commands. This could directly alter process operations, disable safety interlocks, or cause equipment damage.
Who's at risk
Manufacturing facilities and any industrial plant using the obsolete Contemporary Controls BASC-20T controller for process automation, building management, or equipment control. This affects PLCs integrated into production lines, HVAC systems, power distribution, or other mission-critical control logic.
How it could be exploited
An attacker on the network sends requests to the BASC-20T controller. The device has no authentication requirement, allowing the attacker to enumerate component functionality, modify configuration parameters, delete critical files, upload malware via file transfer, and execute remote procedure calls that alter control logic or operational behavior.
Prerequisites
  • Network access to the BASC-20T controller
  • No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects control system operations
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
BASControl20 | 3.13.1 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Immediately isolate or remove BASC-20T units from the network if they are still in service and cannot be replaced
  • HARDENING: Contact Contemporary Controls to verify end-of-life status and discuss upgrade or replacement options for all affected BASC-20T systems
  • HARDENING: If BASC-20T units must remain in operation, implement network segmentation to restrict access to the device to only authorized engineering workstations on a separate control network
  • WORKAROUND: Deploy firewall rules to block all inbound network traffic to BASC-20T devices from untrusted networks