Access Control Bypass in ALC WebCTRL and Carrier i-Vu by Carrier
CVE-2024-5539

9.2CRITICAL

Key Information:

Vendor: Automated Logic
Status: Webctrl; I-vu
Vendor: CVE Published:; 27 November 2025

🔔 Create Automated Logic Vulnerability Alert

What is CVE-2024-5539?

An Access Control Bypass vulnerability has been identified in ALC WebCTRL and Carrier i-Vu, which allows unauthorized users to circumvent access restrictions. This flaw impacts versions up to and including 8.5, potentially allowing malicious actors to gain access to sensitive information through the web-based building automation server. The exposure of such data can lead to significant operational risks and security breaches.

Affected Version(s)

i-Vu Windows 0 <= 8.5

WebCTRL Windows 0 <= 8.5

References

https://www.corporate.carrier.com/product-security/adviso...

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2025
Vulnerability Reserved
May 30, 2024

Credit

Steve Knabe from Praetorian

CVE-2024-5539 Data

JSON