Insufficient Encryption Vulnerability in WebCTRL by Automated Logic
CVE-2026-24060

9.1CRITICAL

Key Information:

Vendor: Automated Logic
Status: Webctrl Premium Server
Vendor: CVE Published:; 20 March 2026

🔔 Create Automated Logic Vulnerability Alert

What is CVE-2026-24060?

The WebCTRL system by Automated Logic exhibits a significant vulnerability where service information transmitted via BACnet packets lacks adequate encryption. This flaw allows attackers to sniff, intercept, and potentially modify sensitive data within network traffic. Critical information, including the File Start Position and File Data, can be captured using tools like Wireshark's BACnet dissector. Additionally, the proprietary format utilized by WebCTRL to receive updates from PLCs can be easily intercepted and reverse-engineered, posing serious security risks to the integrity of the system.

Affected Version(s)

WebCTRL Premium Server 0

References

https://www.automatedlogic.com/en/company/security-commit...

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA.

CVE-2026-24060 Data

JSON