Network Vulnerability in AutomatedLogic WebCTRL Systems Using BACnet Protocol
CVE-2026-32666
7.5 HIGH
What is CVE-2026-32666?
AutomatedLogic WebCTRL systems communicate over the BACnet protocol, and they are exposed because BACnet itself provides no network-layer authentication. An attacker with network access could spoof BACnet packets directed at the WebCTRL server or its associated AutomatedLogic controllers. If the spoofing succeeds, those packets may be processed as legitimate, posing significant risks to system integrity and security.
Affected Version(s)
WebCTRL Premium Server 0
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA.
