Description
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and
prior that allows remote attackers to send specially crafted LON IP-852
management messages to the device, resulting in arbitrary OS command
execution.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Execution
Action: Immediate Patch
AI Analysis

Impact

EnOcean SmartServer IoT devices running versions 4.60.009 and earlier are vulnerable to an arbitrary OS command injection via crafted LON IP-852 management messages. The flaw allows remote attackers to execute any command on the device, compromising confidentiality, integrity, and availability. The vulnerability is a classic input-to-command injection (CWE-77).

Affected Systems

EnOcean Edge Inc SmartServer IoT devices, specifically those with SmartServer platform versions 4.60.009 or earlier, are affected. The flaw exists in the LON IP‑852 management interface delivered with those firmware releases.

Risk and Exploitability

The CVSS score of 8.1 indicates a high risk, but the EPSS indicates an exploitation probability of less than 1%, reflecting a low likelihood of attacks at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires remote network access to the LON IP‑852 management channel, meaning an attacker must be able to deliver specially crafted packets to the device. With that access, the attacker can run arbitrary commands and gain full control of the device.

Generated by OpenCVE AI on April 17, 2026 at 17:28 UTC.

Remediation

Vendor Solution

EnOcean recommends users update the SmartServer platform software to SmartServer 4.6 Update 2 (v4.60.023) or a later release; see https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes#Current-Stable-Release .

Vendor Workaround

For additional mitigations and workarounds, refer to EnOcean's hardening guide at https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security .

OpenCVE Recommended Actions

  • Upgrade SmartServer platform to version 4.60.023 or later as recommended by EnOcean.
  • Apply the hardening configurations described in EnOcean's hardening guide.
  • Restrict LON IP‑852 management traffic to trusted networks or disable it if not required.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Enocean Edge; Enocean Edge smartserver Iot
Vendors & Products | | Enocean Edge; Enocean Edge smartserver Iot

Fri, 20 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device.
Title | | EnOcean SmartServer IoT Command Injection
Weaknesses | | CWE-77
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-02-20T20:09:15.218Z

Reserved: 2026-02-12T00:19:51.025Z

Link: CVE-2026-20761

Vulnrichment

Updated: 2026-02-20T20:08:48.192Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:32.243

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20761

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses