Description
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.
Published: 2026-02-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write on BACnet devices
Action: Patch Now
AI Analysis

Impact

BACnet Stack’s file‑writing functions fail to validate user‑supplied file paths, permitting attackers to write files to any filesystem location. This flaw is a classic example of an uncontrolled path traversal (CWE‑22) that can compromise confidentiality, integrity, or availability if critical files are altered or malicious payloads are deployed. The vulnerability is present in the libraries used by apps/readfile/main.c and ports/posix/bacfile‑posix.c, allowing write operations without directory restriction.

Affected Systems

The affected product is the BACnet Stack library from the bacnet-stack project. Versions 1.5.0 rc1 and rc2 are vulnerable; the issue is resolved in 1.5.0 rc3 and later releases. The flaw is relevant to embedded systems that use the BACnet protocol stack for building automation, HVAC, and related industrial control settings.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% reflects a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but the potential impact of uncontrolled file writes is significant. The likely attack vector is an adversary that can invoke the BACnet stack’s file writing interface—either remotely or locally—together with any utility that specifies file paths. Successful exploitation would allow an attacker to create, modify, or delete files anywhere on the device’s filesystem.

Generated by OpenCVE AI on April 17, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BACnet Stack to version 1.5.0 rc3 or later to apply the vendor patch that validates file paths
  • If upgrading is not immediately possible, disable or restrict the file‑write functionality in the application or remove the components (apps/readfile/main.c and ports/posix/bacfile‑posix.c) that expose the vulnerability
  • Set strict filesystem permissions on the target device so that the BACnet process runs with the minimum privileges required, preventing arbitrary file modifications

Generated by OpenCVE AI on April 17, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Bacnetstack
Bacnetstack bacnet Stack
Vendors & Products Bacnetstack
Bacnetstack bacnet Stack

Fri, 13 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.
Title BACnet Stack Improperly Limits Pathnames to a Restricted Directory
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Bacnetstack Bacnet Stack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T18:53:59.648Z

Reserved: 2026-01-05T17:24:36.928Z

Link: CVE-2026-21878

cve-icon Vulnrichment

Updated: 2026-02-13T18:53:52.251Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-13T19:17:28.650

Modified: 2026-02-18T18:49:16.530

Link: CVE-2026-21878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses