Description
Under certain conditions, an attacker could bind to the same port used
by WebCTRL. This could allow the attacker to craft and send malicious
packets and impersonate the WebCTRL service without requiring code
injection into the WebCTRL software.
Published: 2026-03-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Service Impersonation
Action: Upgrade Immediately
AI Analysis

Impact

The vulnerability allows an attacker to bind to the TCP port that WebCTRL Premium Server uses, enabling them to send crafted packets that the system will accept as coming from the legitimate service. Because no code injection is required, the attacker can impersonate the WebCTRL service and potentially redirect or inject traffic to connected BACnet devices.

Affected Systems

Affected deployments are those running Automated Logic’s WebCTRL Premium Server, especially the end‑of‑life WebCTRL 7 edition and earlier. Users of WebCTRL 8.5 cumulative releases or newer should verify that they are using the latest version, which includes secure BACnet/SC support and improved configuration guidance. If an older unsupported version is in use, the vulnerability is present.

Risk and Exploitability

With a CVSS score of 7.7, the flaw is considered high severity. No EPSS data or KEV listing indicates it may not yet have been exploited, yet the absence of a code‑injection requirement means an attacker only needs to reach the vulnerable port, which is feasible from any network segment with access to the device. The risk remains notable in environments where WebCTRL is exposed to untrusted networks.

Generated by OpenCVE AI on March 21, 2026 at 07:27 UTC.

Remediation

Vendor Solution

Automated Logic notes that WebCTRL 7 is end of life and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

OpenCVE Recommended Actions

  • Upgrade to the latest WebCTRL server (8.5 cumulative releases or later).
  • Apply Automated Logic’s secure configuration guidance, including BACnet/SC support with TLS and mutual authentication.
  • Implement firewall rules or network segmentation to restrict access to the WebCTRL port.
  • Monitor for unexpected traffic or binding attempts on the service port.

Generated by OpenCVE AI on March 21, 2026 at 07:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Automatedlogic
Automatedlogic webctrl Server
Vendors & Products Automatedlogic
Automatedlogic webctrl Server

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.
Title Automated Logic WebCTRL Premium Server Multiple Binds to the Same Port
Weaknesses CWE-605
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Automatedlogic Webctrl Server
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-23T15:56:09.720Z

Reserved: 2026-03-12T19:57:03.300Z

Link: CVE-2026-25086

cve-icon Vulnrichment

Updated: 2026-03-23T14:50:16.600Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T00:16:25.683

Modified: 2026-03-23T16:16:43.883

Link: CVE-2026-25086

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:48Z

Weaknesses