WebCTRL systems that use BACnet do not perform network‑layer authentication, and no additional validation is performed. The result is that an attacker who can transmit traffic onto the BACnet network can send spoofed packets that the WebCTRL server or connected controllers treat as legitimate, effectively bypassing authentication. This weakness is identified as CWE‑290. Because the spoofed packets are accepted, an attacker could issue unauthorized commands, alter configuration data, or disrupt service, compromising confidentiality, integrity, or availability of the affected systems. The vulnerability enables an attacker to impersonate a trusted BACnet device and gain control over WebCTRL functionality without physically tampering with the hardware. The likely attack vector is network access to the BACnet segment, suggesting a local or LAN‑based intrusion path.

The affected product is Automated Logic WebCTRL Premium Server. The issue is present in all versions that use standard BACnet, including the end‑of‑life WebCTRL 7 and in any WebCTRL 8.5 cumulative releases or later that have not yet been upgraded to use BACnet/SC with TLS encryption. Customers running older WebCTRL versions or those that have not applied the latest cumulative release may be susceptible until a proper upgrade is performed.

The CVSS v3 base score of 7.5 indicates a high severity. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need the ability to send traffic over the BACnet network; no public exploit code is documented. However, the high severity combined with the local network access requirement means that a compromised or poorly segmented environment could allow an attacker to hijack control of the WebCTRL server and connected devices.