{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-32666","assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","state":"PUBLISHED","assignerShortName":"icscert","dateReserved":"2026-03-12T19:57:03.327Z","datePublished":"2026-03-20T23:17:29.342Z","dateUpdated":"2026-03-23T15:56:02.688Z"},"containers":{"cna":{"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2026-03-20T23:17:29.342Z"},"title":"Automated Logic WebCTRL Premium Server Authentication Bypass by Spoofing","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-290","description":"CWE-290","type":"CWE"}]}],"affected":[{"vendor":"Automated Logic","product":"WebCTRL Premium Server","versions":[{"status":"affected","version":"0","lessThan":"v8.5","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"WebCTRL systems that communicate over BACnet inherit the protocol's lack\n of network layer authentication. WebCTRL does not implement additional \nvalidation of BACnet traffic so an attacker with network access could \nspoof BACnet packets directed at either the WebCTRL server or associated\n AutomatedLogic controllers. Spoofed packets may be processed as \nlegitimate.","supportingMedia":[{"type":"text/html","base64":false,"value":"WebCTRL systems that communicate over BACnet inherit the protocol's lack\n of network layer authentication. WebCTRL does not implement additional \nvalidation of BACnet traffic so an attacker with network access could \nspoof BACnet packets directed at either the WebCTRL server or associated\n AutomatedLogic controllers. Spoofed packets may be processed as \nlegitimate."}]}],"tags":["unsupported-when-assigned"],"references":[{"url":"https://www.automatedlogic.com/en/company/security-commitment/"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08"},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseSeverity":"HIGH","baseScore":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}],"solutions":[{"lang":"en","value":"Automated Logic notes that WebCTRL 7 is end of life and has been \nout of support since January 27, 2023. Users are advised to upgrade to \nthe latest version of the WebCTRL server application, which supports the\n more secure BACnet/SC.","supportingMedia":[{"type":"text/html","base64":false,"value":"Automated Logic notes that WebCTRL 7 is end of life and has been \nout of support since January 27, 2023. Users are advised to upgrade to \nthe latest version of the WebCTRL server application, which supports the\n more secure BACnet/SC."}]},{"lang":"en","value":"For users of supported versions of WebCTRL (WebCTRL 8.5 \ncumulative releases and later), Automated Logic provides secure \nconfiguration guidance for hardware and software deployments; BACnet \nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \nmutual authentication; and published best practices for network \nsegmentation, access control, and secure protocol implementation. \nAdditional information is available at: \n https://www.automatedlogic.com/en/company/security-commitment/","supportingMedia":[{"type":"text/html","base64":false,"value":"For users of supported versions of WebCTRL (WebCTRL 8.5 \ncumulative releases and later), Automated Logic provides secure \nconfiguration guidance for hardware and software deployments; BACnet \nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \nmutual authentication; and published best practices for network \nsegmentation, access control, and secure protocol implementation. \nAdditional information is available at:&nbsp;<br><a href=\"https://www.automatedlogic.com/en/company/security-commitment/\" title=\"(opens in a new window)\">https://www.automatedlogic.com/en/company/security-commitment/</a>"}]}],"credits":[{"lang":"en","value":"Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA.","type":"finder"}],"source":{"advisory":"ICSA-26-078-08","discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 1.0.1"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-290","lang":"en","description":"CWE-290 Authentication Bypass by Spoofing"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-23T14:49:42.712836Z","id":"CVE-2026-32666","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-23T15:56:02.688Z"}}]}}