Advisory

Critical Authentication Bypass in Avation Light Engine Pro Allows Full Device Takeover

Take action: Isolate your Avation Light Engine Pro devices from the internet and make them accessible only from trusted networks. There is no patch, and the vendor is unresponsive. Use a VPN and firewalls to ensure that only authorized internal staff can reach the control interface, and start planning for a replacement.


Learn More

CISA released a critical security advisory for the Avation Light Engine Pro, a lighting control system used in commercial facilities worldwide. 

The vulnerability is tracked as CVE-2026-1341 (CVSS score 9.8), a missing-authentication vulnerability that allows unauthenticated users to access the device's configuration and control interface. The system implements no access control mechanism at all, leaving the management portal open to anyone on the network.

An attacker can send direct commands to the interface to modify system settings or disable lighting controls. Attackers can manipulate lighting schedules, change administrative settings, or disrupt operations in sensitive environments like hospitals and data centers. 

Since the Light Engine Pro often connects to broader building networks, it could also serve as a pivot point for further network exploration. 

This security issue affects every version of the Avation Light Engine Pro. The Australian-based vendor, Avation, has not responded to CISA's attempts to coordinate a response or release a patch. 

Without a firmware update, the vulnerability is present in all deployed units globally. 

To mitigate the risk, administrators should remove Light Engine Pro devices from the public internet immediately, use firewalls to isolate control system networks from standard business networks, and restrict access to trusted IP addresses.

If remote management is required, use a Virtual Private Network (VPN) with strong encryption and multi-factor authentication.
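As an added example that is not part of the CISA advisory or any vendor material, the following Python models the recommended allowlist so an administrator can compare the unprotected state with the firewall-restricted one and render the restricted policy as nftables rules; the device address, control port and VPN subnet are constructed assumptions, since the advisory names none of them.

```python
# Added example, not from the CISA advisory or the vendor: models the advised
# allowlist so an admin can check who can reach the Light Engine Pro portal.
# Every address, the control port and the subnet are constructed assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

DEVICE_IP = ip_address("10.20.30.40")       # assumed: device on control VLAN
CONTROL_PORT = 80                           # assumed: advisory names no port
TRUSTED_MGMT = ip_network("10.99.0.0/24")   # assumed: VPN pool for admins

@dataclass(frozen=True)
class Rule:
    src: IPv4Network          # source network the rule matches
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "accept" or "drop"

def evaluate(rules, src_ip, dst_port, default="accept"):
    """First-match evaluation like a firewall chain; no rules = unfiltered."""
    src = ip_address(src_ip)
    for rule in rules:
        if src in rule.src and rule.dst_port in (None, dst_port):
            return rule.action
    return default

# Weak state from the advisory: no access control, every path reaches the portal.
WEAK_POLICY = []

# Mitigated state: only the VPN subnet reaches the control port; all else dropped.
HARDENED_POLICY = [
    Rule(TRUSTED_MGMT, CONTROL_PORT, "accept"),
    Rule(ip_network("0.0.0.0/0"), None, "drop"),
]

def audit(policy, sources):
    """Return {source_ip: decision} for traffic to the control port."""
    return {src: evaluate(policy, src, CONTROL_PORT) for src in sources}

def to_nftables(policy):
    """Render the policy as nftables rules (assumed forward-chain layout)."""
    lines = []
    for r in policy:
        match = f"ip saddr {r.src} ip daddr {DEVICE_IP}"
        if r.dst_port is not None:
            match += f" tcp dport {r.dst_port}"
        lines.append(f"{match} {r.action}")
    return "\n".join(lines)
```

Running `audit(HARDENED_POLICY, [...])` against an internet address, a business-LAN host and a VPN admin shows only the VPN admin reaching the control port, while `audit(WEAK_POLICY, ...)` shows all three getting through.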
