Advisory

Multiple Flaws Reported in Automated Logic WebCTRL Premium Server

Take action: If you are using Automated Logic WebCTRL, make sure it is isolated from the internet and from your office network, then plan a patch to 8.5 or later. Legacy 7.x versions are end-of-life and will not be updated, so plan an upgrade.


Learn More

Automated Logic reports three security vulnerabilities in its WebCTRL Premium Server, a platform used globally to manage building automation and HVAC systems in commercial facilities. Attackers can exploit these weaknesses to read, intercept, or change communications between the server and connected controllers, potentially disrupting building operations. 

Vulnerabilities summary:

  • CVE-2026-24060 (CVSS score 9.1) - Cleartext transmission of sensitive information: the server exchanges service data with controllers as unencrypted BACnet packets. Anyone who can sniff the network segment can capture file transfers and reverse engineer the proprietary format used for PLC updates, exposing operational secrets and the contents of sensitive file transfers.
  • CVE-2026-25086 (CVSS score 7.7) - Multiple binds to the same port: a second process can bind the port already used by the WebCTRL service. A local attacker can use this to impersonate the legitimate service and send malicious packets to other devices without injecting any code into WebCTRL itself, resulting in unauthorized service impersonation and data manipulation.
  • CVE-2026-32666 (CVSS score 7.5) - Authentication bypass through missing network-layer authentication: the BACnet protocol provides none, and the software adds no validation of its own, so an attacker with network access can spoof BACnet packets aimed at the server or its controllers and have them processed as legitimate commands. Because BACnet/IP runs over UDP, the source address of such packets is trivially forged as well.
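Added example (not WebCTRL code, and nothing from Automated Logic) showing the multiple-bind condition described for CVE-2026-25086 on throwaway local UDP sockets: whether a second local process can bind the port a service already holds depends entirely on how the service opened its socket. The "service" and "intruder" sockets and the OS-assigned port are the example's own; it makes no claim about how WebCTRL itself opens its socket.

```python
"""Illustration of the multiple-bind condition described for CVE-2026-25086,
using throwaway local UDP sockets.  Example added to this advisory; it is not
WebCTRL code and makes no claim about how WebCTRL opens its own socket."""
import socket


def bind_udp(port: int, reuse_addr: bool) -> socket.socket:
    """Bind a UDP socket on 127.0.0.1:port; port 0 lets the OS pick one.
    SO_REUSEADDR is the option that permits a duplicate bind on Linux/BSD
    (Windows semantics differ: there SO_EXCLUSIVEADDRUSE is the guard)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if reuse_addr:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    return sock


def second_bind_succeeds(service_reuse_addr: bool) -> bool:
    """A stand-in 'service' binds a port; a second local process (the
    'intruder') then tries to bind the same port with SO_REUSEADDR set.
    Returns True when the OS accepts the second bind, i.e. the port can be
    shared or hijacked by another local user."""
    service = bind_udp(0, reuse_addr=service_reuse_addr)
    port = service.getsockname()[1]
    try:
        intruder = bind_udp(port, reuse_addr=True)
    except OSError:                     # EADDRINUSE: the exclusive bind holds
        service.close()
        return False
    intruder.close()
    service.close()
    return True


def who_receives(service_reuse_addr: bool, timeout: float = 0.5) -> str:
    """Bind both sockets (if the OS allows it), send one datagram to the port
    and report which socket got it.  Delivery between duplicate binds is an
    OS detail (on Linux the most recently bound socket normally wins), so the
    outcome is reported rather than assumed."""
    service = bind_udp(0, reuse_addr=service_reuse_addr)
    port = service.getsockname()[1]
    try:
        intruder = bind_udp(port, reuse_addr=True)
    except OSError:
        service.close()
        return "service (second bind refused)"
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(b"hello controller", ("127.0.0.1", port))
    result = "nobody"
    for name, sock in (("intruder", intruder), ("service", service)):
        sock.settimeout(timeout)
        try:
            sock.recvfrom(64)
            result = name
            break
        except socket.timeout:
            continue
    for s in (sender, intruder, service):
        s.close()
    return result


if __name__ == "__main__":
    for reuse in (False, True):
        print(f"service bound with SO_REUSEADDR={reuse}: "
              f"second bind accepted={second_bind_succeeds(reuse)}, "
              f"datagram delivered to {who_receives(reuse)}")
```

The check a practitioner wants from this is the first one: a service that must not be impersonated should hold its port exclusively (no SO_REUSEADDR/SO_REUSEPORT on Linux, SO_EXCLUSIVEADDRUSE on Windows) so that a duplicate bind is refused at the OS rather than trusted not to happen.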

The affected product is the Automated Logic WebCTRL Premium Server for all versions earlier than 8.5. The vendor noted that WebCTRL 7 reached its end-of-life (EOL) status on January 27, 2023, and will not receive security patches.

Organizations running these legacy versions are worse off because they lack support for BACnet Secure Connect (BACnet/SC), which wraps BACnet traffic in TLS with certificate-based mutual authentication of nodes, addressing both the cleartext transmission and the missing network-layer authentication described above.

Users should upgrade to WebCTRL 8.5 or later, which supports BACnet/SC for TLS encryption and mutual authentication, and then enable it on both the server and the controllers, since support alone changes nothing on the wire. For those unable to upgrade immediately, Automated Logic recommends network segmentation and isolating control systems from the internet; in practice that means restricting which hosts can reach the BACnet/IP port (UDP 47808 by default) at all.
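The datagrams behind CVE-2026-24060 are readable by anyone on the segment, and for CVE-2026-32666 nothing in classic BACnet/IP says who sent them, which is why segmentation is the stopgap. The decoder and allowlist check below is an added example written for this advisory (not WebCTRL or Automated Logic code, and not a WebCTRL-specific format): it parses the BVLC, NPDU and APDU headers of hand-constructed BACnet/IP datagrams and flags state-changing requests (writeProperty, deviceCommunicationControl, reinitializeDevice) that did not come from a known server. The packet bytes, the 10.20.0.x addresses and the allowlist are constructed for the example.

```python
"""Decode cleartext BACnet/IP datagrams and flag state-changing requests from
hosts outside an allowlist.  Example added to this advisory; not WebCTRL or
Automated Logic code.  Packet bytes and addresses below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
CONFIRMED_SERVICES = {12: "readProperty", 15: "writeProperty",
                      17: "deviceCommunicationControl", 20: "reinitializeDevice"}
UNCONFIRMED_SERVICES = {0: "i-Am", 8: "who-Is"}
# Requests that change controller state.  Classic BACnet/IP carries no
# authentication field at all, so nothing in the packet proves the sender.
STATE_CHANGING = {"writeProperty", "deviceCommunicationControl", "reinitializeDevice"}


@dataclass
class BacnetMessage:
    bvlc_function: str
    pdu_type: int                       # 0 = confirmed request, 1 = unconfirmed request
    service: str
    object_type: Optional[int] = None
    instance: Optional[int] = None
    property_id: Optional[int] = None


def decode_bacnet_ip(data: bytes) -> BacnetMessage:
    """Parse BVLC -> NPDU -> APDU headers; nothing here is encrypted or signed."""
    if len(data) < 6 or data[0] != 0x81:
        raise ValueError("not a BACnet/IP datagram")
    func, length = data[1], struct.unpack("!H", data[2:4])[0]
    if length != len(data):
        raise ValueError("BVLC length mismatch")
    off = 4
    if func == 0x04:                    # Forwarded-NPDU: 6-byte original B/IP address
        off += 6
    if data[off] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = data[off + 1]
    off += 2
    if control & 0x20:                  # DNET(2) DLEN(1) DADR(DLEN)
        off += 3 + data[off + 2]
    if control & 0x08:                  # SNET(2) SLEN(1) SADR(SLEN)
        off += 3 + data[off + 2]
    if control & 0x20:
        off += 1                        # hop count follows the source specifier
    if control & 0x80:
        raise ValueError("network-layer message, not an APDU")
    pdu_type = data[off] >> 4
    if pdu_type == 0:                   # Confirmed-Request: hdr, max-resp, invoke-id, service
        if data[off] & 0x08:
            raise ValueError("segmented request not handled")
        choice = data[off + 3]
        service = CONFIRMED_SERVICES.get(choice, f"confirmed-{choice}")
        body = data[off + 4:]
    elif pdu_type == 1:                 # Unconfirmed-Request: hdr, service
        choice = data[off + 1]
        service = UNCONFIRMED_SERVICES.get(choice, f"unconfirmed-{choice}")
        body = data[off + 2:]
    else:
        service, body = f"pdu-type-{pdu_type}", b""
    msg = BacnetMessage(BVLC_FUNCTIONS.get(func, f"bvlc-{func:#04x}"), pdu_type, service)
    # Property services open with context tag 0 (object id, 4 bytes) then tag 1 (property id).
    if len(body) >= 7 and body[0] == 0x0C and (body[5] & 0xF8) == 0x18:
        obj = struct.unpack("!I", body[1:5])[0]
        msg.object_type, msg.instance = obj >> 22, obj & 0x3FFFFF
        n = body[5] & 0x07
        msg.property_id = int.from_bytes(body[6:6 + n], "big")
    return msg


def flag_unauthenticated_writes(datagrams, allowlist):
    """datagrams: (source_ip, payload) pairs from a capture.  Returns one alert
    tuple per state-changing request whose source is not allowlisted.
    Caveat: BACnet/IP is UDP, so the source address can itself be forged; this
    catches scanning or careless attackers, not a spoofing one."""
    alerts = []
    for src, payload in datagrams:
        try:
            msg = decode_bacnet_ip(payload)
        except ValueError:
            continue
        if msg.service in STATE_CHANGING and src not in allowlist:
            alerts.append((src, msg.service, msg.object_type, msg.instance, msg.property_id))
    return alerts


# Hand-built datagrams (constructed for this example).
READ_PV = bytes.fromhex("810a0011" "0104" "0005010c" "0c00000001" "1955")   # readProperty AI:1 present-value
WRITE_PV = bytes.fromhex("810a001a" "0104" "0005020f" "0c00400001" "1955"
                         "3e4442340000" "3f" "4908")                       # writeProperty AO:1 = 45.0, priority 8
WHO_IS = bytes.fromhex("810b000c" "0120ffff00ff" "1008")                   # global-broadcast who-Is

CAPTURE = [                                   # constructed capture, addresses made up
    ("10.20.0.5", READ_PV),                   # the WebCTRL server polling a controller
    ("10.20.0.5", WRITE_PV),                  # the server changing a setpoint
    ("10.20.0.77", WHO_IS),                   # unknown host enumerating devices (read-only)
    ("10.20.0.77", WRITE_PV),                 # unknown host changing a setpoint -> alert
]
ALLOWLIST = {"10.20.0.5"}


def example_alerts():
    return flag_unauthenticated_writes(CAPTURE, ALLOWLIST)
```

Everything the decoder recovers (service, object, property, the written value) is sitting in plain bytes on UDP 47808, which is the cleartext finding, and the only thing distinguishing the legitimate write from the rogue one is a source address the network does not verify. Treat the allowlist as a detection aid alongside segmentation; authentication of the sender only arrives with BACnet/SC and its certificates.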
