Changeflow GovPing Data Privacy & Cybersecurity CISA ICS Advisory: WebCTRL Server Vulnerabiliti...
Priority review Notice Added Final

CISA ICS Advisory: WebCTRL Server Vulnerabilities Allow Communication Interception

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published March 19th, 2026
Detected March 19th, 2026
Email

Summary

CISA issued an advisory regarding multiple vulnerabilities in Automated Logic WebCTRL Premium Server. Successful exploitation could allow attackers to intercept or modify communications. The advisory provides details on affected versions and remediation guidance.

View original document View source feed page

What changed

CISA has released an Industrial Control System (ICS) Advisory (ICSA-26-078-08) detailing multiple vulnerabilities in Automated Logic WebCTRL Premium Server, specifically affecting versions prior to v8.5. The vulnerabilities, including CVE-2026-25086 and CVE-2026-32666, could allow an attacker to bind to the same port, bypass authentication, and transmit sensitive information in cleartext, or spoof BACnet packets. The CVSS base score for CVE-2026-25086 is 7.7 (HIGH).

Automated Logic recommends upgrading to the latest WebCTRL server application version, which supports the more secure BACnet/SC protocol, for customers using supported versions. For unsupported versions (WebCTRL 7), users are strongly advised to upgrade as it is End of Life (EOL) and out of support. Organizations should also implement network segmentation, access control, and secure protocol best practices. While no specific compliance deadline is stated, prompt remediation is crucial to prevent potential communication interception and modification in critical infrastructure environments.

What to do next

  1. Upgrade Automated Logic WebCTRL Premium Server to the latest supported version.
  2. Implement BACnet Secure Connect (BACnet/SC) where applicable.
  3. Review and implement Automated Logic's secure configuration guidance and network segmentation best practices.

Source document (simplified)

ICS Advisory

Automated Logic WebCTRL Premium Server

Release Date

March 19, 2026

Alert Code ICSA-26-078-08 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF

Summary

Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications.

The following versions of Automated Logic WebCTRL Premium Server are affected:

  • WebCTRL Premium Server

| CVSS | Vendor | Equipment | Vulnerabilities |
| --- | --- | --- | --- |
| v3 9.1 | Automated Logic | Automated Logic WebCTRL Premium Server | Multiple Binds to the Same Port, Authentication Bypass by Spoofing, Cleartext Transmission of Sensitive Information |

Background

  • Critical Infrastructure Sectors: Commercial Facilities
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities

Expand All +

CVE-2026-25086

Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.

View CVE Details

Affected Products

Automated Logic WebCTRL Premium Server

Vendor:
Automated Logic Product Version:
Automated Logic WebCTRL Premium Server: <v8.5 Product Status:
known_affected

Remediations

Mitigation
Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

Mitigation
For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.
https://www.automatedlogic.com/en/company/security-commitment/

Relevant CWE: CWE-605 Multiple Binds to the Same Port

Metrics

| CVSS Version | Base Score | Base Severity | Vector String |
| --- | --- | --- | --- |
| 3.1 | 7.7 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |

CVE-2026-32666

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

View CVE Details

Affected Products

Automated Logic WebCTRL Premium Server

Vendor:
Automated Logic Product Version:
Automated Logic WebCTRL Premium Server: <v8.5 Product Status:
known_affected

Remediations

Mitigation
Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

Mitigation
For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.
https://www.automatedlogic.com/en/company/security-commitment/

Relevant CWE: CWE-290 Authentication Bypass by Spoofing

Metrics

| CVSS Version | Base Score | Base Severity | Vector String |
| --- | --- | --- | --- |
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |

CVE-2026-24060

Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.

View CVE Details

Affected Products

Automated Logic WebCTRL Premium Server

Vendor:
Automated Logic Product Version:
Automated Logic WebCTRL Premium Server: <v8.5 Product Status:
known_affected

Remediations

Mitigation
Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

Mitigation
For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.
https://www.automatedlogic.com/en/company/security-commitment/

Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information

Metrics

| CVSS Version | Base Score | Base Severity | Vector String |
| --- | --- | --- | --- |
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |

Acknowledgments

  • Jonathan Lee, Thuy D. Nguyen and Neil C. Rowe of the Naval Postgraduate School reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

  • Initial Release Date: 2026-03-19

| Date | Revision | Summary |
| --- | --- | --- |
| 2026-03-19 | 1 | Initial Publication |

Legal Notice and Terms of Use

This product is provided subject to this Notification and this Privacy & Use policy.

Tags

Sector: Commercial Facilities Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Related Advisories

Mar 19, 2026

ICS Advisory | ICSA-26-078-07

IGL-Technologies eParking.fi

Mar 19, 2026

ICS Advisory | ICSA-26-078-04

Schneider Electric EcoStruxure PME and EPO

Mar 19, 2026

ICS Advisory | ICSA-26-078-01

Schneider Electric Modicon M241, M251, and M262

Mar 19, 2026

ICS Advisory | ICSA-26-078-02

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Named provisions

Automated Logic WebCTRL Premium Server CVE-2026-25086 CVE-2026-32666

Related changes

Favicon for www.cisa.gov CISA Adds Cisco Vulnerability CVE-2026-20131 to KEV Catalog
Urgent Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA ICS Advisory: Schneider Electric Modicon Vulnerabilities
Priority review Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA Adds Microsoft SharePoint Vulnerability to KEV Catalog
Urgent Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.justice.gov DOJ Seizes Four Domains Used in Iranian Cyber Operations
Urgent Mar 20, 2026 DOJ News Courts & Legal
Favicon for www.cert.ssi.gouv.fr Microsoft Products Vulnerabilities
Priority review Mar 19, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity
Favicon for www.cert.ssi.gouv.fr CERT-FR: Multiple vulnerabilities in Roundcube software
Priority review Mar 19, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Data Privacy & Cybersecurity
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CISA
Published
March 19th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
ICSA-26-078-08

Who this affects

Applies to
Commercial Facilities
Industry sector
9211 Government & Public Administration
Activity scope
ICS Communication Interception Vulnerability Management
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Industrial Control Systems Vulnerability Management

Browse Categories

Agriculture & Food Safety 61 Banking & Finance 211 Consumer Protection 35 Courts & Legal 245 Data Privacy & Cybersecurity 59 Defense & National Security 48 Education 20 Energy 101 Energy & Utilities 1 Environment 82 Government & Legislation 240 Healthcare 116 Housing 15 Immigration 8 Insurance 56 Labor & Employment 110 Pharma & Drug Safety 77 Securities & Markets 73 Tax 49 Telecom & Technology 34 Trade & Sanctions 122 Transportation 56

Get Data Privacy & Cybersecurity alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Free. Unsubscribe anytime.