PatchSiren cyber security CVE debrief
CVE-2024-8528 Automated Logic CVE debrief
CVE-2024-8528 is a publicly disclosed browser script-execution flaw in Automated Logic’s WebCTRL family. The CISA advisory says the wbs GET parameter is not sanitized and that untrusted data is included in a web page without proper validation or escaping, which can let an attacker cause malicious scripts to run in a user’s browser. Automated Logic reports the issue is remediated in Web CTRL 9.0; older Web CTRL 7.0, Web CTRL 6.1, and i-Vu 6.0 are out of support.
- Vendor: Automated Logic
- Product: Carrier i-Vu
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-11-20
- Original CVE updated: 2025-11-20
- Advisory published: 2025-11-20
- Advisory updated: 2025-11-20
Who should care
OT and building-automation teams running Automated Logic WebCTRL Server, Carrier i-Vu, SiteScan Web, or WebCTRL for OEMs; application owners; and vulnerability/patch managers responsible for browser-based operator workflows.
Technical summary
According to the supplied CISA CSAF advisory, the issue is triggered by the wbs GET parameter being processed without sanitization and then rendered into a web page without proper escaping. That creates an opportunity for attacker-controlled script content to execute in the victim’s browser. The supplied CVSS vector (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) indicates user interaction is required and that the impact can extend across the browser trust boundary.
Defensive priority
High. Prioritize remediation on any active WebCTRL deployment because the issue is publicly documented, affects multiple product lines in the WebCTRL family, and is fixed in Web CTRL 9.0. Unsupported versions should be treated as migration/upgrade candidates rather than simple patch targets.
Recommended defensive actions
- Upgrade to the latest available version; Automated Logic states the vulnerability is remediated in Web CTRL 9.0.
- Inventory all affected WebCTRL-family deployments and confirm whether they are on supported releases.
- Plan replacement or upgrade for Web CTRL 7.0, Web CTRL 6.1, and i-Vu 6.0, which the advisory says are out of support.
- Review any application paths that use the wbs GET parameter and ensure user-supplied input is validated and escaped before rendering.
- Follow Automated Logic’s BAS security best-practices guidance and Carrier’s security advisories resources.
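The flaw class in the technical summary (a GET parameter reflected into a page without escaping) and the review step for the wbs parameter above, as an added illustration that is not WebCTRL code: a verbatim-reflection renderer beside an HTML-escaping one, plus a log-triage helper that flags requests whose wbs value carries HTML metacharacters. The page path, log format and values are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed illustration of the advisory's flaw class; not vendor code.

def render_unsafe(wbs: str) -> str:
    """Reflects the parameter verbatim: the pattern the advisory describes."""
    return f"<div class='status'>Schedule: {wbs}</div>"

def render_safe(wbs: str) -> str:
    """Escapes the value for an HTML element-content context before reflection.
    Attribute and script contexts need their own encoders; this covers text."""
    return f"<div class='status'>Schedule: {html.escape(wbs, quote=True)}</div>"

# Characters that must never reach an HTML text context unencoded.
_HTML_META = re.compile(r"[<>\"']")

def suspicious_wbs_requests(log_lines):
    """Return (line_no, decoded wbs value) for combined-format access-log lines
    whose wbs query value contains HTML metacharacters after URL-decoding.
    A review aid for the audit step above, not proof of exploitation."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
        for value in qs.get("wbs", []):   # parse_qs already URL-decodes
            if _HTML_META.search(value):
                hits.append((n, value))
    return hits

# Constructed sample log: a benign value, an HTML-bearing value, no wbs at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2025:10:00:01 +0000] "GET /page?wbs=plant1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Nov/2025:10:00:07 +0000] "GET /page?wbs=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 600',
    '10.0.0.7 - - [20/Nov/2025:10:00:09 +0000] "GET /page?other=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(render_unsafe("<b>x</b>"))          # markup reaches the browser as-is
    print(render_safe("<b>x</b>"))            # markup is neutralised as text
    print(suspicious_wbs_requests(SAMPLE_LOG))  # [(2, '<b>x</b>')]
```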
Evidence notes
CISA CSAF advisory ICSA-25-324-01, published 2025-11-20, states that the wbs GET parameter is not sanitized and that untrusted data is rendered without proper validation or escaping, enabling malicious script execution in a user’s browser. The advisory also states remediation is available in Web CTRL 9.0 and notes that Web CTRL 7.0, Web CTRL 6.1, and i-Vu 6.0 are out of support. No KEV entry or active-exploitation detail was supplied.
Official resources
- CVE-2024-8528 CVE record (CVE.org)
- CVE-2024-8528 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA in CSAF advisory ICSA-25-324-01 on 2025-11-20. The supplied data does not indicate a KEV listing.