PatchSiren cyber security CVE debrief

CVE-2026-24060 Automated Logic CVE debrief

CVE-2026-24060 affects Automated Logic WebCTRL Premium Server versions before 8.5. According to the CISA advisory published on 2026-03-19, service information sent as BACnet packets is not encrypted and can be sniffed, intercepted, and modified on the wire. The advisory also notes that file-related data and the proprietary PLC update format may be observed and reverse engineered from network traffic. This is a serious OT confidentiality and integrity issue, especially where BACnet traffic crosses shared or insufficiently segmented networks.

Vendor: Automated Logic
Product: WebCTRL Premium Server
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-19
Original CVE updated: 2026-03-19
Advisory published: 2026-03-19
Advisory updated: 2026-03-19

Who should care

Industrial control system operators, building automation teams, OT network defenders, and administrators running Automated Logic WebCTRL Premium Server <v8.5. Organizations that rely on BACnet communications, especially in environments without strict network segmentation or BACnet/SC, should treat this as a priority.

Technical summary

The advisory describes a network-transit weakness rather than a code execution flaw: WebCTRL Premium Server transmits sensitive service and file-update information over BACnet without encryption. That makes the data observable to passive network monitoring and potentially modifiable by an on-path attacker. The vendor remediation points to WebCTRL 8.5 cumulative releases and later, along with BACnet Secure Connect (BACnet/SC), which adds TLS encryption and mutual authentication. The advisory does not indicate KEV inclusion or active exploitation in the supplied corpus.

Defensive priority

High. The issue is remotely reachable over network traffic and directly impacts confidentiality and integrity in an OT environment. Prioritize remediation on any deployment that uses BACnet on shared, routable, or otherwise weakly segmented networks.

Recommended defensive actions

  • Upgrade to the latest supported WebCTRL server version; Automated Logic notes that WebCTRL 7 is end of life and that WebCTRL 8.5 cumulative releases and later support BACnet/SC.
  • Enable BACnet Secure Connect (BACnet/SC) where supported to add TLS encryption and mutual authentication.
  • Apply vendor secure configuration guidance for supported WebCTRL deployments, including network segmentation and access control.
  • Restrict BACnet traffic to trusted management networks and minimize exposure of OT protocols across broader enterprise segments.
  • Review monitoring and detection controls for unusual BACnet activity or unexpected changes to service and file-transfer traffic.
  • If any affected system cannot be upgraded promptly, treat it as a higher-risk legacy asset and isolate it as tightly as operationally possible.
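As an added illustration of the monitoring item above (not code from the advisory, CISA or the vendor), the Python below parses the BVLC, NPDU and Confirmed-Request APDU headers of BACnet/IP payloads seen on UDP/47808 and flags plaintext atomicReadFile/atomicWriteFile requests, marking those whose source sits outside an assumed trusted OT segment. The 10.20.0.0/16 segment, the addresses and the sample frames are constructed assumptions.

```python
import ipaddress

# Confirmed-Request service choices for BACnet file transfer (ASHRAE 135 APDU).
FILE_SERVICES = {6: "atomicReadFile", 7: "atomicWriteFile"}
BACNET_IP_PORT = 47808                               # 0xBAC0, plain BACnet/IP
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")    # assumed trusted BAS segment

def parse_confirmed_service(payload: bytes):
    """Return the Confirmed-Request service choice of a BACnet/IP frame, else None."""
    try:
        if payload[0] != 0x81 or payload[1] not in (0x0A, 0x0B):
            return None                              # not Original-Unicast/Broadcast-NPDU
        if int.from_bytes(payload[2:4], "big") != len(payload) or payload[4] != 0x01:
            return None                              # bad BVLC length or NPDU version
        control, i = payload[5], 6
        if control & 0x80:
            return None                              # network-layer message, no APDU
        if control & 0x20:                           # DNET, DLEN, DADR present
            i += 3 + payload[i + 2]
        if control & 0x08:                           # SNET, SLEN, SADR present
            i += 3 + payload[i + 2]
        if control & 0x20:
            i += 1                                   # hop count follows the addresses
        apdu = payload[i:]
        if (apdu[0] >> 4) != 0:                      # PDU type 0 = Confirmed-Request
            return None
        return apdu[5 if apdu[0] & 0x08 else 3]      # segmented adds seq + window bytes
    except IndexError:
        return None                                  # truncated or malformed frame

def flag_plaintext_file_transfers(flows):
    """flows: (src_ip, dst_ip, dst_port, udp_payload) tuples; returns alert tuples."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != BACNET_IP_PORT:
            continue
        svc = parse_confirmed_service(payload)
        if svc in FILE_SERVICES:
            off_segment = ipaddress.ip_address(src) not in OT_NETWORK
            alerts.append((src, dst, FILE_SERVICES[svc], off_segment))
    return alerts

# Constructed sample flows: header bytes hand-assembled, not captured traffic.
SAMPLE_FLOWS = [
    ("192.168.50.7", "10.20.1.5", 47808, bytes.fromhex("810A000C0104000501070C02")),  # writeFile
    ("10.20.3.9", "10.20.1.5", 47808, bytes.fromhex("810A000C01040005020C0C02")),     # readProperty
    ("10.20.3.9", "10.20.1.5", 47808, bytes.fromhex("810A000C0104000503060C02")),     # readFile
    ("10.20.3.9", "10.20.1.5", 443, b"\x16\x03\x03"),                                # TLS, ignored
]
```

Run `flag_plaintext_file_transfers(SAMPLE_FLOWS)` to see the two file-transfer alerts; a write from the off-segment host is the one that deserves immediate attention, while BACnet/SC traffic never matches because it does not travel as plaintext BACnet/IP on 47808.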

Evidence notes

All findings are based on the supplied CISA CSAF advisory ICSA-26-078-08 and its referenced vendor security commitment. The advisory text explicitly states that service information is not encrypted in BACnet packets and can be sniffed, intercepted, and modified. It also states that file start position, file data, and the proprietary PLC update format may be observed from network traffic. The supplied corpus does not include evidence of KEV listing, active exploitation, or ransomware use.

Official resources

CISA published the advisory on 2026-03-19. The supplied corpus does not indicate KEV inclusion, and no active exploitation or ransomware campaign is identified in the source material.