PatchSiren cyber security CVE debrief

CVE-2026-25086 Automated Logic CVE debrief

CVE-2026-25086 is a high-severity issue in Automated Logic WebCTRL Premium Server < v8.5. According to the CISA advisory, under certain conditions an attacker can bind to the same port used by WebCTRL, then craft and send malicious packets while impersonating the WebCTRL service. The advisory says this does not require code injection into WebCTRL itself, which makes the trust and integrity impact especially important in OT environments.

Vendor: Automated Logic
Product: WebCTRL Premium Server
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-19
Original CVE updated: 2026-03-19
Advisory published: 2026-03-19
Advisory updated: 2026-03-19

Who should care

OT/ICS operators running Automated Logic WebCTRL Premium Server versions earlier than 8.5 should prioritize this advisory, especially if the server runs on a host where local access controls are weak or where multiple services share the same system. Security and operations teams should also care if WebCTRL is relied on for trusted control traffic, monitoring, or supervisory functions.

Technical summary

The source material describes a local attack path (CVSS AV:L, meaning the attacker already has local access to the host) in which an attacker can bind to WebCTRL's port and present itself as the legitimate service. That enables malicious packet crafting and service impersonation without injecting code into WebCTRL. The advisory assigns CVSS 7.7 (HIGH) and indicates confidentiality and integrity impact. The remediation guidance points affected users toward supported releases and BACnet/SC, which adds TLS encryption and mutual authentication.

Defensive priority

High. Treat this as a priority OT server issue because service impersonation can undermine trusted communications and control-plane integrity. Focus first on upgrading unsupported or affected installations, then reduce local binding opportunity and harden the host and network around WebCTRL.

Recommended defensive actions

  • Upgrade to the latest supported WebCTRL server application. Automated Logic states that WebCTRL 7 is end-of-life and has been out of support since 2023-01-27.
  • For supported WebCTRL 8.5 cumulative releases and later, apply Automated Logic's secure configuration guidance, including BACnet/SC where supported.
  • Use network segmentation and access control to limit who can reach or interact with the WebCTRL server and its services.
  • Review host hardening and local access paths so untrusted users or processes cannot obtain the ability to bind to the WebCTRL port.
  • Consult the CISA advisory ICSA-26-078-08 and the referenced Automated Logic security commitment guidance for product-specific defensive steps.
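A way to verify the host-hardening point above on a listener you control, as an added example that is not code from PatchSiren, CISA or Automated Logic: it starts a throwaway loopback listener and tests whether a second local socket can bind the same port. The function names are ours, the behaviour shown is Linux SO_REUSEPORT semantics, and nothing here reflects how WebCTRL itself binds its port, which the advisory does not describe.

```python
import errno
import socket

# Added example, not code from PatchSiren, CISA or Automated Logic. It models
# the condition the advisory describes: a second local process binding a port
# that a running service already listens on. Linux semantics are assumed; the
# equivalent Windows hardening knob is SO_EXCLUSIVEADDRUSE.
REUSEPORT_SUPPORTED = hasattr(socket, "SO_REUSEPORT")

def start_listener(shareable: bool, host: str = "127.0.0.1") -> socket.socket:
    """Stand-in service on an ephemeral loopback port. shareable=True sets
    SO_REUSEPORT, which on Linux lets another socket of the same effective
    UID bind the identical address and port; a service that does not
    deliberately load-balance should leave it unset."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if shareable and REUSEPORT_SUPPORTED:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    srv.bind((host, 0))  # port 0: the kernel picks a free port
    srv.listen(5)
    return srv

def port_accepts_second_bind(host: str, port: int) -> bool:
    """True if a second socket can bind host:port while a listener holds it.
    The probe requests the same sharing option a duplicate binder would need,
    binds, and is closed at once; it never listens or accepts connections."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if REUSEPORT_SUPPORTED:
            probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        probe.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, errno.EACCES):
            return False
        raise
    finally:
        probe.close()

def audit(shareable: bool) -> bool:
    """Start a listener, test whether its port takes a second bind, clean up."""
    srv = start_listener(shareable)
    try:
        return port_accepts_second_bind(*srv.getsockname())
    finally:
        srv.close()

if __name__ == "__main__":
    print("hardened listener shareable:", audit(False))     # expect False
    print("SO_REUSEPORT listener shareable:", audit(True))  # expect True
```

Run against a real service, point the probe at its actual address and port instead of the stand-in listener, and treat a True result as a sign that the listener's socket options or the host's local access controls need review.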

Evidence notes

This debrief is based on the supplied CISA CSAF advisory for ICSA-26-078-08 / CVE-2026-25086, published and modified on 2026-03-19. The advisory text states that an attacker may bind to the same port used by WebCTRL and impersonate the service without code injection. Its remediation section states that WebCTRL 7 is end-of-life and recommends upgrading to supported versions, including 8.5 cumulative releases and later with BACnet/SC. The supplied metadata also includes SSVCv2 E:N/A:N/2026-03-18T06:00:00.000000Z and marks KEV as false in the provided enrichment.

Official resources

Publicly disclosed by CISA in ICSA-26-078-08 on 2026-03-19, with the advisory revision history showing initial publication on that date. The supplied enrichment does not list this CVE in CISA KEV.