PatchSiren

Automated Logic CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Automated Logic CVE published 2026-03-19

CVE-2026-32666

CVE-2026-32666 is a high-severity integrity issue in Automated Logic WebCTRL Premium Server < v8.5. CISA reports that WebCTRL systems communicating over BACnet do not add validation beyond BACnet’s weak network-layer trust model, so an attacker with network access could spoof BACnet packets to the WebCTRL server or associated controllers and have them accepted as legitimate.

HIGH Automated Logic CVE published 2026-03-19

CVE-2026-25086

CVE-2026-25086 is a high-severity issue in Automated Logic WebCTRL Premium Server < v8.5. According to the CISA advisory, under certain conditions an attacker can bind to the same port used by WebCTRL, then craft and send malicious packets while impersonating the WebCTRL service. The advisory says this does not require code injection into WebCTRL itself, which makes the trust and integrity impact especial [truncated]

CRITICAL Automated Logic CVE published 2026-03-19

CVE-2026-24060

CVE-2026-24060 affects Automated Logic WebCTRL Premium Server versions before 8.5. According to the CISA advisory published on 2026-03-19, service information sent as BACnet packets is not encrypted and can be sniffed, intercepted, and modified on the wire. The advisory also notes that file-related data and the proprietary PLC update format may be observed and reverse engineered from network traffic. This [truncated]