CVE-2026-32666 is a high-severity integrity issue in Automated Logic WebCTRL Premium Server < v8.5. CISA reports that WebCTRL systems communicating over BACnet do not add validation beyond BACnet’s weak network-layer trust model, so an attacker with network access could spoof BACnet packets to the WebCTRL server or associated controllers and have them accepted as legitimate.
CVE-2026-25086 is a high-severity issue in Automated Logic WebCTRL Premium Server < v8.5. According to the CISA advisory, under certain conditions an attacker can bind to the same port used by WebCTRL, then craft and send malicious packets while impersonating the WebCTRL service. The advisory says this does not require code injection into WebCTRL itself, which makes the trust and integrity impact especial [truncated]
CVE-2026-24060 affects Automated Logic WebCTRL Premium Server versions before 8.5. According to the CISA advisory published on 2026-03-19, service information sent as BACnet packets is not encrypted and can be sniffed, intercepted, and modified on the wire. The advisory also notes that file-related data and the proprietary PLC update format may be observed and reverse engineered from network traffic. This [truncated]
CVE-2024-8528 is a publicly disclosed browser script-execution flaw in Automated Logic’s WebCTRL family. The CISA advisory says the wbs GET parameter is not sanitized and that untrusted data is included in a web page without proper validation or escaping, which can let an attacker cause malicious scripts to run in a user’s browser. Automated Logic reports the issue is remediated in Web CTRL 9.0; older Web [truncated]
CVE-2024-8527 is a critical open redirect issue in Automated Logic WebCTRL and related product lines. According to the CISA advisory published on 2025-11-20, the affected software could accept a user-supplied URL and redirect users without proper validation, creating risk for phishing, trust abuse, and security-control bypass. Automated Logic states the issue is remediated in Web CTRL 9.0, while several o [truncated]