CVE-2026-22885 is a low-severity network-reachable issue in EnOcean SmartServer IoT version 4.60.009 and earlier. According to CISA’s advisory, a remote attacker can send specially crafted IP-852 management messages that cause a memory leak in the program’s memory. The advisory rates the issue as CVSS 3.1 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) and does not list it in CISA KEV.
CVE-2026-20761 is a high-severity remote command execution issue in EnOcean SmartServer IoT version 4.60.009 and earlier. According to the CISA advisory, a remote attacker can send specially crafted LON IP-852 management messages and trigger arbitrary OS command execution on the device. EnOcean’s listed remediation is to upgrade to SmartServer 4.6 Update 2 (v4.60.023) or later.
