CVE-2026-32666 WebCTRL — Exploit & Vulnerability Details HIGH

CVE-2026-32666

HIGH CVSS 3.1: 7.5 EPSS 0.07%

Parameter	Value
CVSS	7.5 (HIGH)
Type	CWE-290
Vendor	WebCTRL
Public PoC	No

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

High

Complete data modification

Availability

None

No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-290

References 3

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-0…

ics-cert@hq.dhs.gov

https://www.automatedlogic.com/en/company/security-commitment/

ics-cert@hq.dhs.gov

https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08

ics-cert@hq.dhs.gov

Share Post Share Share Share

Menu

CVE-2026-32666

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice

Menu

CVE-2026-32666

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice

Stay informed on cybersecurity