CVE-2026-24060 CRITICAL

CVE-2026-24060: Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information

Vendor: Automated Logic
Product: WebCTRL Premium Server
Weakness: CWE-319 · Cleartext transmission
Published: March 20, 2026
Last update: March 23, 2026

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.

Key dates

02 Disclosure timeline

March 20, 2026: CVE published
March 23, 2026: Record updated