CVE-2026-32666 HIGH

CVE-2026-32666: Automated Logic WebCTRL Premium Server Authentication Bypass by Spoofing

Vendor Automated Logic
Product WebCTRL Premium Server
Weakness CWE-290
Published March 20, 2026
Last update March 23, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

Key dates

02Disclosure timeline

March 20, 2026 CVE published
March 23, 2026 Record updated