Critical Port Binding & Authentication Bypass in Automated Logic WebCTRL Premium Server (CVE‑2026‑25086) Threatens Building Management Systems
What It Is – A set of critical flaws in Automated Logic’s WebCTRL Premium Server (pre‑v8.5) allow an attacker to bind to the same network port used by the controller, spoof the service, bypass authentication, and read or modify clear‑text control traffic.
Exploitability – The vulnerabilities are publicly disclosed, have a CVSS v3.1 score of 9.1 (Critical), and can be exploited without code injection, making remote exploitation feasible in typical deployment scenarios. No public PoC is required; the attack leverages standard networking behavior.
Affected Products – Automated Logic WebCTRL Premium Server < v8.5 (all versions prior to the latest release).
TPRM Impact –
- Potential manipulation of HVAC, lighting, fire‑safety, and security systems in commercial facilities worldwide.
- Exposure of operational data (e.g., building occupancy, energy usage) that can be harvested or altered.
- Supply‑chain ripple effects for tenants, facility‑management firms, and third‑party service providers that rely on the platform.
Recommended Actions –
- Upgrade immediately to WebCTRL 8.5 or later, which implements secure BACnet/SC and mitigates the port‑binding issue.
- Segment network traffic: isolate the WebCTRL server on a dedicated VLAN and restrict inbound access to trusted management IPs.
- Monitor for anomalous traffic on the WebCTRL ports (e.g., duplicate SYN packets, unexpected source MACs).
- Engage Automated Logic support to verify patch deployment and obtain hardening guidance.
- Review third‑party contracts to ensure vendors have applied the remediation and can attest to secure configurations.
Source: CISA Advisory – ICSA‑26‑078‑08