Cyber Resilience

CVE-2026-20761

Severity: High · RCE

Published: 20 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0088 (54.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-20761 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-20761 is a command injection vulnerability (CWE-77) affecting EnOcean SmartServer IoT version 4.60.009 and prior. It resides in the handling of LON IP-852 management messages, where specially crafted IP-852 messages can be sent to trigger arbitrary OS command execution on the device. Published on 2026-02-20, the issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high impact on confidentiality, integrity, and availability despite requiring high attack complexity.

Remote, unauthenticated attackers can exploit this vulnerability over the network by transmitting malicious IP-852 messages via LON IP-852 channels. Successful exploitation enables arbitrary operating system command execution on the targeted SmartServer IoT device, allowing full control for potential persistence, data exfiltration, or lateral movement within operational technology (OT) and IoT networks.

Mitigation details are available in vendor and authority advisories, including EnOcean's SmartServer IoT Release Notes for the current stable release, security enhancement guidance, and CISA ICS Advisory ICSA-26-050-01 (with corresponding CSAF document). Practitioners should review these references for patching instructions, firmware updates, and recommended configurations to address the vulnerability.


Vulnerability details

A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior that allows remote attackers to send specially crafted LON IP-852 management messages, resulting in arbitrary OS command execution on the device.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing IoT management protocol (T1190), resulting in arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44869 (shared CWE-77)
CVE-2026-44866 (shared CWE-77)
CVE-2025-57685 (shared CWE-77)
CVE-2025-60021 (shared CWE-77)
CVE-2026-2333 (shared CWE-77)
CVE-2025-67728 (shared CWE-77)
CVE-2025-24818 (shared CWE-77)
CVE-2024-54794 (shared CWE-77)
CVE-2025-60801 (shared CWE-77)
CVE-2025-55294 (shared CWE-77)

Affected Assets

EnOcean SmartServer IoT
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (SI-10, Information Input Validation): Directly prevents the command injection vulnerability by validating IP-852 management message inputs to block specially crafted payloads that lead to arbitrary OS command execution.

Prevent: Remediates the specific flaw in EnOcean SmartServer IoT version 4.60.009 and prior through timely application of vendor firmware updates and patches, as advised in the release notes and CISA ICSA-26-050-01.

Prevent (CM-7, Least Functionality): Mitigates exposure by enforcing least functionality to disable or restrict unnecessary LON IP-852 management channels on the IoT device.
