Cyber Posture

CVE-2026-21878

Severity: High · Public PoC

Published: 13 February 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: available (fixed in 1.5.0.rc3)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0011 (28.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21878 is a high-severity Path Traversal (CWE-22) vulnerability in Bacnetstack Bacnet Stack. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Path validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Remote unauthenticated path traversal enabling arbitrary file writes on a network-exposed BACnet service directly maps to exploitation of public-facing apps and ingress of tools/files.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.

Deeper analysis (AI-generated)

CVE-2026-21878 is a path traversal vulnerability (CWE-22) in the BACnet Stack, an open-source C library implementing the BACnet protocol for embedded systems. Prior to version 1.5.0.rc3, the file writing functionality lacks validation of user-provided file paths, allowing attackers to write files to arbitrary directories. The affected components are apps/readfile/main.c and ports/posix/bacfile-posix.c. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2026-02-13.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By supplying a specially crafted file path, they can write files to unintended directories on the target system, resulting in high integrity impact through unauthorized file modifications.

The vulnerability is fixed in BACnet Stack version 1.5.0.rc3. Mitigation involves updating to this release or later. Additional details are available in the GitHub security advisory at https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j and the patching commit at https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3.
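The mitigating control listed above (validating pathnames so a client-supplied file name cannot leave the intended directory) is the defensive pattern the fix addresses. The following C function is an added illustration written for this page; it is not code from the BACnet Stack project or from the patching commit. The base directory FILE_BASE_DIR, the function name bacfile_resolve_path and the sample file names are all constructed for the example. It validates the requested name component by component (rejecting absolute paths, empty components, "." and "..", and backslash separators) before joining it to the base directory, so it works for write operations where the target file does not exist yet.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical directory a File object is allowed to read and write in. */
#define FILE_BASE_DIR "/var/lib/bacnet/files"

/* Return true only if every '/'-separated component of name is a plain
   file or directory name: non-empty, not "." or "..", no backslashes,
   and no trailing separator. */
static bool components_are_safe(const char *name)
{
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) return false;                      /* "//" or empty */
        if (len == 1 && p[0] == '.') return false;       /* "." */
        if (len == 2 && p[0] == '.' && p[1] == '.') return false; /* ".." */
        if (memchr(p, '\\', len)) return false;          /* backslash separator */
        p += len;
        if (*p == '/') {
            p++;
            if (*p == '\0') return false;                /* trailing '/' */
        }
    }
    return true;
}

/* Resolve a client-supplied file name against FILE_BASE_DIR.
   Returns 0 and writes the full path to out on success, -1 if the name
   is rejected or the result would not fit in out. */
int bacfile_resolve_path(const char *requested, char *out, size_t outlen)
{
    if (!requested || !out || outlen == 0) return -1;
    if (requested[0] == '\0') return -1;                 /* empty name */
    if (requested[0] == '/') return -1;                  /* absolute path */
    if (!components_are_safe(requested)) return -1;
    int n = snprintf(out, outlen, "%s/%s", FILE_BASE_DIR, requested);
    if (n < 0 || (size_t)n >= outlen) return -1;         /* truncated */
    return 0;
}

int main(void)
{
    /* Constructed sample names: the first two are acceptable, the rest are not. */
    const char *samples[] = { "config.csv", "logs/2026-02-13.txt",
                              "../../etc/passwd", "/etc/passwd", "a/./b", "dir/" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = bacfile_resolve_path(samples[i], path, sizeof path);
        printf("%-22s -> %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

Component validation is used instead of realpath() because a file being written may not exist yet, and realpath() fails on a non-existent path. It does not protect against symlinks already present inside the base directory; on Linux that needs an open with O_NOFOLLOW or openat2() with RESOLVE_BENEATH on top of this check.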

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

Vendor: bacnetstack · Product: bacnet stack · Version: 1.5.0

CVEs Like This One

CVE-2026-41503 (same product: Bacnetstack Bacnet Stack)
CVE-2026-26264 (same product: Bacnetstack Bacnet Stack)
CVE-2026-41475 (same product: Bacnetstack Bacnet Stack)
CVE-2026-41502 (same product: Bacnetstack Bacnet Stack)
CVE-2026-39308 (shared CWE-22)
CVE-2026-7398 (shared CWE-22)
CVE-2026-27969 (shared CWE-22)
CVE-2026-41180 (shared CWE-22)
CVE-2026-32055 (shared CWE-22)
CVE-2026-23949 (shared CWE-22)
