Cyber Resilience

CVE-2026-24060

Critical

Published: 21 March 2026

Published
21 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0020 9.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24060 is a critical-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Automatedlogic (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2026-24060, published on 2026-03-21, is a critical vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) involving unencrypted transmission of service information in BACnet packets over the network. This flaw, tied to CWE-319 (Cleartext Transmission of Sensitive Information), affects systems using WebCTRL to receive updates from PLCs, where data such as File Start Position and File Data is exposed in plain text.

Any network-adjacent attacker can exploit this vulnerability without privileges or user interaction by sniffing BACnet traffic with tools like Wireshark's BACnet dissector filter to capture sensitive service information. Attackers can also intercept and modify packets or reverse engineer the proprietary format used for WebCTRL-PLC updates, resulting in high confidentiality and integrity impacts such as data theft or tampering.

Advisories including CISA's ICSA-26-078-08 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08), the corresponding CSAF file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json), and Automated Logic's security commitment page (https://www.automatedlogic.com/en/company/security-commitment/) provide details on mitigation steps.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic…

more

using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Unencrypted BACnet traffic directly enables passive network sniffing (T1040) to capture sensitive service data and supports active interception/modification of packets (T1557).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-34271Shared CWE-319
CVE-2025-64769Shared CWE-319
CVE-2026-24212Shared CWE-319
CVE-2020-36917Shared CWE-319
CVE-2026-5115Shared CWE-319
CVE-2020-36914Shared CWE-319
CVE-2026-31923Shared CWE-319
CVE-2025-67159Shared CWE-319
CVE-2025-13718Shared CWE-319
CVE-2026-30796Shared CWE-319

Affected Assets

Automatedlogic
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-8 directly requires protection of the confidentiality and integrity of transmitted information, comprehensively mitigating the unencrypted BACnet packets vulnerable to sniffing, interception, and modification.

prevent

SC-7 enforces boundary protection and traffic restrictions that can segment BACnet networks, limiting network-adjacent attacker access to sniff or tamper with traffic.

prevent

SC-13 implements cryptographic mechanisms that support encryption of BACnet communications to address cleartext transmission of sensitive service information.

References