CVE-2026-24060
Published: 21 March 2026
Summary
CVE-2026-24060 is a critical-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Automatedlogic (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 4.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SC-13 (Cryptographic Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-8 directly requires protection of the confidentiality and integrity of transmitted information, comprehensively mitigating the unencrypted BACnet packets vulnerable to sniffing, interception, and modification.
SC-7 enforces boundary protection and traffic restrictions that can segment BACnet networks, limiting network-adjacent attacker access to sniff or tamper with traffic.
SC-13 implements cryptographic mechanisms that support encryption of BACnet communications to address cleartext transmission of sensitive service information.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unencrypted BACnet traffic directly enables passive network sniffing (T1040) to capture sensitive service data and supports active interception/modification of packets (T1557).
NVD Description
Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic…
more
using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
Deeper analysisAI
CVE-2026-24060, published on 2026-03-21, is a critical vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) involving unencrypted transmission of service information in BACnet packets over the network. This flaw, tied to CWE-319 (Cleartext Transmission of Sensitive Information), affects systems using WebCTRL to receive updates from PLCs, where data such as File Start Position and File Data is exposed in plain text.
Any network-adjacent attacker can exploit this vulnerability without privileges or user interaction by sniffing BACnet traffic with tools like Wireshark's BACnet dissector filter to capture sensitive service information. Attackers can also intercept and modify packets or reverse engineer the proprietary format used for WebCTRL-PLC updates, resulting in high confidentiality and integrity impacts such as data theft or tampering.
Advisories including CISA's ICSA-26-078-08 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08), the corresponding CSAF file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json), and Automated Logic's security commitment page (https://www.automatedlogic.com/en/company/security-commitment/) provide details on mitigation steps.
Details
- CWE(s)