Cyber Posture

CVE-2026-25086

High

Published: 21 March 2026

Modified: 23 March 2026
KEV Added
Patch
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25086 is a high-severity Multiple Binds to the Same Port (CWE-605) vulnerability in Automatedlogic (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 6.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly restricts unauthorized processes from binding to the WebCTRL service port, preventing attackers from impersonating the service via malicious packet crafting.

prevent

Uniquely identifies and authenticates the WebCTRL service before connections, ensuring clients reject impersonated services even if an attacker binds to the same port.

prevent

Verifies the authenticity of communications sessions with WebCTRL, blocking impersonation attempts by unauthorized entities bound to the service port.

MITRE ATT&CK Enterprise Techniques · AI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

The vulnerability enables local binding to WebCTRL's port for service impersonation, which directly facilitates interception or alteration of network communications (Adversary-in-the-Middle).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.

Deeper analysis · AI

CVE-2026-25086 is a vulnerability in the WebCTRL software that, under certain conditions, allows an attacker to bind to the same port used by WebCTRL. This enables the attacker to craft and send malicious packets, impersonating the WebCTRL service without requiring code injection into the software itself. Published on 2026-03-21, the issue carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-605.

An attacker with local access can exploit this vulnerability with low complexity, and no privileges or user interaction are required. Exploitation allows high-impact compromise of confidentiality and integrity, such as intercepting or altering communications by impersonating the legitimate WebCTRL service. Availability is rated as unaffected (A:N) and the scope is unchanged (S:U).

Advisories providing mitigation guidance include CISA ICSA-26-078-08 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08, Automated Logic's security commitment page at https://www.automatedlogic.com/en/company/security-commitment/, and the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json.

Details

CWE(s)

Affected Products

Automatedlogic
inferred from references and description; NVD did not file a CPE for this CVE

References