
CVE-2026-32666

Severity: High
Published: 21 March 2026
Modified: 23 March 2026
KEV Added: not listed
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0008 (23.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32666 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability affecting Automated Logic WebCTRL and the AutomatedLogic controllers it talks to over BACnet (vendor inferred from the references; NVD has not filed a CPE). Its CVSS v3.1 base score is 7.5 (High), with the impact confined to integrity (C:N/I:H/A:N).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.2nd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-32666, published 2026-03-21, affects WebCTRL systems that communicate over BACnet. BACnet provides no authentication at the network layer, and WebCTRL performs no additional validation of BACnet traffic, so a receiver has no way to tell a forged packet from one sent by a legitimate peer. An attacker with network access to the BACnet segment can therefore spoof BACnet packets addressed to the WebCTRL server or to the associated AutomatedLogic controllers, and those packets may be processed as legitimate. The issue is classified as CWE-290 (Authentication Bypass by Spoofing) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): network-reachable, low complexity, no privileges or user interaction required, integrity impact only.

An unauthenticated attacker who can reach the affected systems over the network can exploit this with low complexity and no user interaction. Exploitation consists of crafting and sending spoofed BACnet packets, which the WebCTRL server or AutomatedLogic controllers may accept as authentic, leading to integrity violations such as unauthorized commands (a BACnet write to a controller property, for instance) or data manipulation within the building automation environment. Because the vector records no confidentiality or availability impact, the direct consequence is unauthorized change to controller state rather than disclosure or denial of service.

Mitigation guidance is in CISA advisory ICSA-26-078-08 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08; CSAF format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json) and on Automated Logic's security commitment page (https://www.automatedlogic.com/en/company/security-commitment/).


Vulnerability details

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

CWE(s)

CWE-290 Authentication Bypass by Spoofing

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability lets an unauthenticated network peer drive the BACnet/WebCTRL service with spoofed packets (CWE-290), which is exploitation of a remote service for command or data manipulation. T1190 applies only where the WebCTRL server or its BACnet interface is reachable from an untrusted network; when BACnet is confined to the building network, T1210 (an attacker already on that network reaching the server or controllers) is the closer fit.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-55925 (shared CWE-290)
CVE-2026-0834 (shared CWE-290)
CVE-2026-33131 (shared CWE-290)
CVE-2026-24372 (shared CWE-290)
CVE-2025-27671 (shared CWE-290)
CVE-2026-24853 (shared CWE-290)
CVE-2026-30975 (shared CWE-290)
CVE-2026-31889 (shared CWE-290)
CVE-2026-40575 (shared CWE-290)
CVE-2025-11250 (shared CWE-290)

Affected Assets

Automated Logic: WebCTRL and the associated AutomatedLogic controllers (inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: validation of incoming BACnet traffic, so that spoofed packets lacking proper authentication are detected and rejected.

Prevent, SC-23 (Session Authenticity): protects the authenticity of BACnet communication sessions, preventing spoofed packets from being processed as legitimate by WebCTRL or the controllers. Classic BACnet/IP has no session authentication to enforce, so in practice this control is only realizable with BACnet Secure Connect (BACnet/SC, which authenticates peers with TLS certificates) or by carrying BACnet inside an authenticated transport, where the equipment supports it.

Prevent, SC-7 (Boundary Protection): monitors and controls communications at network boundaries to restrict BACnet traffic to trusted sources, denying the attacker the network access that spoofing requires.
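As an added example (not code from the advisory, CISA or Automated Logic), the following Python parses BACnet/IP datagrams down to the APDU service choice, decodes a WriteProperty request, and applies the source allow-list that the traffic-validation and boundary-protection controls above describe. It also illustrates the mechanism from the Deeper analysis section: the two sample frames are byte-identical, and nothing in the protocol distinguishes the one sent by the WebCTRL server from the one sent by a rogue host. The addresses 10.20.0.10 and 10.20.0.99, the allow-list TRUSTED_WRITERS and the sample frames are constructed for this example.

```python
"""Flag BACnet/IP write requests from hosts other than the BMS server.

Added example, not code from the advisory, CISA or Automated Logic: walks the
BVLC, NPDU and APDU headers of a BACnet/IP datagram, decodes a WriteProperty
request and alerts on state-changing services from any source not on the
allow-list. Addresses, allow-list and frames below are constructed.
"""
import struct

BVLC_TYPE = 0x81
BVLC_FUNCTION = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
# Confirmed service choices (ASHRAE 135 clause 21); WRITE_SERVICES change controller state
WRITE_SERVICES = {0x0F: "writeProperty", 0x10: "writePropertyMultiple",
                  0x11: "deviceCommunicationControl", 0x14: "reinitializeDevice"}
CONFIRMED_SERVICES = {0x0C: "readProperty", 0x0E: "readPropertyMultiple", **WRITE_SERVICES}
UNCONFIRMED_SERVICES = {0x00: "i-Am", 0x08: "who-Is"}
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value", 3: "binary-input",
                4: "binary-output", 5: "binary-value", 8: "device"}
PROP_PRESENT_VALUE = 85
TRUSTED_WRITERS = {"10.20.0.10"}  # constructed: the WebCTRL server, the only legitimate writer


def parse_bacnet_ip(data: bytes) -> dict:
    """BVLC -> NPDU -> APDU; returns the service choice, invoke ID and service payload."""
    if len(data) < 4 or data[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    func = data[1]
    if func not in BVLC_FUNCTION or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("unsupported BVLC function or bad length field")
    pos = 10 if func == 0x04 else 4       # Forwarded-NPDU inserts a 6-octet B/IP address
    if data[pos] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = data[pos + 1]
    if control & 0x80:
        raise ValueError("network-layer message, carries no APDU")
    pos += 2
    if control & 0x20:                    # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + data[pos + 2]
    if control & 0x08:                    # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + data[pos + 2]
    if control & 0x20:                    # hop count follows the source fields
        pos += 1
    apdu = data[pos:]
    pdu_type = apdu[0] >> 4
    frame = {"bvlc": BVLC_FUNCTION[func], "pdu_type": pdu_type, "invoke_id": None}
    if pdu_type == 0:                     # Confirmed-Request
        hdr = 5 if apdu[0] & 0x08 else 3  # segmented requests add sequence number and window size
        frame["service"] = CONFIRMED_SERVICES.get(apdu[hdr], f"confirmed-0x{apdu[hdr]:02x}")
        frame["invoke_id"], frame["request"] = apdu[2], apdu[hdr + 1:]
    elif pdu_type == 1:                   # Unconfirmed-Request
        frame["service"] = UNCONFIRMED_SERVICES.get(apdu[1], f"unconfirmed-0x{apdu[1]:02x}")
        frame["request"] = apdu[2:]
    else:
        frame["service"], frame["request"] = f"pdu-type-{pdu_type}", apdu[1:]
    return frame


def build_write_property(obj_type: int, instance: int, prop: int, value: float,
                         priority: int, invoke_id: int = 1) -> bytes:
    """Original-Unicast-NPDU carrying a WriteProperty of a single REAL value."""
    apdu = bytes([0x00, 0x05, invoke_id, 0x0F])                       # Confirmed-Request, max APDU 1476
    apdu += b"\x0c" + struct.pack(">I", (obj_type << 22) | instance)  # [0] objectIdentifier
    apdu += b"\x19" + bytes([prop])                                   # [1] propertyIdentifier (< 256)
    apdu += b"\x3e\x44" + struct.pack(">f", value) + b"\x3f"          # [3] REAL value
    apdu += b"\x49" + bytes([priority])                               # [4] priority
    body = bytes([0x01, 0x04]) + apdu                                 # NPDU: version 1, expecting reply
    return bytes([BVLC_TYPE, 0x0A]) + struct.pack(">H", 4 + len(body)) + body


def decode_write_property(req: bytes) -> dict:
    """Target object, property, REAL value and priority from a WriteProperty payload."""
    if req[0] != 0x0C or req[5] != 0x19 or req[7:9] != b"\x3e\x44" or req[13] != 0x3F:
        raise ValueError("only single-REAL WriteProperty payloads are decoded here")
    obj_id = struct.unpack(">I", req[1:5])[0]
    return {"object": f"{OBJECT_TYPES.get(obj_id >> 22, obj_id >> 22)}:{obj_id & 0x3FFFFF}",
            "property": req[6],
            "value": struct.unpack(">f", req[9:13])[0],
            "priority": req[15] if len(req) > 15 and req[14] == 0x49 else None}


def assess(src_ip: str, data: bytes, trusted_writers: set = TRUSTED_WRITERS) -> dict:
    """Nothing in the frame proves who sent it, so the only usable signal is the source."""
    frame = parse_bacnet_ip(data)
    result = {"source": src_ip, "service": frame["service"], "invoke_id": frame["invoke_id"]}
    if frame["service"] == "writeProperty":
        result.update(decode_write_property(frame["request"]))
    is_write = frame["service"] in WRITE_SERVICES.values()
    result["verdict"] = "alert" if is_write and src_ip not in trusted_writers else "ok"
    return result


# Constructed sample: analog-output 1, present-value := 72.0 at priority 8
SAMPLE_WRITE = build_write_property(1, 1, PROP_PRESENT_VALUE, 72.0, 8)
# Constructed: identical bytes from the WebCTRL server and from a rogue host on the segment
SAMPLE_TRAFFIC = [("10.20.0.10", SAMPLE_WRITE), ("10.20.0.99", SAMPLE_WRITE)]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    return [assess(src, pkt) for src, pkt in traffic]
```

Calling run() gives the verdict ok for the first frame and alert for the second, for identical bytes. Because BACnet/IP is carried over UDP, the source address is itself forgeable, so an allow-list like this is a detection aid at a monitoring point rather than a boundary: the SC-7 control has to be enforced by network segmentation (ACLs or a firewall between the BACnet segment and everything else), and SC-23 by BACnet/SC where the equipment supports it.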
