CVE-2026-32666
Published: 21 March 2026
Summary
CVE-2026-32666 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in AutomatedLogic WebCTRL (vendor inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-32666 is a vulnerability in WebCTRL systems that communicate over BACnet, published on 2026-03-21. These systems inherit BACnet's lack of network layer authentication, and WebCTRL does not implement additional validation of BACnet traffic. As a result, an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers, with spoofed packets potentially processed as legitimate. The issue is classified under CWE-290 (Authentication Bypass by Spoofing) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An unauthenticated attacker with network access to the affected systems can exploit this vulnerability with low complexity and no user interaction required. Exploitation involves crafting and sending spoofed BACnet packets, which the WebCTRL server or AutomatedLogic controllers may accept and process as authentic, leading to integrity violations such as unauthorized commands or data manipulation within the building automation environment.
Advisories provide further details on mitigation. CISA's ICSA-26-078-08, accessible at https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08 and in CSAF format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json, addresses the issue. AutomatedLogic's security commitment page at https://www.automatedlogic.com/en/company/security-commitment/ offers related guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13861
Vulnerability details
WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic, so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Vulnerability enables network exploitation of BACnet/WebCTRL remote service via spoofed unauthenticated packets (CWE-290), directly mapping to remote service exploitation and public-facing app abuse for command/data manipulation.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of incoming BACnet traffic to detect and reject spoofed packets that lack proper authentication.
- SC-23 (Session Authenticity): Protects the authenticity of BACnet communication sessions, preventing spoofed packets from being processed as legitimate by WebCTRL or controllers.
- SC-7 (Boundary Protection): Monitors and controls communications at network boundaries to restrict BACnet traffic to trusted sources, blocking attacker access for spoofing.
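As an added example (not code from the advisory or from AutomatedLogic), the boundary-side check that the controls above and the "Deeper analysis" section describe, in Python: parse the BACnet/IP (BVLC) header of each datagram and accept it only from an allowlisted source, flagging everything else for alerting. The trusted addresses and the sample frames are constructed for the example; UDP port 47808 and the 0x81 BVLC type byte are BACnet/IP protocol constants.

```python
import ipaddress
import struct

BACNET_IP_PORT = 47808        # BACnet/IP default UDP port (0xBAC0)
BVLC_TYPE_BACNET_IP = 0x81    # first byte of every BACnet/IP (BVLC) datagram

# Assumed trusted BACnet/IP sources (constructed for this example, not from
# the advisory): the WebCTRL server and the AutomatedLogic controller subnet.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.10.5.10/32"),   # WebCTRL server
    ipaddress.ip_network("10.10.6.0/24"),    # controllers
]

def parse_bvlc(datagram: bytes):
    """Parse the 4-byte BVLC header; None if not a well-formed BACnet/IP frame."""
    if len(datagram) < 4:
        return None
    bvlc_type, function, length = struct.unpack("!BBH", datagram[:4])
    # The BVLC length field must cover the whole datagram, header included.
    if bvlc_type != BVLC_TYPE_BACNET_IP or length != len(datagram):
        return None
    return {"function": function, "npdu": datagram[4:]}

def classify(src_ip: str, dst_port: int, datagram: bytes) -> str:
    """Verdict for one datagram addressed to the WebCTRL server or a controller."""
    if dst_port != BACNET_IP_PORT:
        return "ignore"                      # not BACnet/IP traffic
    if parse_bvlc(datagram) is None:
        return "reject-malformed"
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_SOURCES):
        return "reject-untrusted-source"     # possible spoofed packet: alert
    return "accept"

def audit(events):
    """Run classify() over (src_ip, dst_port, datagram) tuples; return verdicts."""
    return [(src, classify(src, port, data)) for src, port, data in events]

# Constructed sample traffic: an Original-Unicast-NPDU (BVLC function 0x0a)
# from a controller, the same frame from an unknown host, a frame whose BVLC
# length field no longer matches its size, and a non-BACnet datagram.
SAMPLE_NPDU = b"\x01\x04\x00\x00\x10\x08"
FRAME = b"\x81\x0a" + struct.pack("!H", 4 + len(SAMPLE_NPDU)) + SAMPLE_NPDU
SAMPLE_EVENTS = [
    ("10.10.6.21", 47808, FRAME),                # trusted controller
    ("192.168.77.5", 47808, FRAME),              # untrusted source
    ("10.10.6.21", 47808, FRAME[:-2]),           # length mismatch
    ("10.10.6.21", 443, b"GET / HTTP/1.1\r\n"),  # not BACnet/IP
]
```

Because IP source addresses can themselves be forged, this check complements rather than replaces a network boundary (SC-7) that keeps BACnet traffic inside the building automation segment.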