VYPR
Unrated severity · NVD Advisory · Published Sep 17, 2021 · Updated Aug 4, 2024

CVE-2021-40825

Description

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorView™ configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

nLight ECLYPSE controllers before 1.17.21245.754 have a default key vulnerability allowing remote attackers to control lighting.

Vulnerability

nLight ECLYPSE (nECY) system controllers running software prior to version 1.17.21245.754 contain a default key vulnerability. The devices do not force a change to the key upon initial configuration, leaving the default key in place. This key is used to secure encrypted communications between the SensorView configuration software and nECY devices, as well as between nECY controllers themselves. The key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application [1].

Exploitation

A remote attacker with IP access to an affected nECY controller can exploit this vulnerability by leveraging the default key. No authentication or user interaction is required. The attacker can submit lighting control commands by communicating over the encrypted channel using the well-known default key. For systems connected to an IP network, network access is sufficient; standalone systems require physical access [1].

Impact

A successful attack allows the attacker to modify lighting conditions (e.g., turn lights on/off, adjust dimming) and potentially update the software on lighting devices connected to the nECY. However, the attacker cannot authenticate to or modify the configuration or software of the nECY system controller itself [1].

Mitigation

Acuity Brands released firmware version 1.17.21245.754 to address this vulnerability. Users should update affected devices to this version or later. If updating is not immediately possible, changing the default key (SensorView Password / Gateway Password) to a strong, unique value mitigates the risk [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
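
To track the two mitigations above across a fleet, the following added example (not code from the advisory or from Acuity Brands) triages an asset inventory against the fixed version 1.17.21245.754 and the key-change status. The CSV column names, hostnames and all versions other than the fixed one are constructed for illustration; how an inventory records software version and key status is an assumption.

```python
import csv
import io

FIXED_VERSION = "1.17.21245.754"  # fixed software version named in the advisory

# Constructed sample inventory: hostnames, column names and every version
# except FIXED_VERSION are made up for illustration.
SAMPLE_INVENTORY = """\
host,software_version,key_changed
necy-lobby,1.17.21245.754,yes
necy-floor2,1.17.9999.1,no
necy-garage,1.16.20100.12,yes
necy-roof,1.18.22001.3,no
necy-lab,unknown,no
"""

def parse_version(text):
    """Return '1.17.21245.754' as (1, 17, 21245, 754), or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one controller against the advisory's two mitigations."""
    version = parse_version(row["software_version"])
    if version is None:
        return "UNKNOWN_VERSION"  # cannot show it is fixed: check by hand
    # Compare as integer tuples; as strings, "1.17.9999.1" sorts above the fix.
    updated = version >= parse_version(FIXED_VERSION)
    key_changed = row["key_changed"].strip().lower() == "yes"
    if not updated and not key_changed:
        return "EXPOSED"          # affected software, default key still set
    if not updated:
        return "UPDATE_PENDING"   # interim mitigation applied, update still due
    if not key_changed:
        return "ROTATE_KEY"       # assumption: updating may not replace the key
    return "OK"

def audit(inventory_csv):
    """Map each host in the CSV text to its triage status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Controllers reported as `EXPOSED` that are reachable over an IP network are the ones the description identifies as remotely exploitable, so they go first in the update queue.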

Affected products

2

References

2
