Unrated severityNVD Advisory· Published Mar 20, 2026· Updated Mar 23, 2026

Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information

CVE-2026-24060

Description

Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.

Affected products

Automated Logic/Webctrl Premium Serverv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.jsonmitre
www.automatedlogic.com/en/company/security-commitment/mitre
www.cisa.gov/news-events/ics-advisories/icsa-26-078-08mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000