CVE-2026-24060 (GCVE-0-2026-24060)

Vulnerability from cvelistv5 – Published: 2026-03-20 23:19 – Updated: 2026-03-23 15:55 Unsupported When Assigned
VLAI?
Title
Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information
Summary
Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
Automated Logic WebCTRL Premium Server Affected: 0 , < v8.5 (custom)
Create a notification for this product.
Credits
Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24060",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T14:49:21.420075Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-319",
                "description": "CWE-319 Cleartext Transmission of Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T15:55:53.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WebCTRL Premium Server",
          "vendor": "Automated Logic",
          "versions": [
            {
              "lessThan": "v8.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Service information is not encrypted when transmitted as BACnet packets \nover the wire, and can be sniffed, intercepted, and modified by an \nattacker. Valuable information such as the File Start Position and File \nData can be sniffed from network traffic using Wireshark\u0027s BACnet \ndissector filter. The proprietary format used by WebCTRL to receive \nupdates from the PLC can also be sniffed and reverse engineered."
            }
          ],
          "value": "Service information is not encrypted when transmitted as BACnet packets \nover the wire, and can be sniffed, intercepted, and modified by an \nattacker. Valuable information such as the File Start Position and File \nData can be sniffed from network traffic using Wireshark\u0027s BACnet \ndissector filter. The proprietary format used by WebCTRL to receive \nupdates from the PLC can also be sniffed and reverse engineered."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T23:19:05.223Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.automatedlogic.com/en/company/security-commitment/"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Automated Logic notes that WebCTRL 7 is end of life and has been \nout of support since January 27, 2023. Users are advised to upgrade to \nthe latest version of the WebCTRL server application, which supports the\n more secure BACnet/SC."
            }
          ],
          "value": "Automated Logic notes that WebCTRL 7 is end of life and has been \nout of support since January 27, 2023. Users are advised to upgrade to \nthe latest version of the WebCTRL server application, which supports the\n more secure BACnet/SC."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "For users of supported versions of WebCTRL (WebCTRL 8.5 \ncumulative releases and later), Automated Logic provides secure \nconfiguration guidance for hardware and software deployments; BACnet \nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \nmutual authentication; and published best practices for network \nsegmentation, access control, and secure protocol implementation. \nAdditional information is available at:\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://www.automatedlogic.com/en/company/security-commitment/\" title=\"(opens in a new window)\"\u003ehttps://www.automatedlogic.com/en/company/security-commitment/\u003c/a\u003e"
            }
          ],
          "value": "For users of supported versions of WebCTRL (WebCTRL 8.5 \ncumulative releases and later), Automated Logic provides secure \nconfiguration guidance for hardware and software deployments; BACnet \nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \nmutual authentication; and published best practices for network \nsegmentation, access control, and secure protocol implementation. \nAdditional information is available at:\u00a0\n https://www.automatedlogic.com/en/company/security-commitment/"
        }
      ],
      "source": {
        "advisory": "ICSA-26-078-08",
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-24060",
    "datePublished": "2026-03-20T23:19:05.223Z",
    "dateReserved": "2026-03-12T19:57:03.348Z",
    "dateUpdated": "2026-03-23T15:55:53.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24060\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2026-03-21T00:16:25.483\",\"lastModified\":\"2026-03-23T16:16:43.553\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[{\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Service information is not encrypted when transmitted as BACnet packets \\nover the wire, and can be sniffed, intercepted, and modified by an \\nattacker. Valuable information such as the File Start Position and File \\nData can be sniffed from network traffic using Wireshark\u0027s BACnet \\ndissector filter. The proprietary format used by WebCTRL to receive \\nupdates from the PLC can also be sniffed and reverse engineered.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]}],\"references\":[{\"url\":\"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.automatedlogic.com/en/company/security-commitment/\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-03-20T23:19:05.223Z\"}, \"title\": \"Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-319\", \"description\": \"CWE-319\", \"type\": \"CWE\"}]}], \"affected\": [{\"vendor\": \"Automated Logic\", \"product\": \"WebCTRL Premium Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"v8.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Service information is not encrypted when transmitted as BACnet packets \\nover the wire, and can be sniffed, intercepted, and modified by an \\nattacker. Valuable information such as the File Start Position and File \\nData can be sniffed from network traffic using Wireshark\u0027s BACnet \\ndissector filter. The proprietary format used by WebCTRL to receive \\nupdates from the PLC can also be sniffed and reverse engineered.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"Service information is not encrypted when transmitted as BACnet packets \\nover the wire, and can be sniffed, intercepted, and modified by an \\nattacker. Valuable information such as the File Start Position and File \\nData can be sniffed from network traffic using Wireshark\u0027s BACnet \\ndissector filter. The proprietary format used by WebCTRL to receive \\nupdates from the PLC can also be sniffed and reverse engineered.\"}]}], \"tags\": [\"unsupported-when-assigned\"], \"references\": [{\"url\": \"https://www.automatedlogic.com/en/company/security-commitment/\"}, {\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json\"}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV3_1\": {\"version\": \"3.1\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"baseSeverity\": \"CRITICAL\", \"baseScore\": 9.1, \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\"}}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Automated Logic notes that WebCTRL 7 is end of life and has been \\nout of support since January 27, 2023. Users are advised to upgrade to \\nthe latest version of the WebCTRL server application, which supports the\\n more secure BACnet/SC.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"Automated Logic notes that WebCTRL 7 is end of life and has been \\nout of support since January 27, 2023. Users are advised to upgrade to \\nthe latest version of the WebCTRL server application, which supports the\\n more secure BACnet/SC.\"}]}, {\"lang\": \"en\", \"value\": \"For users of supported versions of WebCTRL (WebCTRL 8.5 \\ncumulative releases and later), Automated Logic provides secure \\nconfiguration guidance for hardware and software deployments; BACnet \\nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \\nmutual authentication; and published best practices for network \\nsegmentation, access control, and secure protocol implementation. \\nAdditional information is available at:\\u00a0\\n https://www.automatedlogic.com/en/company/security-commitment/\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"For users of supported versions of WebCTRL (WebCTRL 8.5 \\ncumulative releases and later), Automated Logic provides secure \\nconfiguration guidance for hardware and software deployments; BACnet \\nSecure Connect (BACnet/SC) support, which introduces TLS encryption and \\nmutual authentication; and published best practices for network \\nsegmentation, access control, and secure protocol implementation. \\nAdditional information is available at:\u0026nbsp;\u003cbr\u003e\u003ca href=\\\"https://www.automatedlogic.com/en/company/security-commitment/\\\" title=\\\"(opens in a new window)\\\"\u003ehttps://www.automatedlogic.com/en/company/security-commitment/\u003c/a\u003e\"}]}], \"credits\": [{\"lang\": \"en\", \"value\": \"Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA.\", \"type\": \"finder\"}], \"source\": {\"advisory\": \"ICSA-26-078-08\", \"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24060\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T14:49:21.420075Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-319\", \"description\": \"CWE-319 Cleartext Transmission of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T14:49:11.001Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24060\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"icscert\", \"dateReserved\": \"2026-03-12T19:57:03.348Z\", \"datePublished\": \"2026-03-20T23:19:05.223Z\", \"dateUpdated\": \"2026-03-23T15:55:53.047Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.