Project Brainfog, conducted by researcher Gjoko Krstic, uncovered hundreds of zero-day vulnerabilities in a legacy building automation codebase that has been in use for approximately 18 years. This codebase underpins smart building systems controlling critical infrastructure in hospitals, schools, offices, and other facilities worldwide. The vulnerabilities span a wide range of security issues, potentially allowing attackers to gain unauthorized access, manipulate building controls, disrupt operations, or exfiltrate sensitive data. The age of the codebase suggests that it was developed before modern secure coding practices and threat models were widely adopted, resulting in systemic weaknesses. Although no public patches or fixes have been released yet, and no active exploits have been observed, the exposure of these vulnerabilities highlights a significant risk to operational technology environments. The affected systems are often integrated into critical infrastructure, making them attractive targets for attackers seeking to cause disruption or gain strategic advantages. The lack of detailed affected versions and absence of CVSS scores complicate precise risk quantification, but the medium severity assigned by the source likely reflects the potential for impactful attacks if exploited. The vulnerabilities may not require authentication or user interaction, increasing the ease of exploitation. The research underscores the urgent need for modernization and security hardening of building automation systems.

For European organizations, the impact of these vulnerabilities could be severe, particularly in sectors such as healthcare, education, and corporate facilities where building automation controls critical environmental and safety systems. Exploitation could lead to unauthorized manipulation of HVAC, lighting, access control, and safety alarms, potentially endangering occupant safety and disrupting essential services. Confidentiality breaches could expose sensitive operational data or personal information. Integrity attacks might alter system configurations or disable safety mechanisms, while availability impacts could cause outages or denial of service in critical facilities. Given the integration of these systems with broader IT and OT networks, a successful attack could serve as a foothold for lateral movement and further compromise. The widespread deployment across Europe means many organizations may be unknowingly vulnerable, increasing the risk of coordinated or opportunistic attacks. The lack of known exploits currently provides a window for proactive mitigation, but the threat remains significant due to the systemic nature of the vulnerabilities and the criticality of affected environments.

European organizations should immediately conduct comprehensive security audits of their building automation systems, focusing on identifying legacy components related to the exposed codebase. Network segmentation should be enforced to isolate building automation networks from corporate IT and internet-facing systems, reducing attack surface and lateral movement potential. Deploying strict access controls and multi-factor authentication for management interfaces can limit unauthorized access. Monitoring and anomaly detection tailored to OT environments should be enhanced to detect suspicious activities early. Where possible, organizations should engage with vendors or security researchers to obtain patches or mitigations, or consider upgrading to modern, secure building automation platforms. Incident response plans should be updated to include scenarios involving building automation system compromise. Additionally, organizations should raise awareness among facility management and IT teams about the risks and encourage collaboration to address these vulnerabilities holistically. Given the absence of official patches, compensating controls such as virtual patching via firewalls and intrusion prevention systems should be implemented.