CVE-2025-0657 identifies a critical vulnerability in Automated Logic's WebCtrl and Carrier's i-Vu Gen5 router devices running driver version drv_gen5_106-01-2380. The root cause is improper validation of array indexes (CWE-129), which allows specially crafted BACnet MS/TP packets to cause the device firmware to access invalid memory locations. This leads the device to enter a fault state where it becomes unresponsive on the network. Recovery from this state requires a manual power cycle, as the device does not self-recover. The vulnerability is exploitable remotely over the BACnet MS/TP protocol without any authentication or user interaction, making it highly accessible to attackers with network access. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N) reflects network attack vector, low complexity, no privileges or user interaction needed, and high impact on confidentiality, with limited impact on integrity and availability. Although no public exploits are known, the potential for denial of service and operational disruption in building automation systems is significant. The affected products are widely used in smart building and industrial control environments, where continuous availability is critical. The vulnerability also relates to CWE-248, indicating improper handling of exceptional conditions, which compounds the risk of device failure. No patches have been published yet, so mitigation relies on network controls and monitoring.

The primary impact of CVE-2025-0657 is operational disruption due to denial of service. Affected devices enter a fault state and become unreachable on the network, requiring manual intervention to restore functionality. For European organizations, especially those managing critical infrastructure, commercial buildings, or industrial facilities using Automated Logic WebCtrl or Carrier i-Vu Gen5 systems, this can lead to significant downtime, loss of control over HVAC, lighting, or security systems, and potential safety risks. The vulnerability also poses a risk to confidentiality, as indicated by the CVSS vector, suggesting that malformed packets could potentially expose sensitive information or allow attackers to infer system states. The ease of exploitation without authentication increases the threat surface, particularly in environments where BACnet MS/TP networks are accessible or insufficiently segmented. Disruption of building automation systems can have cascading effects on energy management, occupant comfort, and emergency response capabilities. The lack of automatic recovery means that attacks can cause prolonged outages until physical access is possible. This vulnerability could also be leveraged as part of a broader attack targeting industrial control systems in Europe, where smart building technologies are increasingly integrated with operational technology networks.

Given the absence of an official patch, European organizations should implement immediate network-level mitigations. First, segment BACnet MS/TP networks from general IT and internet-facing networks using VLANs and firewalls to restrict access to trusted devices only. Deploy deep packet inspection or protocol-aware filtering to detect and block malformed BACnet packets that could exploit the vulnerability. Monitor network traffic for unusual BACnet MS/TP activity or device fault states to enable rapid incident response. Establish physical security controls to ensure quick access for manual power cycling if devices enter a fault state. Engage with Automated Logic and Carrier for updates on patch availability and apply firmware updates promptly once released. Conduct regular vulnerability assessments and penetration testing focused on building automation systems to identify exposure. Additionally, consider deploying intrusion detection systems tailored for industrial protocols to detect exploitation attempts. Document and rehearse incident response procedures specific to building management system outages to minimize downtime. Finally, review and update asset inventories to identify all affected devices across facilities.