CVE-2025-0657: CWE-129 Improper Validation of Array Index in Automated Logic WebCtrl
A weakness in Automated Logic and Carrier i-Vu Gen5 router on driver version drv_gen5_106-01-2380 allows malformed packets to be sent through a BACnet MS/TP network, causing the devices to enter a fault state. This fault state requires a manual power cycle to return the device to network visibility.
AI Analysis
Technical Summary
CVE-2025-0657 is a vulnerability identified in Automated Logic's WebCtrl and Carrier's i-Vu Gen5 routers, specifically in driver version drv_gen5_106-01-2380. The root cause is improper validation of array indices (CWE-129) when processing BACnet MS/TP protocol packets. BACnet MS/TP is a widely used protocol in building automation systems for communication between devices such as HVAC controllers, lighting, and security systems. The vulnerability allows an attacker to send specially crafted malformed packets over the BACnet MS/TP network, which triggers an out-of-bounds array access or similar memory corruption condition. This causes the device to enter a fault state, effectively disconnecting it from the network and disabling its functionality. Recovery requires a manual power cycle, indicating that the fault state is persistent and cannot be resolved remotely. The CVSS 4.0 score of 8.8 reflects the high impact on availability (VC:H), low impact on confidentiality and integrity, no required privileges or user interaction, and the ability to exploit remotely over the network. No patches or fixes have been published yet, and no known exploits are reported in the wild, but the vulnerability poses a significant risk to operational continuity in environments relying on these devices. The vulnerability also relates to CWE-248 (Uncaught Exception), suggesting that the device software does not properly handle unexpected conditions triggered by malformed input. Given the critical role of these devices in building management, exploitation could disrupt HVAC, lighting, and other essential services.
Potential Impact
For European organizations, the primary impact is on the availability and reliability of building automation systems that use Automated Logic WebCtrl or Carrier i-Vu Gen5 routers. Disruption of these systems can lead to loss of environmental controls such as heating, ventilation, air conditioning, and lighting, which can affect occupant comfort, safety, and energy efficiency. In critical infrastructure facilities, hospitals, data centers, and large commercial buildings, such outages could have cascading effects on operations and safety compliance. The requirement for manual power cycling means that remote recovery is not possible, increasing downtime and operational costs. Additionally, attackers could leverage this vulnerability as part of a broader attack to cause physical disruption or to create entry points for further network intrusion. The lack of authentication or user interaction for exploitation increases the risk, especially in environments where BACnet MS/TP networks are accessible or insufficiently segmented. European organizations with extensive building automation deployments are therefore at risk of operational interruptions and potential safety hazards.
Mitigation Recommendations
1. Immediately segment BACnet MS/TP networks from general IT networks and restrict access to trusted devices only.
2. Implement network monitoring and anomaly detection specifically for BACnet traffic to identify malformed or suspicious packets early.
3. Establish manual recovery procedures and ensure facility staff are trained to perform power cycles safely and promptly if devices enter a fault state.
4. Coordinate with Automated Logic and Carrier for timely release and deployment of patches or firmware updates once available.
5. Consider deploying network-level protections such as BACnet-aware firewalls or protocol gateways that can validate packet integrity before forwarding.
6. Conduct regular audits of building automation network architecture to minimize exposure and ensure compliance with security best practices.
7. Maintain an inventory of affected devices and prioritize their protection in critical facilities.
8. Engage with vendors for potential workarounds or configuration changes that may mitigate the vulnerability until patches are released.
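A receive-side header check of the kind a BACnet-aware filter or monitor (recommendations 2 and 5) could apply before a frame reaches a parser, added here as an example and not taken from the vendor's driver or from this advisory. The advisory does not say which field the driver mishandles; the frame layout and header CRC follow the published MS/TP framing, `MSTP_MAX_DATA` assumes non-extended frames, the function and enum names are hypothetical, and the data CRC is not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSTP_HEADER_LEN 8u   /* 0x55 0xFF, type, dst, src, len hi, len lo, header CRC */
#define MSTP_MAX_DATA   501u /* assumption: largest data field of a non-extended frame */

enum mstp_verdict { MSTP_OK, MSTP_SHORT, MSTP_PREAMBLE, MSTP_HEADER_CRC,
                    MSTP_LENGTH, MSTP_TRUNCATED };

/* One step of the MS/TP header CRC-8 (x^8 + x^7 + 1), shift-and-XOR form. */
static uint8_t mstp_crc8(uint8_t data, uint8_t crc_in)
{
    uint16_t crc = (uint16_t)(crc_in ^ data);
    crc = crc ^ (crc << 1) ^ (crc << 2) ^ (crc << 3) ^ (crc << 4)
              ^ (crc << 5) ^ (crc << 6) ^ (crc << 7);
    return (uint8_t)((crc & 0xfe) ^ ((crc >> 8) & 1));
}

/* Decide whether a captured frame is safe to hand to a parser or to forward. */
enum mstp_verdict mstp_check_frame(const uint8_t *buf, size_t n)
{
    if (buf == NULL || n < MSTP_HEADER_LEN)
        return MSTP_SHORT;
    if (buf[0] != 0x55 || buf[1] != 0xFF)
        return MSTP_PREAMBLE;
    /* CRC runs over type, dst, src, length and the CRC octet; a good header leaves 0x55. */
    uint8_t crc = 0xFF;
    for (size_t i = 2; i < MSTP_HEADER_LEN; i++)
        crc = mstp_crc8(buf[i], crc);
    if (crc != 0x55)
        return MSTP_HEADER_CRC;
    /* The length comes from the wire: bound it before it sizes any copy or index. */
    size_t len = ((size_t)buf[5] << 8) | buf[6];
    if (len > MSTP_MAX_DATA)
        return MSTP_LENGTH;
    /* A non-empty data field is followed by a 2-octet data CRC. */
    size_t need = MSTP_HEADER_LEN + (len ? len + 2 : 0);
    if (n < need)
        return MSTP_TRUNCATED;
    return MSTP_OK;
}

int main(void)
{
    /* Constructed sample: token frame from station 0x05 to 0x10, no data. */
    const uint8_t token[] = { 0x55, 0xFF, 0x00, 0x10, 0x05, 0x00, 0x00, 0x8C };
    printf("token verdict: %d\n", mstp_check_frame(token, sizeof token));
    return 0;
}
```

A monitor would log every verdict other than `MSTP_OK` together with the source address octet, which gives the anomaly signal recommendation 2 asks for.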
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Carrier
- Date Reserved: 2025-01-22T20:22:14.084Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6927a51dd322a87b22026c0f
Added to database: 11/27/2025, 1:10:53 AM
Last enriched: 11/27/2025, 1:25:10 AM
Last updated: 11/27/2025, 3:35:25 AM