
CVE-2025-0658: CWE-20 Improper Input Validation in Automated Logic Zone Controllers

Severity: High
Tags: Vulnerability, CVE-2025-0658, cve, cwe-20
Published: Thu Nov 27 2025 (11/27/2025, 01:00:16 UTC)
Source: CVE Database V5
Vendor/Project: Automated Logic
Product: Zone Controllers

Description

A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed.

AI-Powered Analysis

Last updated: 12/04/2025, 04:24:23 UTC

Technical Analysis

CVE-2025-0658 is a vulnerability identified in Automated Logic and Carrier's Zone Controllers, which are devices used in building automation systems to control HVAC and other environmental parameters. The vulnerability arises from improper input validation (CWE-20) in the handling of BACnet protocol packets. Specifically, an attacker can send a crafted BACnet packet that causes the device to crash and enter a fault state. After the device is reset, a second malicious packet can cause the controller to become permanently unresponsive, requiring a manual power cycle to recover. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity: the attack vector is network-based (AV:N), attack complexity is low (AC:L), no privileges are required (PR:N), no user interaction is needed (UI:N), and the impact is on availability only (VA:H), with no confidentiality or integrity impact. This means an unauthenticated attacker can remotely cause a denial of service condition. The lack of patches at the time of disclosure means affected organizations must rely on mitigations such as network controls and monitoring. The affected version is listed as '0', which likely indicates all current versions or an unspecified version set. The BACnet protocol is widely used in building automation, making this vulnerability particularly relevant for facilities management and critical infrastructure sectors.

Potential Impact

The primary impact of CVE-2025-0658 is denial of service on Automated Logic and Carrier Zone Controllers, which can disrupt HVAC and environmental controls in buildings. For European organizations, this could lead to operational downtime in commercial buildings, data centers, hospitals, and other critical facilities relying on these controllers. Disruptions could affect occupant comfort, safety, and potentially lead to secondary impacts such as overheating of equipment or failure of climate-sensitive processes. Since the vulnerability requires no authentication and can be exploited remotely, attackers could target multiple devices simultaneously, amplifying the impact. The need for manual power cycling to recover devices increases operational burden and response time. In sectors such as healthcare, manufacturing, and critical infrastructure, such disruptions could have significant economic and safety consequences. Additionally, the vulnerability could be leveraged as part of a broader attack campaign targeting building automation systems in Europe, especially in countries with high adoption of Automated Logic or Carrier products.

Mitigation Recommendations

1. Implement strict network segmentation to isolate BACnet traffic from untrusted networks and the internet, limiting exposure of Zone Controllers.
2. Deploy network monitoring and intrusion detection systems capable of analyzing BACnet protocol traffic to detect anomalous or malformed packets indicative of exploitation attempts.
3. Establish incident response procedures including readiness for manual power cycling of affected devices to restore functionality promptly.
4. Engage with Automated Logic and Carrier for updates or patches and apply them as soon as they become available.
5. Restrict access to building automation networks using firewalls and VPNs with strong authentication to reduce attack surface.
6. Conduct regular security assessments and penetration testing focused on building automation systems to identify and remediate weaknesses.
7. Maintain an inventory of all Zone Controllers and their firmware versions to prioritize mitigation efforts.
8. Educate facility management and IT teams about this vulnerability and the importance of monitoring BACnet traffic and device status.
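
A passive check of the kind recommendation 2 describes, as an added example that is not part of the original advisory or any vendor tooling: it validates the BVLC header of BACnet/IP datagrams seen on UDP 47808 and flags sources outside an allowlist. The allowlisted subnet and the sample datagrams are constructed, and the checks are generic structural validation, not a signature for the CVE-2025-0658 packet, which the advisory does not describe.

```python
import ipaddress
import struct

BVLL_BACNET_IP = 0x81                      # BVLC type byte for BACnet/IP (UDP 47808)
KNOWN_FUNCTIONS = set(range(0x00, 0x0C))   # BVLC functions defined for BACnet/IP
NPDU_OFFSET = {0x04: 10, 0x09: 4, 0x0A: 4, 0x0B: 4}  # functions that carry an NPDU

# Assumption: hypothetical subnet where legitimate BACnet clients live.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed samples: a well-formed Who-Is broadcast and a datagram whose
# BVLC length field (64) disagrees with its real size (8 bytes).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
BAD_LENGTH = bytes.fromhex("810a004001040005")


def inspect_datagram(src_ip, payload):
    """Return findings for one UDP/47808 payload; an empty list means clean."""
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_SOURCES):
        findings.append("source outside BACnet allowlist")
    if len(payload) < 4:
        return findings + ["truncated BVLC header"]
    bvlc_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvlc_type != BVLL_BACNET_IP:
        return findings + ["unexpected BVLC type 0x%02x" % bvlc_type]
    if function not in KNOWN_FUNCTIONS:
        findings.append("unknown BVLC function 0x%02x" % function)
    if length != len(payload):
        findings.append("BVLC length %d != datagram length %d" % (length, len(payload)))
    offset = NPDU_OFFSET.get(function)
    if offset is not None:
        if len(payload) < offset + 2:
            findings.append("NPDU missing or truncated")
        elif payload[offset] != 0x01:      # NPDU protocol version is always 1
            findings.append("unexpected NPDU version %d" % payload[offset])
    return findings


if __name__ == "__main__":
    for src, pkt in [("10.20.0.15", WHO_IS), ("192.0.2.50", WHO_IS),
                     ("10.20.0.15", BAD_LENGTH)]:
        print(src, pkt.hex(), inspect_datagram(src, pkt) or "ok")
```

Findings from a check like this are best forwarded to the same alerting channel as controller fault-state alarms, so a malformed datagram and a subsequent device fault can be correlated.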


Technical Details

Data Version: 5.2
Assigner Short Name: Carrier
Date Reserved: 2025-01-22T20:22:16.305Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6927a51dd322a87b22026c12

Added to database: 11/27/2025, 1:10:53 AM

Last enriched: 12/4/2025, 4:24:23 AM

Last updated: 1/11/2026, 6:14:27 AM
