CVE-2026-22885: CWE-125 in EnOcean Edge Inc SmartServer IoT
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior that would allow remote attackers to send specially crafted LON IP-852 management messages, resulting in a memory leak (disclosure of contents) from the program's memory.
AI Analysis
Technical Summary
CVE-2026-22885 identifies an out-of-bounds read (CWE-125) in EnOcean Edge Inc's SmartServer IoT, affecting version 4.60.009 and earlier. The flaw is in the handling of LON IP-852 management messages. IP-852 (EIA/CEA-852, ISO/IEC 14908-4) tunnels LonTalk/LonWorks packets over IP and is the channel through which SmartServer devices are managed in building-automation networks; it runs over UDP, port 1628 by default. A remote attacker who can reach that service can send a specially crafted IP-852 message that makes the parser read beyond the bounds of a buffer. The advisory calls the result a "memory leak", but the CWE mapping and the confidentiality-only impact show that this means disclosure of the program's memory contents to the sender, not a resource leak: bytes from adjacent memory (configuration, session state, or whatever happens to be nearby) can be returned to the attacker. Integrity and availability are not affected.

The CVSS v3.1 base score is 3.7 (Low). The attack vector is network-based and requires neither privileges nor user interaction, so the low score comes from the high attack complexity and the limited confidentiality impact; these metrics correspond to the vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. What the high attack complexity reflects in practice (for example, how much memory a single crafted message can expose) is not stated in the advisory. No patch or fix had been released at the time of publication and no exploitation in the wild is known. SmartServer IoT is deployed as an edge controller in smart-building and industrial-automation networks where IP-852 is used for device management, so the vulnerable service is normally reachable from any host on the automation network.
Potential Impact
The primary impact is disclosure of device memory: each crafted message can return bytes from beyond the intended buffer, which may include configuration or operational data, session state or other secrets that happen to sit in adjacent memory. The vulnerability gives no direct control over the device and does not disrupt it, but what is recovered can feed reconnaissance or a later attack against the SmartServer or the LON network behind it. Organizations that rely on SmartServer IoT for building automation or industrial control therefore face a data-exposure risk rather than an availability risk, and immediate operational disruption is unlikely. In environments where confidentiality is paramount, such as government facilities, healthcare or critical infrastructure, even a low-severity leak can matter. Because no authentication is required and the service is reachable over the network, the exposure is largest where the IP-852 port can be reached from untrusted or poorly segmented networks; on a properly isolated automation segment the attacker must first gain a foothold there.
Mitigation Recommendations
Because no fix was available at publication, the available controls are network controls. Isolate SmartServer IoT devices on a dedicated automation network segment with no path from the Internet or from general-purpose user networks. On the firewall or router in front of that segment, allow inbound IP-852 traffic (UDP, port 1628 by default; confirm the port actually configured on the device) only from the addresses of trusted LON management stations and configuration servers, and drop everything else; since IP-852 runs over UDP, add anti-spoofing filters at the segment boundary as well. Monitor that traffic for malformed IP-852 messages, in particular datagrams whose declared length does not match what was received or that arrive from unexpected sources, which is the signature one would expect from an attempt to trigger this over-read. Track EnOcean's advisory channel for fixed firmware and apply it as soon as it is published; until then, ask the vendor for workarounds. Keep an inventory of all SmartServer IoT devices with their firmware versions so the affected population (4.60.009 and earlier) is known, include IoT and building-automation systems in regular security assessments and penetration tests, and deploy an IDS with LON/IP-852 protocol awareness where available to get early warning of exploitation attempts.
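The check that both the out-of-bounds read in the Technical Summary and the traffic-monitoring recommendation above turn on is the same one: a length field inside the message must never be trusted beyond the number of bytes that actually arrived. The following is an added example written for this page, not code from EnOcean or the SmartServer product. It validates IP-852-style datagrams the way a hardened parser must, and doubles as a monitoring pass over captured traffic. The 20-byte common header layout, the version value 1 and the packet-type codes are assumptions (the EIA-852 header as recalled by the editor; verify offsets against the standard before using this on live traffic), and the sample datagrams are constructed, not captured.

```python
"""Length-field sanity checks for IP-852 style datagrams.

Added example for this page, not code from EnOcean or the SmartServer.
The 20-byte common header layout below is the EIA-852 header as the
editor recalls it and is an ASSUMPTION; check the field offsets against
ISO/IEC 14908-4 before using this on live traffic.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Assumed layout: total length, version, packet type, ext header type,
# protocol flags, vendor code, session id, sequence number, timestamp.
HEADER_FMT = ">HBBBBHIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 20 bytes under this assumption
IP852_VERSION = 1                                 # assumed version value
KNOWN_TYPES: Dict[int, str] = {0x01: "data", 0x63: "device config request"}  # assumed


def inspect_datagram(dgram: bytes) -> List[str]:
    """Return the reasons a datagram looks malformed (empty list = consistent).

    These are the checks a parser must make before it trusts the declared
    length; omitting the over-read check is the classic CWE-125 pattern.
    """
    reasons: List[str] = []
    if len(dgram) < HEADER_LEN:
        reasons.append(f"truncated header: {len(dgram)} < {HEADER_LEN} bytes")
        return reasons  # no field below can be read safely
    declared_len, version, ptype = struct.unpack_from(">HBB", dgram, 0)
    if version != IP852_VERSION:
        reasons.append(f"unexpected version {version}")
    if ptype not in KNOWN_TYPES:
        reasons.append(f"unknown packet type 0x{ptype:02x}")
    if declared_len > len(dgram):
        # A parser that copies declared_len bytes reads past its receive
        # buffer and hands whatever lies beyond it back to the sender.
        reasons.append(
            f"declared length {declared_len} exceeds datagram length "
            f"{len(dgram)} (over-read of {declared_len - len(dgram)} bytes)"
        )
    elif declared_len < HEADER_LEN:
        reasons.append(f"declared length {declared_len} shorter than header")
    return reasons


def safe_payload(dgram: bytes) -> Optional[bytes]:
    """Hardened extraction: honour the length field only after bounds-checking it."""
    if inspect_datagram(dgram):
        return None
    declared_len = struct.unpack_from(">H", dgram, 0)[0]
    return dgram[HEADER_LEN:declared_len]


def scan(datagrams: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Monitoring pass: (index, reasons) for every datagram that fails a check."""
    return [(i, r) for i, d in enumerate(datagrams) if (r := inspect_datagram(d))]


def build_datagram(declared_len: int, ptype: int, payload: bytes = b"",
                   version: int = IP852_VERSION) -> bytes:
    """Assemble a datagram with an arbitrary (possibly lying) length field."""
    hdr = struct.pack(HEADER_FMT, declared_len, version, ptype, 0, 0, 0, 0x1234, 1, 0)
    return hdr + payload


# Constructed sample traffic (not captured from a real device).
SAMPLES: List[bytes] = [
    build_datagram(HEADER_LEN + 4, 0x01, b"\xde\xad\xbe\xef"),  # consistent
    build_datagram(0xFFFF, 0x63, b"\x00"),                      # lying length field
    b"\x00\x14\x01\x01",                                        # cut off mid-header
    build_datagram(HEADER_LEN, 0x7F),                           # unknown packet type
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLES):
        print(f"datagram {idx}: " + "; ".join(reasons))
```

Fed from a capture on the IP-852 port, `scan` flags exactly the datagrams a monitoring rule for this bug should care about; `safe_payload` shows the ordering a parser needs, with the bounds check before any use of the length field.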
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Netherlands, Australia, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-12T00:19:51.033Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6998c0ac2c4d84f260ce40ab
Added to database: 2/20/2026, 8:14:36 PM
Last enriched: 2/28/2026, 2:19:28 PM
Last updated: 4/3/2026, 8:54:57 PM