CVE-2026-24060: CWE-319 in Automated Logic WebCTRL Premium Server
Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
AI Analysis
Technical Summary
CVE-2026-24060 is a vulnerability classified under CWE-319 (Cleartext Transmission of Sensitive Information) affecting Automated Logic's WebCTRL Premium Server. The issue arises because service information transmitted over the network as BACnet packets is not encrypted, allowing attackers with network access to passively capture and analyze this data. Specifically, sensitive information such as File Start Position and File Data can be extracted using Wireshark's BACnet dissector filter. Additionally, the proprietary format used by WebCTRL to receive updates from programmable logic controllers (PLCs) can be sniffed and reverse engineered, potentially exposing update mechanisms and internal protocols. The vulnerability has a CVSS 3.1 base score of 9.1, reflecting its critical severity due to network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality and integrity (C:H/I:H/A:N). This means an attacker can exploit the vulnerability remotely without authentication or user interaction, leading to significant data exposure and potential manipulation. Although no public exploits have been reported yet, the vulnerability poses a serious risk to industrial control systems and building management systems relying on WebCTRL Premium Server. The lack of encryption in BACnet communications is a fundamental security weakness that can be exploited in environments where network segmentation or monitoring is insufficient. The vulnerability was published on March 20, 2026, and no patches or mitigations have been officially released by the vendor at the time of this report.
Potential Impact
The impact of CVE-2026-24060 is substantial for organizations using Automated Logic WebCTRL Premium Server in their industrial control or building automation environments. Confidentiality is severely compromised as attackers can intercept sensitive configuration and update data transmitted in cleartext. Integrity is also at risk because intercepted packets can be modified, potentially allowing attackers to alter commands or updates sent to PLCs, leading to unauthorized control or disruption of critical systems. Although availability impact is not directly indicated, manipulation of control data could indirectly cause system malfunctions or downtime. The vulnerability enables remote attackers to exploit the system without authentication or user interaction, increasing the attack surface significantly. Organizations operating critical infrastructure such as energy, manufacturing, water treatment, and large commercial buildings could face operational disruptions, safety hazards, and regulatory compliance issues if this vulnerability is exploited. The ability to reverse engineer proprietary update formats further increases the risk of sophisticated attacks targeting the update mechanism or injecting malicious payloads. Overall, the vulnerability threatens the confidentiality and integrity of industrial control communications, which are vital for safe and reliable operations.
Mitigation Recommendations
To mitigate CVE-2026-24060, organizations should implement the following specific measures:
1. Immediately segment and isolate networks running WebCTRL Premium Server and BACnet traffic to limit exposure to untrusted networks or users.
2. Deploy VPNs or secure tunneling protocols (e.g., IPsec, TLS) to encrypt BACnet communications over the network, compensating for the lack of native encryption.
3. Use network monitoring tools with BACnet protocol awareness to detect unusual traffic patterns or unauthorized sniffing attempts.
4. Restrict physical and logical access to network infrastructure and devices involved in BACnet communications to trusted personnel only.
5. Engage with Automated Logic for any available patches or firmware updates addressing this vulnerability and apply them promptly once released.
6. Consider implementing additional application-layer encryption or authentication mechanisms if supported by the control system architecture.
7. Conduct regular security assessments and penetration tests focusing on industrial control system networks to identify and remediate similar weaknesses.
8. Train operational technology (OT) staff on the risks of unencrypted protocols and best practices for securing control system communications.
These measures go beyond generic advice by focusing on compensating controls for the protocol's inherent lack of encryption and emphasizing network architecture hardening.
Affected Countries
United States, Canada, Germany, United Kingdom, France, Australia, Japan, South Korea, China, Brazil, Mexico, Italy, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-03-12T19:57:03.348Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdda56b462d409683a8bc9
Added to database: 3/20/2026, 11:37:58 PM
Last enriched: 3/20/2026, 11:38:14 PM
Last updated: 3/21/2026, 3:28:15 AM