CVE-2026-24060: CWE-319 in Automated Logic WebCTRL Premium Server
Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
AI Analysis
Technical Summary
CVE-2026-24060 is a vulnerability categorized under CWE-319 (Cleartext Transmission of Sensitive Information) affecting Automated Logic's WebCTRL Premium Server. The issue arises because BACnet packets, which carry service information including File Start Position and File Data, are transmitted over the network without encryption. Attackers with network access can use packet sniffing tools such as Wireshark with BACnet dissector filters to capture and analyze this traffic. This exposure allows attackers to glean sensitive operational details and potentially modify the intercepted data, compromising the integrity of communications between the WebCTRL server and PLCs. Additionally, the proprietary format used by WebCTRL for receiving updates from PLCs can be reverse engineered from the intercepted data, potentially enabling further attacks or unauthorized manipulation. The vulnerability requires no authentication or user interaction, making it exploitable by any attacker with network access to the BACnet traffic. The CVSS v3.1 base score is 9.1, reflecting the high impact on confidentiality and integrity with network attack vector and low attack complexity. No patches are currently listed, and no known exploits have been reported in the wild as of the publication date. This vulnerability primarily affects organizations using Automated Logic's WebCTRL Premium Server in their building automation and control systems, especially those relying on BACnet protocol communications.
Potential Impact
The primary impact of CVE-2026-24060 is the exposure of sensitive operational data transmitted in cleartext over the network, which compromises confidentiality. Attackers can intercept and analyze BACnet packets to extract critical information such as file positions and data used in PLC updates. This can lead to unauthorized disclosure of system internals and potentially facilitate further attacks such as data manipulation or injection of malicious commands, thereby impacting data integrity. Although availability is not directly affected, the integrity compromise could lead to operational disruptions if attackers modify control data. The vulnerability is particularly severe because it requires no authentication or user interaction, making exploitation straightforward for anyone with network access. Organizations relying on WebCTRL for building automation, HVAC, or industrial control systems could face operational risks, regulatory compliance issues, and potential safety hazards if attackers leverage this vulnerability. The lack of encryption also increases the risk in environments where network segmentation or monitoring is insufficient.
Mitigation Recommendations
To mitigate CVE-2026-24060, organizations should implement network-level protections to prevent unauthorized access to BACnet traffic. This includes strict network segmentation to isolate building automation systems from general IT networks and the internet. Deploying Virtual Private Networks (VPNs) or secure tunnels such as IPsec for BACnet communications can encrypt traffic and prevent sniffing. Monitoring network traffic for unusual BACnet packet patterns or unexpected modifications can help detect exploitation attempts. Where possible, upgrading to versions of WebCTRL that implement encryption or secure communication protocols should be prioritized once available. Additionally, applying strict access controls and limiting physical and logical access to network segments carrying BACnet traffic reduces exposure. Organizations should also engage with Automated Logic for patches or security advisories and consider compensating controls such as intrusion detection systems tailored for industrial protocols. Regular security assessments and penetration testing focusing on building automation networks can identify weaknesses related to this vulnerability.
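One way to implement the BACnet traffic monitoring recommended above, as an added example that is not part of the original advisory or any vendor tooling: it walks the BVLC, NPDU and APDU headers of BACnet/IP datagrams and reports atomic file services between hosts that are not an allowlisted pair. It assumes the File Start Position and File Data fields named in the description are the parameters of the standard AtomicReadFile and AtomicWriteFile services; the addresses, the allowlist and the sample datagrams are constructed.

```python
import struct

# Confirmed-service choices whose parameters include File Start Position / File Data.
FILE_SERVICES = {6: "AtomicReadFile", 7: "AtomicWriteFile"}
# BVLC function -> NPDU offset (Forwarded-NPDU carries a 6-byte origin address).
NPDU_OFFSET = {0x0A: 4, 0x0B: 4, 0x04: 10}
# APDU type -> fixed header length before the service choice.
APDU_HEADER = {0: 3, 3: 2}   # Confirmed-Request, Complex-ACK

def file_service(p: bytes):
    """Return the atomic file service carried in a BACnet/IP datagram, else None."""
    try:
        if len(p) < 4 or p[0] != 0x81 or struct.unpack("!H", p[2:4])[0] != len(p):
            return None                        # not a well-formed BVLC frame
        off = NPDU_OFFSET.get(p[1])
        if off is None or p[off] != 0x01:      # unsupported function or NPDU version
            return None
        control = p[off + 1]
        off += 2
        if control & 0x80:                     # network-layer message, no APDU
            return None
        if control & 0x20:                     # DNET(2) DLEN(1) DADR(DLEN)
            off += 3 + p[off + 2]
        if control & 0x08:                     # SNET(2) SLEN(1) SADR(SLEN)
            off += 3 + p[off + 2]
        if control & 0x20:                     # hop count follows when DNET is present
            off += 1
        header = APDU_HEADER.get(p[off] >> 4)
        if header is None:
            return None
        off += header + (2 if p[off] & 0x08 else 0)  # segmented: sequence no. + window
        return FILE_SERVICES.get(p[off])
    except IndexError:                         # truncated datagram
        return None

def unexpected_file_transfers(datagrams, allowed_pairs):
    """datagrams: (src_ip, dst_ip, udp_payload) tuples from a capture or tap."""
    return [(s, d, svc) for s, d, p in datagrams
            if (svc := file_service(p)) and frozenset((s, d)) not in allowed_pairs]

def frame(func, hexbody):                      # builds constructed sample datagrams
    body = bytes.fromhex(hexbody)
    return bytes([0x81, func]) + struct.pack("!H", 4 + len(body)) + body

# Constructed samples; addresses are documentation-range placeholders.
SAMPLES = [
    ("192.0.2.99", "192.0.2.20", frame(0x0A, "010400050106c4028000010e310021400f")),
    ("192.0.2.99", "192.0.2.20", frame(0x0A, "01040005020c0c000000011955")),
    ("192.0.2.10", "192.0.2.20", frame(0x0A, "01240005010aff00050307c402800001")),
]
ALLOWED = {frozenset(("192.0.2.10", "192.0.2.20"))}  # assumed server/controller pair
```

Calling `unexpected_file_transfers(SAMPLES, ALLOWED)` reports only the first sample: the second is a ReadProperty request, and the third is a routed AtomicWriteFile between the allowlisted pair.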
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, United Arab Emirates, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-03-12T19:57:03.348Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdda56b462d409683a8bc9
Added to database: 3/20/2026, 11:37:58 PM
Last enriched: 3/28/2026, 9:43:26 PM
Last updated: 5/3/2026, 3:49:50 AM