LeakyCreds

CVE-2026-24060 - Vulnerability Analysis

Critical (CVSS: 9.1)

Last Updated: March 21, 2026

WebCTRL - Man in the Middle

Published: March 21, 2026
Updated: March 21, 2026
Remote Exploitable

Overview

WebCTRL transmits BACnet packets without encryption, allowing an attacker on the network to sniff and modify sensitive service information such as File Start Position and File Data. Exploitation requires network access to the BACnet traffic.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can intercept and modify sensitive BACnet service information, leading to information disclosure and data tampering.

Mitigation

Implement encryption for BACnet packet transmission or update to a version that secures network communications.

Social Media Activity (4 posts)

Offensive Sequence (@offseq)
Mar 21, 2026

CVE-2026-24060 (CRITICAL): WebCTRL Premium Server sends BACnet data in cleartext, risking interception & modification. No patch yet — segment OT networks & use VPNs for BACnet traffic. Monitor for sniffing, restrict access. Details: https://radar.offseq.com/threat/cve-2026-24060-cwe-319-in-automated-logic-webctrl--ad487a9d #OffSeq #ICS #Vuln #BACnet

BeyondMachines (@beyondmachines1)
Mar 20, 2026

Multiple Flaws Reported in Automated Logic WebCTRL Premium Server
Automated Logic patched three vulnerabilities in its WebCTRL Premium Server, including a critical cleartext flaw (CVE-2026-24060), that allow attackers to intercept sensitive data and spoof commands in building automation systems. **If you are using Automated Logic WebCTRL, make sure it's isolated from the internet and your office network. Then plan a patch. Legacy versions 7.x will not be updated so plan an upgrade.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/multiple-flaws-reported-in-automated-logic-webctrl-premium-server-m-r-3-3-r/gD2P6Ple2L


Details

CVE ID: CVE-2026-24060
Severity: Critical
CVSS Score: 9.1
Type: man_in_the_middle
Status: new
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-319

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.0% (probability of exploitation in the next 30 days)