CVE-2026-24060 Overview
CVE-2026-24060 is a cleartext transmission vulnerability affecting Automated Logic WebCTRL and the BACnet-based building automation controllers it manages. BACnet/IP provides neither encryption nor message authentication, so service information crosses the wire as plaintext and anyone on the network path can sniff, intercept, and modify it. Fields such as File Start Position and File Data, carried by the BACnet AtomicReadFile and AtomicWriteFile services, can be read straight out of a capture with Wireshark's BACnet dissectors. The proprietary format WebCTRL uses to receive updates from the PLC is equally visible on the wire and can be reverse engineered from captured traffic, exposing critical industrial control system communications.
Critical Impact
BACnet/IP carries building automation data with no encryption and no message authentication, so an attacker with network access can read it without any credentials and, from an on-path position, alter it undetected. Because the same protocol carries control commands and file transfers, this can reach HVAC, lighting, and access control systems in critical facilities.
Affected Products
- BACnet-based Building Automation Controllers
- WebCTRL Building Automation Software
- PLC devices communicating via BACnet protocol
Discovery Timeline
- 2026-03-21 - CVE-2026-24060 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-24060
Vulnerability Analysis
This vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information). It is not a flawed cipher but the absence of one: BACnet/IP (ASHRAE 135 Annex J) carries NPDU/APDU messages in UDP datagrams, normally on port 47808 (0xBAC0), with no encryption layer and no message authentication, so every service request and response crosses the network segment in plaintext.
Building automation systems using the protocol are particularly exposed because BACnet was designed for local, trusted networks. Modern deployments often span several segments or integrate with enterprise IT infrastructure, which dramatically increases the attack surface. Any host that can see the traffic, whether through a mirror port, a compromised switch, or an ARP-spoofed path, can passively collect sensitive operational data. An attacker who is actually on the path can also manipulate control commands sent to PLCs and other automation equipment, since nothing in the protocol lets the receiver detect the change.
The proprietary WebCTRL update mechanism adds a second dimension. Because the update format can be reverse engineered from packet captures, an attacker could potentially craft malicious update content or modify legitimate updates in transit. Whether tampered updates would be accepted depends on any integrity checks applied above the transport; cleartext BACnet itself provides none.
Root Cause
The root cause is the absence of transport-layer confidentiality and integrity for BACnet/IP communications. The protocol transmits all service information, including AtomicReadFile/AtomicWriteFile file operations and the PLC update data that WebCTRL consumes, in cleartext. This is a legacy design choice made for interoperability on isolated networks, and it provides no confidentiality or integrity protection for control system data that now traverses shared networks.
Attack Vector
The attack is network-based and requires no authentication or user interaction. Passive interception needs only visibility of the traffic (a mirror port, a tap, or a compromised switch); active modification requires an on-path position, typically gained by ARP spoofing between the WebCTRL server and the controllers. In Wireshark, the `bvlc`, `bacnet`, and `bacapp` display filters decode the BACnet/IP, network, and application layers respectively, and the AtomicReadFile/AtomicWriteFile exchanges show File Start Position and File Data in the clear. The captured traffic reveals system configuration, operational parameters, and the proprietary update format used by WebCTRL, which is what an attacker needs to forge commands or inject modified data into the communication stream.
Detection Methods for CVE-2026-24060
Indicators of Compromise
- Unusual BACnet traffic patterns or unexpected source addresses communicating with building automation controllers
- ARP spoofing activity on network segments hosting BACnet devices
- Unrecognized devices appearing on OT network segments containing automation controllers
- Anomalous PLC update requests or configuration changes outside maintenance windows
Detection Strategies
- Deploy network intrusion detection systems (NIDS) with BACnet protocol analysis capabilities on OT network segments
- Monitor for ARP anomalies that could indicate man-in-the-middle positioning attempts
- Implement network traffic baselining to identify deviations in BACnet communication patterns
- Use SentinelOne Singularity XDR to correlate network anomalies with endpoint behavior on engineering workstations
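The following is an added example, not code from the advisory, CISA, or Automated Logic. It decodes constructed BACnet/IP frames far enough to show what the Attack Vector section describes (the File Start Position and File Data of AtomicReadFile/AtomicWriteFile exchanges, readable in the clear) and then reuses that decoder as the kind of protocol-aware detection rule the strategies above call for: flagging file writes from hosts outside an approved engineering set, and file-read replies whose contents have already been exposed to any sniffer on the segment. The sample frames, host addresses, and the approved-writer list are hypothetical; header offsets and service-choice numbers follow ASHRAE 135.

```python
"""Added example (not advisory or Automated Logic code): a minimal BACnet/IP decoder
showing what a sniffer reads from cleartext file transfers, reused as a detection rule."""
from dataclasses import dataclass
from typing import Optional

PDU_CONFIRMED_REQ, PDU_COMPLEX_ACK = 0, 3          # APDU types (ASHRAE 135 Clause 20)
ATOMIC_READ_FILE, ATOMIC_WRITE_FILE = 6, 7         # confirmed service choices (Clause 21)


@dataclass
class BacnetMsg:
    pdu_type: int
    service: int                      # confirmed service choice, -1 if not decoded
    invoke_id: Optional[int] = None
    file_start: Optional[int] = None  # fileStartPosition, in octets
    file_data: Optional[bytes] = None # fileData exactly as it crossed the wire

def _tag(buf, i):
    """Decode one tag header at buf[i] -> (number, is_context, kind, length, next_i)."""
    b, i = buf[i], i + 1
    num, ctx, lvt = b >> 4, bool(b & 0x08), b & 0x07
    if num == 15:                     # extended tag number
        num, i = buf[i], i + 1
    if lvt in (6, 7):
        return num, ctx, "open" if lvt == 6 else "close", 0, i
    if not ctx and num in (0, 1):     # application NULL/BOOLEAN carry no content octets
        return num, ctx, "data", 0, i
    length = lvt
    if lvt == 5:                      # extended length: 254 -> 2-octet, 255 -> 4-octet
        length, i = buf[i], i + 1
        if length >= 254:
            size = 2 if length == 254 else 4
            length, i = int.from_bytes(buf[i:i + size], "big"), i + size
    return num, ctx, "data", length, i

def _stream_access(buf, i, msg):
    """Capture fileStartPosition/fileData from the streamAccess [0] choice
    (AtomicWriteFile-Request, AtomicReadFile-ACK); recordAccess [1] is not decoded."""
    depth, in_stream = 0, False
    while i < len(buf):
        num, ctx, kind, length, i = _tag(buf, i)
        if kind == "open":
            depth += 1
            in_stream = ctx and num == 0 and depth == 1
        elif kind == "close":
            depth, in_stream = depth - 1, False
        else:
            value, i = buf[i:i + length], i + length
            if in_stream and not ctx and num == 3:      # application tag 3: Signed Integer
                msg.file_start = int.from_bytes(value, "big", signed=True)
            elif in_stream and not ctx and num == 6:    # application tag 6: Octet String
                msg.file_data = bytes(value)

def decode(frame: bytes) -> BacnetMsg:
    """Decode one BACnet/IP UDP payload (port 47808) down to its service choice."""
    if frame[0] != 0x81 or int.from_bytes(frame[2:4], "big") != len(frame):
        raise ValueError("not a well-formed BACnet/IP BVLC frame")
    i = 10 if frame[1] == 0x04 else 4  # Forwarded-NPDU carries a 6-octet B/IP address
    if frame[i] != 0x01:
        raise ValueError("unsupported NPDU version")
    ctrl, i = frame[i + 1], i + 2
    if ctrl & 0x80:
        raise ValueError("network-layer message, no APDU")
    if ctrl & 0x20:                   # DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + frame[i + 2]
    if ctrl & 0x08:                   # SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + frame[i + 2]
    if ctrl & 0x20:
        i += 1                        # hop count follows whenever DNET is present
    pdu_type, segmented = frame[i] >> 4, bool(frame[i] & 0x08)
    if pdu_type == PDU_CONFIRMED_REQ:  # flags, max-segs/max-apdu, invoke id, service
        invoke, i = frame[i + 2], i + 3
    elif pdu_type == PDU_COMPLEX_ACK:  # flags, invoke id, service
        invoke, i = frame[i + 1], i + 2
    else:
        return BacnetMsg(pdu_type, -1)
    if segmented:
        i += 2                        # sequence number, proposed window size
    msg = BacnetMsg(pdu_type, frame[i], invoke)
    if msg.service in (ATOMIC_READ_FILE, ATOMIC_WRITE_FILE):
        _stream_access(frame, i + 1, msg)
    return msg

def audit(flows, allowed_file_writers):
    """Detection rule over (src, dst, payload) tuples: file writes from unapproved hosts
    and file-read replies whose contents any sniffer on the segment has now captured."""
    findings = []
    for src, dst, frame in flows:
        m = decode(frame)
        n = len(m.file_data or b"")
        if m.service == ATOMIC_WRITE_FILE and m.pdu_type == PDU_CONFIRMED_REQ and src not in allowed_file_writers:
            findings.append(f"{src}->{dst}: atomicWriteFile from unapproved host, {n} bytes at offset {m.file_start}")
        elif m.service == ATOMIC_READ_FILE and m.pdu_type == PDU_COMPLEX_ACK:
            findings.append(f"{src}->{dst}: atomicReadFile reply exposed {n} bytes in cleartext")
    return findings

# Constructed sample frames with hypothetical contents (not from any real capture)
WRITE_REQ = (bytes.fromhex("810A0021" "0104" "00052A07" "C402800001" "0E" "3100" "650C")
             + b"setpoint=72\n" + b"\x0F")   # AtomicWriteFile to file 1 at offset 0
READ_ACK = (bytes.fromhex("810A0017" "0100" "302B06" "11" "0E" "320400" "6506")
            + b"FWv2.1" + b"\x0F")            # AtomicReadFile-ACK, EOF, data at offset 1024
READ_PROP = bytes.fromhex("810A0011" "0104" "0005010C" "0C00800001" "1955")  # ReadProperty
```

Fed from a mirror port through any pcap reader, `audit()` is the baseline rule a NIDS would apply; it also makes the remediation case concrete, since after a BACnet/SC migration the same bytes sit inside TLS and are invisible both to an eavesdropper and to this decoder.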
Monitoring Recommendations
- Enable detailed logging of all BACnet device communications and configuration changes
- Monitor network switches for port mirroring configurations that were not administratively authorized
- Establish alerts for new MAC addresses appearing on protected OT network segments
- Review WebCTRL update logs for unexpected or unauthorized update activity
How to Mitigate CVE-2026-24060
Immediate Actions Required
- Segment BACnet networks from corporate IT networks using firewalls and VLANs
- Implement network access controls to restrict which systems can communicate with building automation controllers
- Deploy VPN or encrypted tunnels for any BACnet communications traversing untrusted network segments
- Conduct a network assessment to identify all BACnet-enabled devices and their communication paths
Patch Information
Refer to the CISA ICS Advisory ICSA-26-078-08 for the latest vendor remediation guidance. Organizations should also review the Automated Logic Security Commitment page for updates and security best practices. Additional technical details are available in the GitHub CSAF Document.
Workarounds
- Move to BACnet Secure Connect (BACnet/SC) where devices support it; BACnet/SC carries BACnet over TLS 1.3 with certificate-based mutual authentication, which provides both the confidentiality and the integrity that BACnet/IP lacks. Controllers that only speak BACnet/IP need a BACnet/SC hub or router in front of them, and the legacy BACnet/IP hop behind that device remains cleartext.
- Deploy network-level encryption using IPsec between BACnet network segments
- Restrict physical and logical access to network infrastructure carrying BACnet traffic
- Consider implementing application-layer firewalls capable of deep packet inspection for BACnet protocol filtering
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.