
CVE-2026-32666: WebCTRL BACnet Auth Bypass Vulnerability

CVE-2026-32666 is an authentication bypass flaw in WebCTRL's handling of the BACnet protocol that allows attackers to spoof packets without authentication. This article covers the technical details, affected systems, and mitigation steps.

Published: March 27, 2026

CVE-2026-32666 Overview

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic, allowing an attacker with network access to spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate, enabling unauthorized manipulation of building automation systems.

Critical Impact

Attackers with network access can spoof BACnet packets to manipulate building automation controllers, potentially compromising HVAC, lighting, and access control systems without authentication.

Affected Products

  • WebCTRL Building Automation System
  • AutomatedLogic Controllers (BACnet-enabled)
  • BACnet-connected Building Management Systems

Discovery Timeline

  • 2026-03-21 - CVE-2026-32666 published to NVD
  • 2026-03-23 - Last updated in NVD database

Technical Details for CVE-2026-32666

Vulnerability Analysis

This vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing), which occurs when the product does not properly authenticate packets before processing them. The BACnet protocol, widely used in building automation and control networks, was designed without native network layer authentication mechanisms. WebCTRL, a building automation system developed by Automated Logic, inherits this fundamental protocol weakness and does not implement compensating controls to validate the authenticity of incoming BACnet traffic.

The vulnerability enables attackers to craft and inject malicious BACnet packets that appear legitimate to the WebCTRL server and connected controllers. Since no cryptographic verification or source validation is performed, these spoofed packets are processed as if they originated from authorized sources.

Root Cause

This vulnerability stems from the BACnet protocol's design, which lacks built-in authentication at the network layer. WebCTRL's implementation does not add supplementary validation mechanisms to compensate for this protocol-level deficiency. This architectural gap allows any network-accessible attacker to send arbitrary BACnet commands without proving their identity or authorization.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker positioned on the same network segment as the WebCTRL server or AutomatedLogic controllers can:

  1. Capture legitimate BACnet traffic to understand the communication patterns
  2. Craft spoofed BACnet packets targeting specific controllers or the WebCTRL server
  3. Inject these packets into the network, where they are accepted and processed as legitimate commands
  4. Manipulate building automation parameters such as temperature setpoints, access controls, lighting schedules, or alarm configurations

The attack can be executed remotely if the BACnet network is exposed to untrusted networks. The vulnerability has a high integrity impact: attackers can modify critical building automation configurations without triggering authentication failures or alerts.

Detection Methods for CVE-2026-32666

Indicators of Compromise

  • Unexpected BACnet packets originating from unauthorized IP addresses or MAC addresses on the network
  • Configuration changes to building automation parameters without corresponding legitimate administrative actions
  • Anomalous BACnet traffic patterns, including unusual command sequences or communication with previously unseen source addresses
  • Log entries showing controller state changes that do not correlate with scheduled operations or user activity

Detection Strategies

  • Deploy network intrusion detection systems (IDS) with BACnet protocol awareness to identify anomalous or malformed packets
  • Implement network segmentation monitoring to detect unauthorized devices communicating over BACnet ports (UDP 47808)
  • Configure SIEM rules to correlate building automation configuration changes with authenticated administrative sessions
  • Monitor for BACnet traffic from unexpected network segments or external IP addresses

Monitoring Recommendations

  • Enable detailed logging on WebCTRL servers and AutomatedLogic controllers to capture all BACnet transactions
  • Establish baseline BACnet communication patterns and alert on deviations from normal traffic profiles
  • Implement real-time monitoring of critical building automation setpoints and configurations for unauthorized modifications
  • Consider deploying deep packet inspection (DPI) solutions capable of parsing BACnet/IP traffic
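
As an added example (not code from the vendor or the advisory), the following Python parses BACnet/IP headers and reports state-changing confirmed requests such as WriteProperty that arrive from outside a trusted subnet, which is the kind of check the detection and monitoring items above call for. The sample datagrams, the source addresses, and the reuse of 192.168.10.0/24 as the trusted range are constructed for illustration.

```python
import ipaddress

# Confirmed-service choices that change controller state (ASHRAE 135 numbering).
STATE_CHANGING = {7: "AtomicWriteFile", 10: "CreateObject", 11: "DeleteObject",
                  15: "WriteProperty", 16: "WritePropertyMultiple",
                  17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
# NPDU offset per BVLL function; 0x04 (Forwarded-NPDU) carries a 6-byte origin first.
NPDU_OFFSET = {0x04: 10, 0x09: 4, 0x0A: 4, 0x0B: 4}

def confirmed_service(payload: bytes):
    """Return the confirmed-service choice of a BACnet/IP datagram, or None."""
    if len(payload) < 4 or payload[0] != 0x81:        # 0x81 = BVLL for BACnet/IP
        return None
    off = NPDU_OFFSET.get(payload[1])
    if off is None or int.from_bytes(payload[2:4], "big") != len(payload):
        return None                                   # no NPDU, or bad length field
    try:
        ctrl = payload[off + 1]                       # NPDU: version, then control
        off += 2
        if ctrl & 0x80:                               # network-layer message, no APDU
            return None
        if ctrl & 0x20:                               # DNET(2) DLEN(1) DADR(DLEN)
            off += 3 + payload[off + 2]
        if ctrl & 0x08:                               # SNET(2) SLEN(1) SADR(SLEN)
            off += 3 + payload[off + 2]
        if ctrl & 0x20:                               # hop count follows the addresses
            off += 1
        if payload[off] >> 4 != 0:                    # PDU type 0 = Confirmed-Request
            return None
        # Segmented requests carry two extra header bytes before the service choice.
        return payload[off + 5] if payload[off] & 0x08 else payload[off + 3]
    except IndexError:                                # truncated datagram
        return None

def audit(datagrams, trusted_net):
    """Return (source, service) for state-changing requests from outside trusted_net."""
    net = ipaddress.ip_network(trusted_net)
    return [(src, STATE_CHANGING[svc]) for src, payload in datagrams
            if (svc := confirmed_service(payload)) in STATE_CHANGING
            and ipaddress.ip_address(src) not in net]

def sample_datagram(func, body_hex):                  # builds constructed test input
    body = bytes.fromhex(body_hex)
    return bytes([0x81, func]) + (4 + len(body)).to_bytes(2, "big") + body

WRITE = "0104 0005010f 0c00800001 1955 3e4442900000 3f 4908"  # WriteProperty request
# Constructed (UDP source, payload) samples; addresses are illustrative only.
SAMPLE = [("192.168.10.5", sample_datagram(0x0A, WRITE)),
          ("10.20.30.40", sample_datagram(0x0A, WRITE)),
          ("10.20.30.40", sample_datagram(0x0A, "0104 0005020c 0c00800001 1955")),
          ("10.20.30.40", sample_datagram(0x0B, "0120ffff00ff 1008"))]  # Who-Is
ALERTS = audit(SAMPLE, "192.168.10.0/24")
```

Because a host on the same segment can forge the UDP source address itself, this check complements the segmentation controls described on this page rather than replacing them.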

How to Mitigate CVE-2026-32666

Immediate Actions Required

  • Isolate BACnet networks from general IT networks using firewalls and VLANs with strict access control lists
  • Audit all network paths to BACnet infrastructure and remove unnecessary connectivity to untrusted networks
  • Implement network access control (NAC) to restrict which devices can communicate on BACnet network segments
  • Review and harden firewall rules to block BACnet traffic (UDP port 47808) from unauthorized sources

Patch Information

Consult Automated Logic's official security resources for available updates and guidance. Refer to the CISA ICS Advisory ICSA-26-078-08 for official vulnerability details and the Automated Logic Security Commitment page for vendor security information and potential patches.

Workarounds

  • Implement strict network segmentation to ensure BACnet traffic is confined to isolated, trusted network zones
  • Deploy a BACnet-aware firewall or application layer gateway to validate and filter incoming BACnet commands
  • Use VPN tunnels with strong authentication for any remote access to building automation networks
  • Consider implementing BACnet Secure Connect (BACnet/SC) where supported, which provides TLS-based authentication and encryption
  • Conduct regular security assessments of building automation infrastructure to identify and remediate exposure risks

```bash
# Network segmentation example - iptables rules to restrict BACnet traffic
# Allow BACnet only from trusted management VLAN (192.168.10.0/24)
iptables -A INPUT -p udp --dport 47808 -s 192.168.10.0/24 -j ACCEPT

# Log BACnet packets from any other source for monitoring.
# LOG is non-terminating, so it must come before the DROP rule to ever match.
iptables -A INPUT -p udp --dport 47808 -j LOG --log-prefix "BACnet-BLOCKED: "
iptables -A INPUT -p udp --dport 47808 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Webctrl
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.05%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-290

Technical References

  • GitHub CSAF JSON Document
  • Automated Logic Security Commitment
  • CISA ICS Advisory ICSA-26-078-08

Related CVEs

  • CVE-2026-25086: WebCTRL Auth Bypass Vulnerability
  • CVE-2025-14295: WebCTRL/i-Vu Password Storage Vulnerability