claroty.com
Critical Vulnerabilities in EnOcean SmartServer Expose Building Management Systems to Attacks
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Two critical vulnerabilities, CVE-2026-20761 and CVE-2026-22885, were discovered in EnOcean's SmartServer IoT platform, affecting versions 4.60.009 and earlier. CVE-2026-20761 allows remote attackers to execute arbitrary commands on devices via crafted LON IP-852 messages, with a CVSS score of 8.1. CVE-2026-22885 enables attackers to bypass ASLR protections and leak memory, scoring 3.7 on the CVSS scale. Successful exploitation of these vulnerabilities could grant attackers full control over building management systems and legacy i.LON devices, impacting critical infrastructure such as HVAC and power systems. EnOcean has released mitigations and recommends users update to SmartServer 4.6 Update 2 (v4.60.023). The vulnerabilities were published on February 20, 2026, and pose significant risks to facilities using affected systems. The research highlights the dangers of legacy protocols being retrofitted for modern IoT applications.
Key Points: • CVE-2026-20761 allows remote code execution on EnOcean devices without prior authentication. • CVE-2026-22885 can leak memory and bypass ASLR protections, increasing attack vectors. • EnOcean recommends immediate software updates to mitigate these vulnerabilities.