Critical Vulnerabilities in EnOcean SmartServer Expose Building Management Systems to Attacks

Critical Vulnerabilities in EnOcean SmartServer Expose Building Management Systems to Attacks

First seen 30 Apr 2026, 13:56 UTC Industrialcyber.Coclaroty.comScworld 89% similarity 72.0

Article Content

Browse articles
ThreatCluster

Two critical vulnerabilities, CVE-2026-20761 and CVE-2026-22885, were discovered in EnOcean's SmartServer IoT platform, affecting versions 4.60.009 and earlier. CVE-2026-20761 allows remote attackers to execute arbitrary commands on devices via crafted LON IP-852 messages, with a CVSS score of 8.1. CVE-2026-22885 enables attackers to bypass ASLR protections and leak memory, scoring 3.7 on the CVSS scale. Successful exploitation of these vulnerabilities could grant attackers full control over building management systems and legacy i.LON devices, impacting critical infrastructure such as HVAC and power systems. EnOcean has released mitigations and recommends users update to SmartServer 4.6 Update 2 (v4.60.023). The vulnerabilities were published on February 20, 2026, and pose significant risks to facilities using affected systems. The research highlights the dangers of legacy protocols being retrofitted for modern IoT applications.

Key Points: • CVE-2026-20761 allows remote code execution on EnOcean devices without prior authentication. • CVE-2026-22885 can leak memory and bypass ASLR protections, increasing attack vectors. • EnOcean recommends immediate software updates to mitigate these vulnerabilities.

ThreatCluster AI

Timeline

2026-02-20
CVE-2026-20761 and CVE-2026-22885 published
2026-04-30
Claroty reports on vulnerabilities and recommends updates
2026-04-30
EnOcean issues mitigations for identified vulnerabilities

Community

Browse all →