Critical Vulnerabilities in EnOcean SmartServer Expose Building Management Systems to Attacks

Severity: High (Score: 72.0)

Sources: Industrialcyber.Co, claroty.com

Summary

Two critical vulnerabilities, CVE-2026-20761 and CVE-2026-22885, were discovered in EnOcean's SmartServer IoT platform, affecting versions 4.60.009 and earlier. CVE-2026-20761 allows remote attackers to execute arbitrary commands on devices via crafted LON IP-852 messages and carries a CVSS score of 8.1. CVE-2026-22885 enables attackers to bypass ASLR protections and leak memory, scoring 3.7 on the CVSS scale. Successful exploitation of these vulnerabilities could grant attackers full control over building management systems and legacy i.LON devices, impacting critical infrastructure such as HVAC and power systems. EnOcean has released mitigations and recommends that users update to SmartServer 4.6 Update 2 (v4.60.023). The vulnerabilities were published on February 20, 2026, and pose significant risks to facilities using affected systems. The research highlights the dangers of legacy protocols being retrofitted for modern IoT applications.

Key Points

  • CVE-2026-20761 allows remote code execution on EnOcean devices without prior authentication.
  • CVE-2026-22885 can leak memory and bypass ASLR protections, widening the available attack vectors.
  • EnOcean recommends immediate software updates to mitigate these vulnerabilities.

Key Entities

  • Zero-day Exploit (attack_type)
  • Echelon (company)
  • EnOcean (company)
  • CVE-2026-20761 (cve)
  • CVE-2026-22885 (cve)
  • CWE-120 - Classic Buffer Overflow (cwe)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-20 - Improper Input Validation (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • liblonstack.so (domain)
  • Manufacturing (industry)
  • T1021 - Remote Services (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • Linux (platform)
  • Netcat (tool)