8.1

EnOcean SmartServer IoT 4.60.009 and prior: Remote Code Execution

CVE-2026-20761
Summary

Attackers can send malicious messages to EnOcean SmartServer IoT devices, potentially allowing them to run unauthorized commands on the device. This could lead to unauthorized access or disruption of the device's functionality. Update to the latest version of the software to protect your device.

Original title
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages ...
Original description
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and
prior, which would allow remote attackers, in the LON IP-852 management
messages, to send specially crafted IP-852 messages resulting in
arbitrary OS command execution on the device.
NVD CVSS 3.1: 8.1
Vulnerability type
CWE-77 Command Injection
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026