Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.1
WebCTRL sends unencrypted sensitive data over the network
CVE-2026-24060
Summary
The WebCTRL system sends sensitive information, such as file position and data, without encryption when transmitting updates over the network. This means an unauthorized person with access to the network can intercept and modify this data. You should review your network security measures to ensure that sensitive data is properly protected.
Original title
Service information is not encrypted when transmitted as BACnet packets
over the wire, and can be sniffed, intercepted, and modified by an
attacker. Valuable information such as the File Start Po...
Original description
Service information is not encrypted when transmitted as BACnet packets
over the wire, and can be sniffed, intercepted, and modified by an
attacker. Valuable information such as the File Start Position and File
Data can be sniffed from network traffic using Wireshark's BACnet
dissector filter. The proprietary format used by WebCTRL to receive
updates from the PLC can also be sniffed and reverse engineered.
over the wire, and can be sniffed, intercepted, and modified by an
attacker. Valuable information such as the File Start Position and File
Data can be sniffed from network traffic using Wireshark's BACnet
dissector filter. The proprietary format used by WebCTRL to receive
updates from the PLC can also be sniffed and reverse engineered.
nvd CVSS3.1
9.1
Vulnerability type
CWE-319
Cleartext Transmission of Sensitive Information
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026