What is CVE-2026-32666?

CVE-2026-32666 is a high-severity vulnerability in Automated Logic Webctrl Premium Server, classified under Authentication Bypass by Spoofing. CVSS score: 7.5/10. Published 2026-03-20.

How severe is CVE-2026-32666?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Automated Logic Webctrl Premium Server

CVE-2026-32666

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets d…

EPSS: 0.001 (23.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Automated Logic Webctrl Premium Server — versions 0

Weakness classification (CWE)

CWE-290 — Authentication Bypass by Spoofing

References

www.automatedlogic.com/en/company/security-commitment/
www.cisa.gov/news-events/ics-advisories/icsa-26-078-08
github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.js…

Frequently asked questions

What is CVE-2026-32666?: CVE-2026-32666 is a high-severity vulnerability in Automated Logic Webctrl Premium Server, classified under Authentication Bypass by Spoofing. CVSS score: 7.5/10. Published 2026-03-20.
How severe is CVE-2026-32666?: High severity. CVSS v3 base score is 7.5 out of 10.