{"cve":{"cve_id":"CVE-2026-24060","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.002,"epss_percentile":0.09804,"epss_as_of":"2026-06-23","description":"Service information is not encrypted when transmitted as BACnet packets \nover the wire, and can be sniffed, intercepted, and modified by an \nattacker. Valuable information such as the File Start Position and File \nData can be sniffed from network traffic using Wireshark's BACnet \ndissector filter. The proprietary format used by WebCTRL to receive \nupdates from the PLC can also be sniffed and reverse engineered.","published_at":"2026-03-20T23:19:05.223000Z","last_modified_at":null,"cvss_v3_score":9.1,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","cvss_v3_severity":"CRITICAL","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-319"],"nvd_references":["https://www.automatedlogic.com/en/company/security-commitment/","https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08","https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:29:19.246381Z"},"effective_severity":"CRITICAL","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"automated-logic","vendor_name":"Automated Logic","product_slug":"webctrl-premium-server","product_name":"WebCTRL Premium Server","version_start":"0","version_start_inclusive":true,"version_end":"v8.5","version_end_inclusive":false,"cpe23_uri":"cve5:automated-logic:webctrl-premium-server:0:v8.5"}],"exploit_refs":[],"news":[],"references":[{"url":"https://www.automatedlogic.com/en/company/security-commitment/","source_type":"MISC","tags":["patch"]},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-08","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-03-20T23:19:05.223000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:51:54.153642Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:51:54.153642Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:51:54.153642Z","label":"CVSS score revised","source":"cvelistv5"}]}