Security researchers at Claroty have uncovered serious vulnerabilities in the SmartServer IoT platform developed by EnOcean, raising concerns about the safety of internet-connected building management systems. These findings highlight growing risks within operational technology environments, especially as more infrastructure becomes digitally connected.

To begin with, the researchers identified two key vulnerabilities affecting SmartServer IoT version 4.60.009 and earlier, along with legacy i.LON devices linked through the platform. Notably, attackers could exploit these flaws to bypass memory protections, leak sensitive data, and execute unauthorized commands on targeted systems.

The first and more severe flaw, tracked as CVE-2026-20761, carries a CVSS score of 8.1. It enables remote attackers to send specially crafted LON IP-852 messages that trigger arbitrary command execution. Specifically, the issue arises due to improper input validation in a system function responsible for timezone configuration. As a result, attackers can inject malicious commands through manipulated packets, which the system then executes with root-level privileges on the underlying Linux environment.

Meanwhile, the second vulnerability, CVE-2026-22885, has a lower CVSS score of 3.7 but still presents a notable risk. This flaw allows attackers to bypass address space layout randomisation (ASLR) protections and access sensitive memory by sending crafted IP-852 messages. Although less critical on its own, it becomes significantly more dangerous when combined with the first vulnerability.

Furthermore, the attack mechanism relies heavily on IP-852 messaging, a protocol widely used in LonWorks-based building automation systems. Threat actors can exploit this communication channel to manipulate how SmartServer processes configuration and time synchronization data. In some cases, attackers may first extract configuration details from the system before launching further attacks using messages that appear to come from trusted sources. Alternatively, they may exploit packet parsing weaknesses to leak memory data and bypass security defenses.

When attackers chain these vulnerabilities together, they significantly increase their chances of achieving full system compromise. Consequently, this could allow unauthorized access and control over critical infrastructure systems.

The potential impact is substantial. Affected systems typically manage essential building operations such as heating, ventilation, lighting, power distribution, and access control. Therefore, a successful attack could disrupt operations, manipulate environmental controls, or enable lateral movement across connected networks. In high-risk environments like manufacturing facilities, defense infrastructure, and data centers, such compromises could lead to severe operational and security consequences.

Additionally, these findings underscore broader concerns about the security posture of building management systems. Many such systems remain exposed to vulnerabilities, making them attractive targets for cyber attackers seeking entry into larger enterprise networks.

In response, EnOcean has released fixes in SmartServer version 4.60.023 and later. Organizations are strongly encouraged to upgrade their systems promptly and evaluate network exposure, particularly where IP-852 messaging is active. Since building management systems often bridge IT and operational technology environments, patching may require coordinated efforts across multiple teams, including facility managers, contractors, and cybersecurity professionals.

“Users are advised to update the SmartServer platform software to SmartServer 4.6 Update 2 (v4.60.023) or later,” the researchers said.
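As an added defender-side example (not code from Claroty or EnOcean), the following Python helper triages a SmartServer inventory against the two version thresholds the article states and flags units that also expose the IP-852 channel. It assumes asset records as simple dicts with "host", "version" and "listeners" ("proto/port") entries, and assumes the IP-852 (EIA-852) data channel listens on UDP port 1628, its registered default; both are assumptions, not details from the article.

```python
AFFECTED_MAX = (4, 60, 9)    # article: 4.60.009 and earlier is affected
FIXED_MIN = (4, 60, 23)      # article: fixed in 4.60.023 and later
IP852_LISTENER = "udp/1628"  # assumption: default EIA-852 data port

def parse_version(text):
    """'4.60.009' -> (4, 60, 9); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SmartServer version: {text!r}")
    return tuple(int(p) for p in parts)

def version_status(text):
    """Classify a version against the advisory's two stated thresholds."""
    v = parse_version(text)
    if v >= FIXED_MIN:
        return "fixed"
    if v <= AFFECTED_MAX:
        return "affected"
    return "unverified"  # 4.60.010..4.60.022: not covered by the advisory wording

def triage(assets):
    """One finding per asset (hypothetical record layout), most urgent first."""
    findings = []
    for asset in assets:
        exposed = IP852_LISTENER in asset.get("listeners", [])
        try:
            status = version_status(asset["version"])
        except ValueError:
            status = "unparsed"
        if status == "fixed":
            priority = "ok"
        elif status == "affected" and exposed:
            priority = "urgent"  # vulnerable and reachable over the attack channel
        elif status == "affected":
            priority = "patch"   # vulnerable, but IP-852 is not listening
        else:
            priority = "review"  # unverified or unparsed version: confirm by hand
        findings.append({"host": asset["host"], "status": status,
                         "ip852_exposed": exposed, "priority": priority})
    return sorted(findings, key=lambda f: ("urgent", "review", "patch", "ok").index(f["priority"]))

# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = [
    {"host": "bms-hq-01", "version": "4.60.009", "listeners": ["tcp/443", "udp/1628"]},
    {"host": "bms-plant-02", "version": "4.60.005", "listeners": ["tcp/443"]},
    {"host": "bms-dc-03", "version": "4.60.023", "listeners": ["tcp/443", "udp/1628"]},
    {"host": "bms-lab-04", "version": "4.60.015", "listeners": ["udp/1628"]},
]
```

Legacy i.LON devices linked through the platform carry no SmartServer version string and are not covered by this check; they need a separate review of exposure and vendor guidance.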
