Full Report
Claroty’s threat research team, Team82, uncovered two vulnerabilities in EnOcean’s SmartServer IoT platform affecting version 4.60.009 and earlier.... The post Research finds EnOcean SmartServer vulnerabilities could let attackers take over BMS and IoT devices appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: EnOcean SmartServer IoT Remote Code Execution and Information Disclosure
## CVE Details
- **CVE ID:** CVE-2026-20761
- **CVSS Score:** 8.1 (High)
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command / Command Injection)
- **CVE ID:** CVE-2026-22885
- **CVSS Score:** 3.7 (Low)
- **CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) / ASLR Bypass
## Affected Systems
- **Products:** EnOcean SmartServer IoT platform; legacy i.LON devices.
- **Versions:** Version 4.60.009 and earlier.
- **Configurations:** Devices with LON IP-852 packets enabled and exposed to network traffic.
## Vulnerability Description
Claroty Team82 identified two flaws in the implementation of the CEA-852 standard within the `libLonStack.so` library:
1. **CVE-2026-20761 (Command Injection):** The function `LtSetTimeZone` constructs a shell command using a user-supplied timezone string. The platform fails to properly validate or quote this input before passing it to the `system()` function. An attacker can inject malicious shell commands via a crafted Echelon proprietary IP-852 packet used for timezone settings, leading to execution with root-level privileges.
2. **CVE-2026-22885 (Information Disclosure):** Attackers can send crafted IP-852 messages to leak memory contents. This allows for the bypass of Address Space Layout Randomization (ASLR), facilitating further exploitation.
Notably, the vulnerable `LtSetTimeZone` function is present in the compiled binary but absent from the vendor's open-source GitHub repository, so an audit of the published source alone would not reveal it; binary analysis of `libLonStack.so` is required.
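The following is an added illustration, not EnOcean's code and not a reconstruction of `LtSetTimeZone`: it contrasts the unsafe pattern the description attributes to the library (splicing an unvalidated timezone string into a `system()` command line) with a hardened version that allowlists the zone name and executes the helper without a shell. The function names, the `/usr/bin/set-timezone` path and the allowlist rules are assumptions made for the example.

```c
/* Added example; all names below are assumptions, not the vendor's API. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define TZ_MAX 64

/* UNSAFE pattern (for contrast only): the caller-controlled string is pasted
 * into a shell command line, so any shell metacharacters it carries are
 * interpreted by /bin/sh with the privileges of this process. */
int set_timezone_unsafe(const char *tz)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "set-timezone %s", tz); /* no validation, no quoting */
    return system(cmd);                                 /* shell parses tz */
}

/* Allowlist for IANA-style zone names such as "Europe/Berlin", "Etc/GMT+2"
 * or "UTC": rejects empty or overlong input, a leading '/', ".." segments,
 * and every character outside [A-Za-z0-9/_+.-], which excludes all shell
 * metacharacters, whitespace and quotes. */
bool tz_name_is_valid(const char *tz)
{
    size_t n = strnlen(tz, TZ_MAX + 1);
    if (n == 0 || n > TZ_MAX || tz[0] == '/' || strstr(tz, "..") != NULL)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tz[i];
        if (!(isalnum(c) || c == '/' || c == '_' || c == '-' || c == '+' || c == '.'))
            return false;
    }
    return true;
}

/* Hardened pattern: validate first, then exec the helper with an argv array.
 * No shell is involved, so the string can only ever be a single argument.
 * Returns -1 on rejection or process failure, else the helper's exit code. */
int set_timezone_safe(const char *tz)
{
    if (!tz_name_is_valid(tz))
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/usr/bin/set-timezone", "set-timezone", tz, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A validator like this is also a useful reference when writing a network detection rule: any timezone value in an IP-852 configuration message that would fail it is malformed and worth alerting on.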
## Exploitation
- **Status:** Proof-of-concept exploit developed by Claroty Team82; no reports of active exploitation in the wild at the time of the report.
- **Complexity:** Medium (requires knowledge of proprietary IP-852 packet structures).
- **Attack Vector:** Network (Unauthenticated/Pre-auth).
## Impact
- **Confidentiality:** High (Root access and memory leakage).
- **Integrity:** High (Ability to control BMS logic and modify system calls).
- **Availability:** High (Potential to disrupt HVAC, power, and environmental systems).
## Remediation
### Patches
- **SmartServer 4.6 Update 2 (v4.60.023):** Users are strongly advised to upgrade to this version or later to resolve both vulnerabilities.
### Workarounds
- Disable IP-852 packet handling if not required.
- Isolate SmartServer IoT devices from the public internet using firewalls or VPNs.
- Restrict access to the IP-852 port to trusted management stations only.
## Detection
- **Indicators of Compromise:** Monitor for unusual shell commands involving the `set-timezone` binary or the `which` command.
- **Detection Methods:** Inspect network traffic for malformed or unauthorized Echelon proprietary IP-852 packets, specifically those targeting timezone configuration parameters.
## References
- **Vendor Advisory:** EnOcean SmartServer 4.6 Update 2 release notes.
- **Claroty Team82 Research:** hxxps[://]claroty[.]com/team82/research/exploiting-enocean-smartserver-to-attack-connected-building-management-systems
- **Disclosure Dashboard:** hxxps[://]claroty[.]com/team82/disclosure-dashboard/cve-2026-20761