CVE-2026-20761

Published Feb 20, 2026

Last updated 2 days ago

CVSS high 8.1
ICS

Overview

Description
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device.
Source
ics-cert@hq.dhs.gov
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

ics-cert@hq.dhs.gov
CWE-77

Social media

Hype score
Not currently trending

Related CVEs

  1. CVE-2024-10085
  2. OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.CVE-2026-35063
  3. A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory.CVE-2026-22885
  4. An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.CVE-2026-24789
  5. Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs.CVE-2026-25084

References

Sources include official advisories and independent security research.