CVE-2026-22885

Published Feb 20, 2026

Last updated 2 days ago

CVSS low 3.7
ICS

Overview

Description
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory.
Source
ics-cert@hq.dhs.gov
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.7
Impact score
1.4
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
LOW

Weaknesses

ics-cert@hq.dhs.gov
CWE-125

Social media

Hype score
Not currently trending

Related CVEs

  1. CVE-2024-10085
  2. OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.CVE-2026-35063
  3. A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device.CVE-2026-20761
  4. An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.CVE-2026-24789
  5. Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs.CVE-2026-25084

References

Sources include official advisories and independent security research.