May 23, 2026

EnOcean SmartServer CVE-2026-20761 Opens Buildings to Remote Takeover


Two vulnerabilities discovered by Claroty’s Team82 in the EnOcean SmartServer IoT platform can be chained to achieve unauthenticated remote code execution on devices managing building automation systems — including HVAC, lighting, and energy controls. CVE-2026-20761 (CVSS 8.1) allows arbitrary OS command execution via malformed IP-852 messages; CVE-2026-22885 (CVSS 3.7) bypasses ASLR and leaks memory to make exploitation reliable. Both affect SmartServer IoT versions up to and including 4.60.009, and patches are available in version 4.60.023.

// 01 CVE-2026-20761: What We Know So Far

Claroty Team82 researchers identified the vulnerabilities in the EnOcean SmartServer IoT, a widely deployed edge gateway used in building management systems (BMS) to bridge LonWorks-based sensors and controllers with BACnet, Modbus, and IP networks.

CVE-2026-20761 targets the device’s LON IP-852 protocol handler. An unauthenticated remote attacker can send a specially crafted IP-852 message that triggers arbitrary operating system command execution. The flaw exists in how the SmartServer firmware processes malformed time-synchronization and configuration messages on the LonWorks channel — a network path that is often accessible from the building’s LAN segment without authentication. CVSS v3 score: 8.1 (High).

CVE-2026-22885 is a lower-severity companion flaw (CVSS 3.7) that also exploits crafted IP-852 messages to bypass Address Space Layout Randomization (ASLR) and disclose memory contents. On its own it does not execute code, but it is the essential prerequisite for the chain: an attacker first uses CVE-2026-22885 to leak memory addresses and defeat ASLR, then delivers a reliable RCE payload via CVE-2026-20761 at a predictable address. Chained, the two flaws allow an attacker who is network-adjacent, or remote where the device is internet-facing, to fully compromise a SmartServer with root-level access.

CISA issued advisory ICSA-26-050-01 on February 19, 2026, coinciding with EnOcean's coordinated disclosure. Claroty has now published technical details on its Team82 disclosure dashboard for CVE-2026-20761 and CVE-2026-22885, making the attack mechanics more accessible to both defenders and potential threat actors.

No public proof-of-concept exploit code has been released at time of writing. No confirmed in-the-wild exploitation has been reported by CISA or EnOcean.

// 02 Why CVE-2026-20761 Matters

The EnOcean SmartServer IoT is a critical junction point in building management infrastructure. It speaks multiple OT protocols — LonWorks, BACnet/IP, BACnet MS/TP, Modbus RTU, Modbus TCP — and aggregates sensors covering HVAC, energy metering, lighting, access control, and environmental monitoring. A compromised SmartServer gives an attacker operational authority over a building’s physical systems.

Consequences of a successful compromise include:

  • Altering HVAC set points to create unsafe temperature conditions in server rooms, pharmaceutical cold storage, or hospital patient areas
  • Manipulating energy management schedules to cause equipment overloads or unplanned downtime
  • Lateral movement to other OT/IoT devices and backend BMS servers on the same network segment
  • Exfiltration of building occupancy data, sensor telemetry, and facility layout information useful for physical intrusion planning

The attack surface is broader than it appears. IP-852 is the IP tunneling protocol for LonWorks networks, and in many enterprise building installations the SmartServer’s management port is reachable from the corporate LAN or — in misconfigured deployments — directly from the internet. Facilities that integrate SmartServers into their BMS without proper network segmentation are at elevated risk.

// 03 CVE-2026-20761: What You Should Do Now

  1. Patch immediately. Update EnOcean SmartServer IoT to version 4.60.023 or later, which resolves both CVE-2026-20761 and CVE-2026-22885. Firmware version 4.7.0 also includes the fix. Verify the running version from the SmartServer web UI at http://<device-ip>/web or via the device CLI.
  2. Audit network exposure. Identify all SmartServer IoT devices in your environment. Confirm that management interfaces and IP-852 ports (UDP/TCP 1628) are not reachable from untrusted network segments or the internet.
  3. Segment the OT network. Place SmartServer devices behind a dedicated OT VLAN or DMZ. Restrict IP-852 traffic to known BMS hosts using firewall rules (deny all; permit src <BMS_host_IP> dst <SmartServer_IP> port 1628).
  4. Verify external exposure. Use Shodan, Censys, or your external attack surface management tool to confirm no SmartServer management interface is internet-facing. Search for "EnOcean SmartServer" port:1628 or the device’s web fingerprint.
  5. Review device logs. Examine SmartServer syslog output for unexpected process spawns or anomalous IP-852 traffic. Successful exploitation of CVE-2026-20761 would leave traces of unexpected child processes in the system log.

// 04 Detection and Verification Checklist

  • Confirm running firmware is ≥ 4.60.023 via the SmartServer web UI or CLI output.
  • Run nmap -sU -sT -p 1628 <smartserver-ip> from a test host outside the OT segment to verify that the IP-852 port is not accessible cross-segment.
  • Review perimeter firewall logs for inbound traffic to port 1628 from external IP ranges.
  • Audit syslog entries for unexpected process execution events since February 19, 2026 (original disclosure date).
  • Review the CISA ICS advisory ICSA-26-050-01 for vendor-supplied indicators of compromise and configuration guidance.
  • Monitor the Claroty Team82 disclosure pages for CVE-2026-20761 and CVE-2026-22885 — if a public PoC is published, escalate remediation priority to emergency.
  • Subscribe to EnOcean security notifications to receive future advisories directly.
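
One way to automate the firewall-log review from the checklist, as an added example that is not from Claroty, CISA, or EnOcean: it flags traffic to port 1628 on a SmartServer from any source other than an approved BMS host. The log lines are constructed in netfilter LOG style, and every address, the function name, and the parameter names are assumptions.

```python
import ipaddress
import re

IP852_PORT = 1628  # IP-852 port (UDP/TCP) named in the article

# Constructed sample lines in netfilter LOG style; all addresses are made up.
SAMPLE_LOG = """\
May 20 10:01:02 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.30.0.10 PROTO=UDP SPT=1628 DPT=1628
May 20 10:03:44 fw kernel: IN=eth0 OUT=eth2 SRC=203.0.113.50 DST=10.30.0.10 PROTO=UDP SPT=40112 DPT=1628
May 20 10:05:09 fw kernel: IN=eth1 OUT=eth2 SRC=10.40.7.23 DST=10.30.0.10 PROTO=TCP SPT=51514 DPT=1628
May 20 10:06:30 fw kernel: IN=eth1 OUT=eth2 SRC=10.40.7.23 DST=10.30.0.10 PROTO=TCP SPT=51600 DPT=443
""".splitlines()

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def audit_ip852(lines, smartservers, bms_hosts, internal_nets):
    """Return (source, destination, proto, verdict) for each IP-852 packet
    sent to a SmartServer by a host that is not an approved BMS peer."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for line in lines:
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue  # not a packet log line
        if f["DPT"] != str(IP852_PORT) or f["DST"] not in smartservers:
            continue  # other port, or not one of our SmartServers
        if f["SRC"] in bms_hosts:
            continue  # matches the "permit src <BMS_host_IP>" rule
        try:
            src = ipaddress.ip_address(f["SRC"])
        except ValueError:
            continue  # malformed address field
        # Inside our own address space means a segmentation gap;
        # anything else reached the device from outside the perimeter.
        verdict = "cross-segment" if any(src in n for n in nets) else "external"
        findings.append((f["SRC"], f["DST"], f["PROTO"], verdict))
    return findings


if __name__ == "__main__":
    for hit in audit_ip852(SAMPLE_LOG, {"10.30.0.10"}, {"10.20.0.5"}, ["10.0.0.0/8"]):
        print(hit)
```

An "external" verdict means the port is exposed beyond the perimeter; a "cross-segment" verdict points at missing OT segmentation.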

Sources: SecurityWeek, Claroty Team82 — CVE-2026-20761, Claroty Team82 — CVE-2026-22885, CISA ICSA-26-050-01

    Team Ciphers Security
