High

Pre-authenticated RCE in EnOcean SmartServer IoT LON IP-852 message handling

IdentifiersCVE-2026-20761CWE-77· Improper Neutralization of Special…

CVE-2026-20761 is a pre-authentication remote command execution vulnerability affecting EnOcean SmartServer IoT version 4.60.009 and earlier, and reportedly legacy i.LON devices implementing the same IP-852/LonTalk functionality. The flaw is in handling of LON IP-852 management messages, specifically the timezone-setting path. According to the provided analysis, the vulnerable function is LtSetTimeZone in libLonStack.so, which constructs a shell command from a supplied timezone string and invokes system() with root privileges. LtSetTimeZone is reached from LtIpMaster::doRFCin while processing the proprietary PKTTYPE_ECHCONFIG (0xF3) packet. By sending a specially crafted IP-852 management message containing a malicious timezone value, a remote attacker can inject shell metacharacters and cause arbitrary OS command execution on the device.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary OS command execution on the affected device. The provided context states this can yield full takeover of the Linux-based controller with root privileges, enabling compromise of building management and automation logic, disruption or manipulation of HVAC, power, and environmental systems, and potential lateral movement toward connected field devices. The issue is remotely exploitable and described as affecting internet-exposed devices with IP-852 enabled in particular.

Mitigation

If you can’t patch tonight, do this now.

Until patched, minimize or eliminate exposure of the LON IP-852 management interface to untrusted networks, especially the public internet. Restrict access to the IP-852 service to authorized management hosts only using network segmentation, firewalls, and allowlisting. Place control-system networks behind firewalls and isolate them from business networks. If remote administration is required, use secured VPN-based access rather than direct exposure. Monitor for anomalous or unexpected IP-852 management traffic, including crafted PKTTYPE_ECHCONFIG messages.

Remediation

Patch, then assume compromise.

Upgrade EnOcean SmartServer IoT to SmartServer 4.6 Update 2 (version 4.60.023) or later, which the provided content states addresses this vulnerability. Replace or otherwise remediate affected legacy i.LON devices if they share the vulnerable implementation and no supported fixed firmware is available. Validate that exposed IP-852 management functionality is updated across all deployed controllers.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

EnOceanSmartserver Iothardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

scworldNews

May 1, 2026

Remote building compromise likely with EnOcean SmartServer bugs | brief | SC Media

A remote code execution vulnerability affecting EnOcean SmartServer and outdated i.LON devices caused by improper validation of packet input, enabling attackers to control arguments passed to a built-in system call and achieve root-level arbitrary code execution.

claroty team82News

Apr 29, 2026

Exploiting EnOcean SmartServer to Attack Connected Building Management Systems | Claroty

A pre-auth remote code execution vulnerability in EnOcean SmartServer IoT and legacy i.LON devices caused by improper validation of a timezone value in crafted IP-852/Echelon configuration packets, allowing arbitrary command execution as root.

claroty team82News

Dec 20, 2024

Inside a New IoT/OT Cyberweapon: IOCONTROL | Claroty

A vulnerability in EnOcean SmartServer IoT (<= 4.60.009) where specially crafted LON IP-852 management messages can lead to arbitrary OS command execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-20761

NVD

nvd.nist.gov/vuln/detail/CVE-2026-20761

MITRE CWE · CWE-77

Improper Neutralization of Special Elements…

enoceanwiki.atlassian.net

enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes

enoceanwiki.atlassian.net

enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security

github.com

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-01.json

cisa.gov

cisa.gov/news-events/ics-advisories/icsa-26-050-01