Critical Flaws in EnOcean SmartServer IoT Enable Remote Code Execution

Two vulnerabilities in EnOcean SmartServer IoT (≤4.60.009) allow unauthenticated remote OS command execution (CVE-2026-20761, CVSS 8.1) and an out-of-bounds memory read (CVE-2026-22885, CVSS 3.7). Update to version 4.60.023 or later.

---
title: "Critical Flaws in EnOcean SmartServer IoT Enable Remote Code Execution"
short_title: "EnOcean SmartServer IoT critical vulnerabilities exposed"
description: "Two vulnerabilities in EnOcean SmartServer IoT let unauthenticated remote attackers execute OS commands (CVSS 8.1) or read device memory out of bounds (CVSS 3.7) via crafted LON IP-852 messages. Update to v4.60.023 or later."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [enocean, smartserver, iot, cve-2026-20761, cve-2026-22885, command injection]
score: 0.85
cve_ids: [CVE-2026-20761, CVE-2026-22885]
---

TL;DR

Two vulnerabilities in EnOcean SmartServer IoT (versions ≤4.60.009) allow an unauthenticated remote attacker to execute arbitrary OS commands (CVE-2026-20761, CVSS 8.1 High) or to read device memory out of bounds (CVE-2026-22885, CVSS 3.7 Low). Both are triggered by crafted LON IP-852 messages. Update to SmartServer 4.6 Update 2 (v4.60.023) or later.

---

Main Content

Introduction

EnOcean SmartServer IoT is a widely deployed edge device for smart building automation. Two vulnerabilities in it, discovered by Amir Zaltzman of Claroty Team82, allow a remote attacker to execute arbitrary commands on the device or to read memory beyond the intended buffer, which could compromise the building control network the device serves. With deployments spanning critical infrastructure sectors worldwide, the exposed population is large.

---

Key Points

- Two vulnerabilities affect EnOcean SmartServer IoT versions ≤4.60.009: one rated High (CVSS 8.1) and one rated Low (CVSS 3.7).
- CVE-2026-20761 is an OS command injection reachable through crafted LON IP-852 management messages; no authentication is required (PR:N), but attack complexity is high (AC:H).
- CVE-2026-22885 is an out-of-bounds read: crafted IP-852 messages make the device return memory contents it should not expose (limited confidentiality impact only).
- No public exploitation has been reported; the high attack complexity lowers the score but does not remove the urgency of patching an unauthenticated, network-reachable command injection.
- EnOcean has released SmartServer 4.6 Update 2 (v4.60.023) to address both flaws.

---

Technical Details

#### CVE-2026-20761: Command Injection Vulnerability
The device fails to neutralize special elements in LON IP-852 management messages before they reach an OS command. A remote attacker who can deliver such messages, without authentication, can inject and execute arbitrary OS commands on the device. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection") and has a CVSS v3.1 base score of 8.1 (High). The score stays below the Critical band only because of the high attack complexity (AC:H); the confidentiality, integrity and availability impacts are all rated High.

Vector String:
`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

#### CVE-2026-22885: Out-of-Bounds Read Vulnerability
Specially crafted IP-852 messages cause the device to read past the bounds of a buffer and return contents of process memory to the sender. This is an information disclosure, not a resource leak: the vector records a limited confidentiality impact (C:L) and no integrity or availability impact, so on its own it neither crashes the device nor alters data. Its value to an attacker lies in whatever the disclosed memory contains. The vulnerability is classified under CWE-125 (Out-of-Bounds Read) and has a CVSS v3.1 base score of 3.7 (Low).

Vector String:
`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N`

---

Impact Assessment

Exploitation of these vulnerabilities could have severe consequences for organizations relying on EnOcean SmartServer IoT for building automation:

- Remote Code Execution (RCE): CVE-2026-20761 gives an attacker OS-level control of the device, enabling them to disrupt the building systems it controls, read data that passes through it, or use it as a pivot into adjacent networks.
- Memory Disclosure: CVE-2026-22885 lets an attacker read device memory contents; the CVSS vector rates this as a limited confidentiality impact with no integrity or availability impact.
- Global Reach: With deployments in the information technology sector worldwide, the exposed population is large; building automation in commercial real estate, healthcare and industrial facilities is where such devices are typically found.

---

Mitigation Steps


EnOcean has released a patch to address these vulnerabilities. Users are strongly advised to take the following actions:

1. Update Immediately: Upgrade to SmartServer 4.6 Update 2 (v4.60.023) or later. Download the update [here](https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes#Current-Stable-Release).
2. Follow Hardening Guidelines: Refer to EnOcean’s [hardening guide](https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security) for additional security recommendations.
3. Network Segmentation: Isolate SmartServer IoT devices from business networks using firewalls and VLANs.
4. Minimize Exposure: Ensure control system devices are not accessible from the internet.
5. Use Secure Remote Access: If remote access is required, use VPNs or other secure methods, ensuring they are updated to the latest version.

---

Affected Systems


- Vendor: EnOcean Edge Inc
- Product: EnOcean SmartServer IoT
- Affected Versions: ≤4.60.009
- Status: Known to be affected
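When checking an inventory against the affected range above, the comparison has to be numeric per component: SmartServer builds are zero-padded, and a string comparison puts "4.60.9" after "4.60.023" even though it denotes the same build as "4.60.009". The following triage helper is an added example for this page, not EnOcean tooling; the device names and version strings in the sample inventory are constructed, and the affected/fixed bounds are the ones the advisory gives.

```python
"""Firmware-version triage for SmartServer IoT inventories (example code for this
page, not EnOcean tooling).

The advisory gives an affected range (<= 4.60.009) and a fixed build (4.60.023).
Versions are compared component by component as integers so that zero padding
and trailing ".0" components do not change the result.
"""
import re

AFFECTED_MAX = "4.60.009"  # from the advisory: versions <= 4.60.009 are affected
FIXED_MIN = "4.60.023"     # SmartServer 4.6 Update 2

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(version: str) -> tuple:
    """'4.60.009' -> (4, 60, 9). Anything that is not dotted integers is rejected."""
    v = version.strip()
    if not _VERSION_RE.fullmatch(v):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in v.split("."))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; shorter tuples are zero-padded so that 4.60 compares equal to 4.60.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def status(version: str) -> str:
    """Classify one device against the advisory's affected range and fixed build."""
    if compare(version, AFFECTED_MAX) <= 0:
        return "affected"
    if compare(version, FIXED_MIN) >= 0:
        return "fixed"
    # Builds between 4.60.009 and 4.60.023 are not described by the advisory;
    # flag them for an update rather than silently clearing them.
    return "unverified"


def triage(inventory) -> dict:
    """Map device name -> status for an iterable of (name, version) pairs."""
    return {name: status(version) for name, version in inventory}


# Constructed sample inventory for demonstration; these are not real devices.
SAMPLE_INVENTORY = [
    ("ssiot-lobby", "4.60.009"),
    ("ssiot-plant", "4.60.9"),    # same build as 4.60.009, written without padding
    ("ssiot-roof", "4.60.015"),
    ("ssiot-lab", "4.60.023"),
    ("ssiot-annex", "4.61"),
    ("ssiot-legacy", "4.59.120"),
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {result}")
```

The "unverified" bucket matters: the advisory names an upper bound for affected builds and a fixed build, but says nothing about builds in between, so a script should not treat them as safe by default.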

---

Conclusion

The discovery of CVE-2026-20761 and CVE-2026-22885 in EnOcean SmartServer IoT underscores the importance of securing edge devices in building automation and industrial environments. No active exploitation has been reported, but an unauthenticated, network-reachable command injection on a device that sits between business and control networks demands prompt action. Organizations should update to v4.60.023 or later, keep the IP-852 interface off the internet and segmented from business networks, and follow the vendor's hardening guide.

For further guidance, refer to CISA's recommended practices for control systems security and stay vigilant against emerging threats.

---

References


[^1]: CISA. "[ICS Advisory (ICSA-26-050-01) EnOcean SmartServer IoT](https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-01)". Retrieved 2024-10-02.
[^2]: Claroty Team82. "[Research on EnOcean SmartServer IoT Vulnerabilities](https://www.claroty.com/)". Retrieved 2024-10-02.
[^3]: EnOcean. "[SmartServer IoT Release Notes](https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes)". Retrieved 2024-10-02.
