What's Happening?
Claroty researchers have identified two critical vulnerabilities in EnOcean's SmartServer IoT platform that could allow remote attackers to compromise building management systems. The SmartServer, used in smart buildings and data centers, is affected by a security bypass vulnerability (CVE-2026-22885) and a remote code execution flaw (CVE-2026-20761). Together, these vulnerabilities enable attackers to bypass memory protections and execute arbitrary commands, potentially gaining control over building automation systems. EnOcean has released an update to patch these vulnerabilities, and Claroty has published technical details along with proof-of-concept exploits.
Why Is It Important?
The discovery of these vulnerabilities highlights the growing cybersecurity challenges in the IoT sector, particularly in critical infrastructure such as building management systems. As smart buildings become more prevalent, securing the IoT platforms that run them is crucial to prevent unauthorized access and operational disruption. The vulnerabilities in EnOcean's SmartServer underscore the need for robust security controls and prompt patching to protect against cyber threats. This incident is a reminder for organizations to prioritize cybersecurity in their IoT deployments in order to safeguard sensitive data and maintain operational integrity.