Claroty finds flaws in EnOcean SmartServer IoT platform
Thu, 30th Apr 2026
Security researchers have identified two vulnerabilities in EnOcean's SmartServer IoT platform that could allow attackers to gain control of internet-connected building management systems.
The flaws, disclosed by Claroty's Team82 research unit, affect SmartServer IoT version 4.60.009 and earlier, as well as legacy i.LON devices connected through the platform. Successful exploitation could enable attackers to bypass memory protections, leak data and execute commands on affected systems.
Critical flaws
The first vulnerability, tracked as CVE-2026-20761, carries a CVSS v3 score of 8.1. It allows remote attackers to send crafted LON IP-852 messages that result in arbitrary command execution on devices.
The flaw stems from improper validation of input within a system function that handles timezone configuration. Attackers can inject malicious commands through specially crafted packets, which are then executed with root privileges on the underlying Linux system.
The second vulnerability, CVE-2026-22885, has a CVSS v3 score of 3.7. It allows attackers to send crafted IP-852 messages that bypass address space layout randomisation protections and expose memory.
Exploitation path
The vulnerabilities rely on IP-852 messaging, a protocol used in LonWorks and related building automation networks. Attackers can exploit this channel to send malicious traffic that manipulates how the SmartServer processes configuration and time synchronisation data.
One attack path involves retrieving configuration details from the device before sending crafted messages that appear to originate from trusted sources. Another method exploits packet parsing behaviour to extract data from memory, which can then be used to bypass security protections.
When chained together, the vulnerabilities allow attackers to leak memory and execute arbitrary commands, increasing the likelihood of a full system compromise.
System impact
Affected systems include building management and automation environments that control heating, ventilation, lighting, power and access controls. A successful attack could allow intruders to manipulate these functions or move laterally across connected devices.
The risks are higher in environments where these systems are exposed to the internet. Manufacturing sites, defence facilities and data centres were identified as settings where compromised building systems could disrupt operations or expose sensitive infrastructure.
The findings reflect wider concerns about the security of operational technology in commercial buildings and industrial environments. Research indicates that a large proportion of building management systems remain exposed to critical vulnerabilities.
Mitigation steps
EnOcean has addressed both vulnerabilities in SmartServer version 4.60.023 and later. Users are advised to upgrade affected systems and review network exposure, particularly where IP-852 messaging is enabled.
Patching may require coordination across facilities, contractors and security teams, as building management systems often sit between information technology and operational technology networks.
"Users are advised to update the SmartServer platform software to SmartServer 4.6 Update 2 (v4.60.023) or later," the researchers said.
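A defender-side triage helper for the mitigation guidance above, written as an added example rather than code from Claroty, Team82 or EnOcean: it compares inventory version strings numerically against the fixed build 4.60.023 (string comparison would misorder zero-padded builds such as 4.60.009) and lists assets whose IP-852 endpoint is reachable from the internet first. The IP-852 UDP port (1628, the EIA-852 default) is an assumption to verify per site, and the inventory records are constructed sample data.

```python
"""Patch-gap triage for the SmartServer IoT advisory (added example, not
vendor or researcher code). Flags assets below the fixed release and ranks
internet-exposed IP-852 endpoints first."""
from dataclasses import dataclass

FIXED_VERSION = "4.60.023"  # SmartServer 4.6 Update 2, per the advisory
IP852_UDP_PORT = 1628       # EIA-852 default port; assumption, verify per site


def parse_version(text: str) -> tuple[int, ...]:
    """'4.60.009' -> (4, 60, 9). Numeric comparison avoids the string trap
    where '4.60.023' < '4.60.9' because '0' sorts before '9'."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))


def is_vulnerable(version: str) -> bool:
    """Anything older than the fixed build needs the upgrade."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass(frozen=True)
class Asset:
    name: str
    version: str
    udp_ports_from_internet: frozenset[int]  # result of an external scan


def triage(assets: list[Asset]) -> list[tuple[str, str]]:
    """Return (asset name, finding) pairs, most urgent first."""
    findings = []
    for a in assets:
        if not is_vulnerable(a.version):
            continue
        exposed = IP852_UDP_PORT in a.udp_ports_from_internet
        finding = ("patch now: IP-852 reachable from internet" if exposed
                   else "patch: IP-852 internal only")
        findings.append((a.name, finding))
    # Internet-exposed endpoints to the top; sort is stable otherwise.
    findings.sort(key=lambda f: 0 if f[1].startswith("patch now") else 1)
    return findings


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    Asset("bms-hq-01", "4.60.009", frozenset({1628, 443})),
    Asset("bms-plant-02", "4.60.023", frozenset({1628})),
    Asset("bms-dc-03", "4.59.100", frozenset()),
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```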