EnOcean SmartServer Flaws Expose Buildings to Remote Hacking
EnOcean SmartServer vulnerabilities enable remote code execution on building management systems.
Summary
Claroty researchers discovered two critical vulnerabilities in EnOcean SmartServer, a multi-protocol IoT gateway used in building automation, factories, and data centers. The flaws—CVE-2026-22885 (security bypass) and CVE-2026-20761 (remote code execution)—allow remote attackers to bypass memory protections and execute arbitrary commands with root privileges. EnOcean released patch version 4.60.023 to address the issues, which also affect legacy i.LON devices.
Full text
Vulnerabilities discovered by Claroty researchers in EnOcean’s SmartServer IoT platform can be exploited to remotely hack building management systems.

EnOcean SmartServer is a multi-protocol gateway and edge controller designed to unify building automation by connecting industrial devices to cloud-based management platforms. The solution is advertised as ideal for smart buildings, factories, and data centers.

Researchers at Claroty, a company specializing in the security of ICS and other cyber-physical systems, discovered that SmartServer is affected by a security bypass vulnerability tracked as CVE-2026-22885 and a remote code execution flaw tracked as CVE-2026-20761.

The vulnerabilities can be exploited by remote attackers against internet-exposed EnOcean devices to bypass memory protections, leak memory, and execute arbitrary commands.

“By exploiting improper validation of packet input, an attacker can control an argument passed to the device’s built-in system call and achieve full takeover of the Linux-based device, gaining root privileges and arbitrary code execution,” Claroty explained.

In a real-world environment, threat actors could take control of building management and automation systems.

EnOcean has been informed of the vulnerabilities and has released the SmartServer 4.6 update 2 (4.60.023) to patch them. It’s worth noting that the security holes also impact legacy i.LON devices.

Claroty has made technical details and proof-of-concept (PoC) exploits available.

Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-22885
- cve — CVE-2026-20761