Automated Logic WebCTRL Premium Server
Summary
The Automated Logic WebCTRL Premium Server has critical vulnerabilities, including an Open Redirect and Cross-site Scripting, with a CVSS v4 score of 8.6. Successful exploitation could allow remote attackers to redirect users to malicious sites or execute malicious scripts in their browsers, posing significant security risks.
Impact
Affected products include: Automated Logic WebCTRL Server (Versions 6.1, 7.0, 8.0, 8.5), Carrier i-Vu (Versions 6.1, 7.0, 8.0, 8.5), Automated Logic SiteScan Web (Versions 6.1, 7.0, 8.0, 8.5), and Automated Logic WebCTRL for OEMs (Versions 6.1, 7.0, 8.0, 8.5). Vendor: Automated Logic.
In the Wild
No
Timeline
Disclosed on November 20, 2025
Remediation
Users are advised to upgrade to WebCTRL version 9.0, as vulnerabilities have been remediated in this version. WebCTRL 7.0, WebCTRL 6.1, and i-Vu 6.0 are out of support. Users should follow Automated Logic's Security Best Practices Checklists for Building Automation Systems (BAS) to align with best practices installation guidelines. CISA recommends minimizing network exposure for control system devices, using firewalls, and employing secure remote access methods like VPNs.