Vulnerabilities discovered by Claroty researchers in EnOcean’s SmartServer IoT platform can be exploited to remotely hack building management systems.
EnOcean SmartServer is a multi-protocol gateway and edge controller designed to unify building automation by connecting industrial devices to cloud-based management platforms. The solution is advertised as ideal for smart buildings, factories, and data centers.
Researchers at Claroty, a company specializing in the security of ICS and other cyber-physical systems, discovered that SmartServer is affected by a security bypass vulnerability tracked as CVE-2026-22885 and a remote code execution flaw tracked as CVE-2026-20761.
The vulnerabilities can be exploited by remote attackers against internet-exposed EnOcean devices to bypass memory protections, leak memory, and execute arbitrary commands.
“By exploiting improper validation of packet input, an attacker can control an argument passed to the device’s built-in system call and achieve full takeover of the Linux-based device, gaining root privileges and arbitrary code execution,” Claroty explained.
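The pattern Claroty describes, packet data reaching the argument of a system() call, shown as an added C example that is not EnOcean's firmware or Claroty's PoC. The packet layout (type byte, length byte, host field) and the ping use case are assumptions made for illustration only. The vulnerable handler checks the field's length but not its content and splices it into a shell command; the hardened handler allowlists the field and runs the program through execvp() with no shell in between.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative packet layout (an assumption for this example, not EnOcean's
 * protocol): byte 0 = message type, byte 1 = length of the host field,
 * bytes 2.. = host field, not NUL-terminated. */
#define MAX_HOST 64

/* Vulnerable pattern: the length is checked, the content is not, and the
 * field is spliced into a shell command.  Returns the command string that
 * would be handed to system(); it is returned rather than executed so the
 * example never spawns a shell. */
int vuln_build_cmd(const unsigned char *pkt, size_t pktlen,
                   char *cmd, size_t cmdlen)
{
    if (pktlen < 2) return -1;
    size_t n = pkt[1];
    if (n > pktlen - 2 || n > MAX_HOST) return -1;

    char host[MAX_HOST + 1];
    memcpy(host, pkt + 2, n);
    host[n] = '\0';

    /* Shell metacharacters in host (';', '|', '`', '$(...)') reach /bin/sh:
     * system("ping -c 1 127.0.0.1; /bin/sh") runs both commands. */
    int w = snprintf(cmd, cmdlen, "ping -c 1 %s", host);
    return (w < 0 || (size_t)w >= cmdlen) ? -1 : 0;
}

/* Allowlist check for the host field: letters, digits, '.', '-', and no
 * leading '-' so the value cannot be parsed as a ping option either. */
int is_valid_host(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > MAX_HOST || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened parser: same packet, but the field is validated before use and
 * handed out as data, never as part of a command string. */
int safe_parse_host(const unsigned char *pkt, size_t pktlen,
                    char *host, size_t hostlen)
{
    if (pktlen < 2) return -1;
    size_t n = pkt[1];
    if (n > pktlen - 2 || n >= hostlen || n > MAX_HOST) return -1;
    memcpy(host, pkt + 2, n);
    host[n] = '\0';
    return is_valid_host(host) ? 0 : -1;
}

/* Run a program without a shell: argv goes straight to execvp(), so there is
 * no command line for metacharacters to break out of.  Returns the child's
 * exit status, or -1 on failure. */
int exec_no_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed packet whose host field carries a shell payload. */
    const unsigned char evil[] = "\x01\x12" "127.0.0.1; /bin/sh";
    char cmd[128], host[MAX_HOST + 1];

    if (vuln_build_cmd(evil, sizeof evil - 1, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run: system(\"%s\")\n", cmd);

    if (safe_parse_host(evil, sizeof evil - 1, host, sizeof host) != 0)
        printf("hardened handler rejected the field\n");

    /* Constructed benign packet: the field passes validation and is passed
     * to ping as a single argv element. */
    const unsigned char good[] = "\x01\x0c" "host-1.local";
    if (safe_parse_host(good, sizeof good - 1, host, sizeof host) == 0) {
        char *argv[] = { "ping", "-c", "1", host, NULL };
        printf("ping exited with status %d\n", exec_no_shell(argv));
    }
    return 0;
}
```

The two checks in safe_parse_host are independent: the allowlist stops shell injection, and rejecting a leading '-' stops argument injection into the program that is exec'd, which a shell-free exec alone does not prevent. Validation is also done on the decoded field, not the raw packet, so the length byte cannot be used to smuggle bytes past the check.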
In a real-world environment, threat actors could take control of building management and automation systems.
EnOcean has been informed of the vulnerabilities and has released SmartServer 4.6 update 2 (version 4.60.023) to patch them. The flaws also affect legacy i.LON devices.
Claroty has made technical details and proof-of-concept (PoC) exploits available.