Cyber Posture

CVE-2026-20761

Severity: High
Published: 20 February 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0038 (59.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior in the handling of LON IP-852 management messages. A remote attacker can send specially crafted IP-852 messages that result in arbitrary OS command execution on the device.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly prevents the command injection vulnerability by validating IP-852 management message inputs so that specially crafted payloads leading to arbitrary OS command execution are rejected.

prevent: Remediates the specific flaw in EnOcean SmartServer IoT version 4.60.009 and prior through timely application of vendor firmware updates and patches, as advised in the release notes and in CISA ICSA-26-050-01.

prevent: Mitigates exposure by enforcing least functionality, disabling or restricting unnecessary LON IP-852 management channels on the IoT device.

Security Summary [AI-generated]

CVE-2026-20761 is a command injection vulnerability (CWE-77) affecting EnOcean SmartServer IoT version 4.60.009 and prior. It resides in the handling of LON IP-852 management messages, where specially crafted IP-852 messages can be sent to trigger arbitrary OS command execution on the device. Published on 2026-02-20, the issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high impact on confidentiality, integrity, and availability despite requiring high attack complexity.

Remote, unauthenticated attackers can exploit this vulnerability over the network by transmitting malicious IP-852 messages via LON IP-852 channels. Successful exploitation enables arbitrary operating system command execution on the targeted SmartServer IoT device, allowing full control for potential persistence, data exfiltration, or lateral movement within operational technology (OT) and IoT networks.

Mitigation details are available in vendor and authority advisories, including EnOcean's SmartServer IoT Release Notes for the current stable release, security enhancement guidance, and CISA ICS Advisory ICSA-26-050-01 (with corresponding CSAF document). Practitioners should review these references for patching instructions, firmware updates, and recommended configurations to address the vulnerability.

Details

CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing IoT management protocol (T1190), resulting in arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References