SecurityWeek reports that internet-exposed EnOcean SmartServer IoT platform instances affected by a security bypass flaw, tracked as CVE-2026-22885, and a remote code execution issue, tracked as CVE-2026-20761, could be targeted to remotely compromise smart buildings, data centers, and factories.

Threat actors could weaponize the vulnerabilities to circumvent memory defenses and expose memory, as well as run arbitrary commands to take over building management and automation systems, according to an analysis from Claroty researchers, who identified the issues.

"By exploiting improper validation of packet input, an attacker can control an argument passed to the device's built-in system call and achieve full takeover of the Linux-based device, gaining root privileges and arbitrary code execution," said Claroty, which has already issued proof-of-concept exploits following EnOcean's release of SmartServer 4.6 update 2, which resolves both flaws. Outdated i.LON devices were also noted to be affected by CVE-2026-22885 and CVE-2026-20761.
Remote building compromise likely with EnOcean SmartServer bugs




