Summary
Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code and bypass ASLR.
The following versions of EnOcean SmartServer IoT are affected:
- SmartServer IoT <=4.60.009 (CVE-2026-20761, CVE-2026-22885)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.1 | EnOcean Edge Inc | EnOcean SmartServer IoT | Improper Neutralization of Special Elements used in a Command (‘Command Injection’), Out-of-bounds Read |
Background
- Critical Infrastructure Sectors: Information Technology
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2026-20761
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior that allows remote attackers to send specially crafted LON IP-852 management messages, resulting in arbitrary OS command execution on the device.
Affected Products
- EnOcean Edge Inc SmartServer IoT: <=4.60.009 (known affected)
Remediations
Mitigation
EnOcean recommends users update the SmartServer platform software to SmartServer 4.6 Update 2 (v4.60.023) or a later release at https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes#Current-Stable-Release.
For additional mitigations and workarounds, refer to EnOcean’s hardening guide at https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security.
Relevant CWE: CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2026-22885
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior that allows remote attackers to send specially crafted LON IP-852 management messages, resulting in a leak of the program’s memory contents (an out-of-bounds read).
Affected Products
- EnOcean Edge Inc SmartServer IoT: <=4.60.009 (known affected)
Remediations
Mitigation
EnOcean recommends users update the SmartServer platform software to SmartServer 4.6 Update 2 (v4.60.023) or a later release at https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes#Current-Stable-Release.
For additional mitigations and workarounds, refer to EnOcean’s hardening guide at https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security.
Relevant CWE: CWE-125 Out-of-bounds Read