Primary

Context

EnOcean SmartServer IoT Command Injection Vulnerability Allowing Arbitrary OS Command Execution

Vulnerability

A command injection vulnerability has been identified in EnOcean SmartServer IoT versions through 4.60.009. This vulnerability allows remote attackers to execute arbitrary operating system commands on the device by sending specially crafted LON IP-852 management messages.

Impact

Exploitation of this vulnerability could lead to unauthorized remote execution of operating system commands on the affected device.

Remediation

Users are advised to update the SmartServer platform software to version 4.6 Update 2 (v4.60.023) or a later release. For additional mitigations and workarounds, refer to EnOcean's hardening guide.

Added: Feb 20, 2026, 4:24 PM

Updated: Feb 20, 2026, 6:16 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.4

remediation

0.0

relevance

3.2

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.4

remediation

0.0

relevance

3.2

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

EnOcean SmartServer IoT Command Injection Vulnerability Allowing Arbitrary OS Command Execution

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating