Automated Logic WebCTRL Premium Server WebSocket Authentication Request Rate Limiting Vulnerability Allowing Denial-of-Service and Brute-Force Attacks

Vulnerability

A vulnerability exists in the WebSocket API of Automated Logic WebCTRL Premium Server in versions prior to the 8.5 cumulative releases. Authentication requests over this API are not rate limited, which could allow an attacker to cause a denial of service by disrupting legitimate charger telemetry, or to brute-force credentials and gain unauthorized access.

Impact

Exploitation of this vulnerability could lead to denial-of-service conditions by misrouting or suppressing legitimate charger telemetry, or allow unauthorized access through successful brute-force attempts.
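To show the control whose absence this advisory describes, the following added example (not Automated Logic's code, and independent of how WebCTRL's WebSocket API is actually implemented) is a per-source sliding-window limiter for authentication messages on a WebSocket endpoint: a source that exceeds the window limit is locked out for a cool-down period and an alert record is emitted for detection. The thresholds, the source key, and the clock injection are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds for illustration; tune them per deployment.
MAX_ATTEMPTS = 5          # authentication messages allowed per window, per source
WINDOW_SECONDS = 60.0     # sliding window length
LOCKOUT_SECONDS = 300.0   # cool-down applied once the window limit is exceeded


class AuthRateLimiter:
    """Limits authentication messages per source (e.g. the peer address of
    the WebSocket connection) and records lockouts for monitoring."""

    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock for testing
        self._attempts = defaultdict(deque)   # source -> timestamps in window
        self._locked_until = {}               # source -> unlock time
        self.alerts = []                      # (source, time) lockout events

    def check(self, source):
        """Return True if an authentication message from `source` may be
        processed now, counting it against the window; False if refused."""
        now = self._now()
        until = self._locked_until.get(source)
        if until is not None:
            if now < until:
                return False                  # still locked out
            del self._locked_until[source]    # lockout expired: start fresh
            self._attempts[source].clear()
        q = self._attempts[source]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                       # drop attempts outside the window
        if len(q) >= MAX_ATTEMPTS:
            # Window limit hit: refuse, lock out, and raise a detection signal.
            self._locked_until[source] = now + LOCKOUT_SECONDS
            self.alerts.append((source, now))
            return False
        q.append(now)
        return True

    def reset(self, source):
        """Call after a successful login so legitimate clients are not
        penalised by their own earlier attempts."""
        self._attempts.pop(source, None)
```

Unauthenticated sessions should also be closed after a bounded number of refused messages, so a flood cannot hold server resources while being rate limited.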

Remediation

For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments, BACnet Secure Connect support, and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available on the Automated Logic website.

Added: Mar 20, 2026, 11:34 PM
Updated: Mar 20, 2026, 11:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.6
exploitability: 7.4
remediation: 7.9
relevance: 4.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.