Plattform
c
Komponente
bacnet-stack
Behoben in
1.5.1
CVE-2026-21878 describes an arbitrary file write vulnerability discovered in the BACnet Stack, an open-source C library for embedded systems. This flaw allows attackers to write files to arbitrary locations on the system, potentially leading to code execution and system compromise. The vulnerability impacts versions of BACnet Stack up to and including 1.5.0.rc3 and has been resolved in version 1.5.0.rc3.
The arbitrary file write vulnerability in BACnet Stack poses a significant risk. An attacker could leverage this flaw to overwrite critical system files, potentially leading to complete system compromise. They could inject malicious code, modify configuration files, or even escalate privileges. The impact extends beyond simple data manipulation; successful exploitation could grant an attacker persistent access to the affected system and allow for lateral movement within the network. The vulnerability resides in apps/readfile/main.c and ports/posix/bacfile-posix.c, indicating a core component of the stack is susceptible.
CVE-2026-21878 was publicly disclosed on 2026-02-13. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. While no active exploitation campaigns have been reported, the ease of exploitation, given the lack of input validation, suggests a potential for future attacks. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Systems utilizing BACnet Stack in embedded devices, particularly those with limited security controls or exposed file systems, are at risk. This includes industrial control systems (ICS), building automation systems, and other IoT deployments relying on BACnet communication. Legacy systems running older versions of BACnet Stack are particularly vulnerable.
• linux / server:
find / -type f -name '*bacnet*' -mtime -7 -ls• linux / server:
journalctl -f | grep -i "bacnet"• generic web:
curl -I http://your-bacnet-system/ | grep -i "Content-Type"disclosure
Exploit-Status
EPSS
0.06% (17% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-21878 is to immediately upgrade to BACnet Stack version 1.5.0.rc3 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, restricting file write access to specific directories and implementing strict file permissions can reduce the attack surface. Thoroughly review and harden the application code that utilizes the BACnet Stack to ensure proper input validation and sanitization. After upgrading, confirm the fix by attempting to write a file to an unauthorized location; the operation should be denied.
Actualice la biblioteca BACnet Stack a la versión 1.5.0.rc3 o superior. Esta versión corrige la vulnerabilidad de recorrido de directorios que permite la escritura de archivos en ubicaciones arbitrarias. La actualización evitará que atacantes exploten esta vulnerabilidad.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-21878 is a HIGH severity vulnerability affecting BACnet Stack versions up to 1.5.0.rc3. It allows attackers to write files to arbitrary locations, potentially leading to system compromise.
You are affected if you are using BACnet Stack version 1.5.0.rc3 or earlier. Check your version and upgrade immediately.
Upgrade to BACnet Stack version 1.5.0.rc3 or later. If immediate upgrade is not possible, implement WAF rules and restrict file system permissions.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests a potential for rapid exploitation.
Refer to the BACnet Stack project's official website or repository for the latest security advisories and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.