
Critical Vulnerabilities in EnOcean Edge's SmartServer IoT Expose Industrial Systems to Attacks

Source: INCIBE-CERT

CISA warns of multiple high-severity flaws in EnOcean Edge SmartServer IoT (CVE-2026-23456 to CVE-2026-23460) enabling remote code execution and DoS attacks.


Madrid, Spain – February 20, 2026 – The Spanish National Cybersecurity Institute (INCIBE) has issued an urgent advisory regarding multiple high-severity vulnerabilities in EnOcean Edge Inc.'s SmartServer IoT, a widely deployed edge server for industrial IoT (IIoT) environments. The flaws, tracked under CVE-2026-23456 through CVE-2026-23460, could allow threat actors to execute remote code, disrupt operations, or gain unauthorized access to critical infrastructure.

Technical Details

The vulnerabilities affect SmartServer IoT versions prior to 4.5.2, with the following critical issues identified:

  • CVE-2026-23456 (CVSS 9.8): Unauthenticated Remote Code Execution (RCE) via crafted HTTP requests to the web interface. The flaw is a buffer overflow in the webserver component, and successful exploitation enables full system compromise.
  • CVE-2026-23457 (CVSS 8.6): Denial-of-Service (DoS) through malformed MQTT packets, crashing the mqtt-broker service and disrupting IoT device communications.
  • CVE-2026-23458 (CVSS 7.5): Improper Authentication in the REST API, allowing attackers to bypass authentication and access sensitive device configurations.
  • CVE-2026-23459 (CVSS 7.2): Stored Cross-Site Scripting (XSS) in the admin dashboard, enabling session hijacking via malicious payloads.
  • CVE-2026-23460 (CVSS 6.5): Information Disclosure due to hardcoded credentials in firmware, exposing default admin passwords in plaintext.

The vulnerabilities were discovered by INCIBE-CERT during a routine security assessment and reported to EnOcean Edge, which has released a patch in SmartServer IoT v4.5.2.

Impact Analysis

SmartServer IoT is deployed across smart buildings, industrial automation, and energy management systems, often integrating with BACnet, Modbus, and LonWorks protocols. Exploitation of these flaws could lead to:

  • Operational disruption in critical infrastructure (e.g., HVAC, lighting, or access control systems).
  • Lateral movement into corporate networks via compromised IoT devices.
  • Data exfiltration of sensitive industrial telemetry or user credentials.
  • Physical safety risks if attackers manipulate connected systems (e.g., disabling fire alarms or security cameras).

INCIBE warns that proof-of-concept (PoC) exploits for CVE-2026-23456 and CVE-2026-23457 are already circulating in underground forums, increasing the urgency for patching.

Recommendations

Security teams and industrial operators are advised to:

  1. Immediately upgrade to SmartServer IoT v4.5.2 or later, available via EnOcean Edge’s support portal.
  2. Isolate SmartServer IoT devices from corporate networks until patches are applied, using VLANs or firewalls.
  3. Monitor network traffic for anomalous MQTT/HTTP requests or unauthorized API access.
  4. Rotate all default credentials and enforce multi-factor authentication (MFA) for admin interfaces.
  5. Audit connected IoT devices for signs of compromise, particularly those using BACnet or Modbus protocols.
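To support steps 1 and 5, the following is an added inventory-triage example; it is not code from INCIBE-CERT, CISA or EnOcean Edge. It takes the one version fact the advisory gives (releases prior to 4.5.2 are affected) and flags hosts that still need the upgrade. The host names and version strings are constructed sample data, and the assumption that every pre-4.5.2 install carries all five listed CVEs follows the advisory's wording rather than any vendor bulletin.

```python
"""Inventory triage for the SmartServer IoT advisory (added example).

Compares each recorded version against the first patched release (4.5.2)
using numeric tuple comparison, so '4.10.1' is correctly treated as newer
than '4.5.2' (plain string comparison would get that wrong). Versions that
cannot be parsed are reported as UNKNOWN rather than silently assumed safe.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "4.5.2"  # from the advisory: versions prior to 4.5.2 are affected

# CVE identifiers and CVSS base scores exactly as listed in the advisory.
ADVISORY_CVES: Dict[str, float] = {
    "CVE-2026-23456": 9.8,
    "CVE-2026-23457": 8.6,
    "CVE-2026-23458": 7.5,
    "CVE-2026-23459": 7.2,
    "CVE-2026-23460": 6.5,
}

# Constructed sample inventory; host names are placeholders, not real systems.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "bms-edge-01.example.internal", "version": "4.5.2"},
    {"host": "bms-edge-02.example.internal", "version": "v4.4.9"},
    {"host": "bms-edge-03.example.internal", "version": "4.10.1"},
    {"host": "bms-edge-04.example.internal", "version": "unknown"},
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.5.2' or 'v4.10.1' into a comparable (major, minor, patch) tuple.

    Strict on purpose: anything with a suffix ('4.5.2-rc1') or missing
    components raises ValueError so it is escalated for manual checking
    instead of being classified as patched.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the recorded version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage_inventory(inventory: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Produce one finding per host, worst-first.

    UNKNOWN (unparseable version) sorts first because it needs a human,
    then AFFECTED hosts, then patched ones; ties break on host name.
    """
    findings: List[Dict[str, object]] = []
    for entry in inventory:
        try:
            affected = is_affected(entry["version"])
            status = "AFFECTED" if affected else "patched"
        except ValueError:
            affected = False
            status = "UNKNOWN"
        findings.append({
            "host": entry["host"],
            "version": entry["version"],
            "status": status,
            # Per the advisory, all listed CVEs apply to every pre-4.5.2 build.
            "cves": sorted(ADVISORY_CVES) if affected else [],
        })
    rank = {"UNKNOWN": 0, "AFFECTED": 1, "patched": 2}
    findings.sort(key=lambda f: (rank[str(f["status"])], str(f["host"])))
    return findings


if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        cves = ", ".join(f["cves"]) if f["cves"] else "-"
        print(f"{f['status']:<9} {f['host']:<30} {f['version']:<8} {cves}")
```

Feed it the real export from your asset inventory in place of SAMPLE_INVENTORY; the UNKNOWN bucket is the one to clear first, since a host whose version nobody can state is the host most likely to have been forgotten when the upgrade was rolled out.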

For further guidance, refer to INCIBE’s advisory (INCIBE-CERT-2026-0045) or CISA’s ICS Alert (ICS-ALERT-2026-0220).


This advisory follows INCIBE’s coordinated disclosure process. EnOcean Edge has acknowledged the vulnerabilities and collaborated on remediation.
