This out-of-bounds read vulnerability impacts the open-source BACnet protocol stack widely used in embedded IoT and OT devices. Unauthenticated remote attackers can trigger the flaw by sending a crafted ReadPropertyMultiple request to affected devices. Successful exploitation can crash impacted embedded devices, disrupting operations in critical infrastructure and connected IoT environments. The affected ReadPropertyMultiple service handler is enabled by default in the reference BACnet server implementations.
Remediation
Update BACnet Stack to version 1.4.3 or later to address this flaw. If immediate patching is not possible, restrict access to BACnet services from untrusted public networks. Disable the ReadPropertyMultiple confirmed service handler if it is not required for normal operations.
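The "restrict access from untrusted networks" mitigation above is easier to verify and monitor if the BACnet/IP traffic reaching a device is actually inspected. The following is an added example, not code from the BACnet Stack project or from this advisory: it parses the BVLC and NPDU headers of a BACnet/IP frame, identifies Confirmed-Request APDUs whose service choice is ReadPropertyMultiple (service choice 14 in the BACnet standard), and raises an alert when such a request arrives from a source outside an operator-defined allowlist. The allowlist network (`10.0.0.0/8`), the source addresses and the sample frames are all constructed for the example; the frames carry ordinary ReadPropertyMultiple and ReadProperty payloads, not the crafted input the advisory describes.

```python
"""Flag BACnet/IP ReadPropertyMultiple confirmed requests from non-allowlisted sources.

Added example (not part of the advisory or the BACnet Stack project).
Protocol constants follow the BACnet standard; addresses and frames are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

BVLC_TYPE_BACNET_IP = 0x81               # first byte of every BACnet/IP frame
PDU_TYPE_CONFIRMED_REQUEST = 0           # high nibble of the first APDU byte
PDU_TYPE_UNCONFIRMED_REQUEST = 1
SERVICE_CONFIRMED_READ_PROPERTY = 12
SERVICE_CONFIRMED_READ_PROPERTY_MULTIPLE = 14

# Assumed operator allowlist of networks permitted to use confirmed services.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class BacnetApdu:
    pdu_type: int
    service_choice: Optional[int]   # None for PDU types that carry no service choice
    invoke_id: Optional[int]        # only present on Confirmed-Request


def parse_bacnet_ip(packet: bytes) -> BacnetApdu:
    """Walk BVLC -> NPDU -> APDU and return the APDU type and service choice."""
    # BVLC: type (1), function (1), length (2, big-endian, counts the whole frame)
    if len(packet) < 4 or packet[0] != BVLC_TYPE_BACNET_IP:
        raise ValueError("not a BACnet/IP frame")
    if int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("BVLC length does not match frame length")
    off = 4
    # NPDU: version (1), control (1), optional DNET/DLEN/DADR, optional SNET/SLEN/SADR, hop count
    if off + 2 > len(packet) or packet[off] != 0x01:
        raise ValueError("unsupported or truncated NPDU")
    control = packet[off + 1]
    off += 2
    if control & 0x80:
        raise ValueError("network-layer message, carries no APDU")
    if control & 0x20:                      # destination specifier present
        dlen = packet[off + 2]
        off += 3 + dlen
    if control & 0x08:                      # source specifier present
        slen = packet[off + 2]
        off += 3 + slen
    if control & 0x20:                      # hop count follows when DNET is present
        off += 1
    if off >= len(packet):
        raise ValueError("truncated NPDU")
    apdu = packet[off:]
    pdu_type = apdu[0] >> 4
    if pdu_type == PDU_TYPE_CONFIRMED_REQUEST:
        # type/flags, max-segs/max-APDU, invoke ID, [sequence, window if segmented], service choice
        idx = 5 if apdu[0] & 0x08 else 3
        if len(apdu) <= idx:
            raise ValueError("truncated Confirmed-Request APDU")
        return BacnetApdu(pdu_type, apdu[idx], apdu[2])
    if pdu_type == PDU_TYPE_UNCONFIRMED_REQUEST:
        if len(apdu) < 2:
            raise ValueError("truncated Unconfirmed-Request APDU")
        return BacnetApdu(pdu_type, apdu[1], None)
    return BacnetApdu(pdu_type, None, None)


def flag_rpm_from_untrusted(src_ip: str, packet: bytes,
                            trusted_nets=TRUSTED_NETS) -> Optional[str]:
    """Return an alert string for a ReadPropertyMultiple request from outside the allowlist."""
    try:
        apdu = parse_bacnet_ip(packet)
    except ValueError as exc:
        return f"malformed BACnet/IP frame from {src_ip}: {exc}"
    if apdu.pdu_type != PDU_TYPE_CONFIRMED_REQUEST:
        return None
    if apdu.service_choice != SERVICE_CONFIRMED_READ_PROPERTY_MULTIPLE:
        return None
    if any(ipaddress.ip_address(src_ip) in net for net in trusted_nets):
        return None
    return f"ReadPropertyMultiple (invoke id {apdu.invoke_id}) from non-allowlisted {src_ip}"


def build_frame(apdu: bytes) -> bytes:
    """Constructed helper: wrap an APDU in a minimal Original-Unicast-NPDU BVLC frame."""
    length = 4 + 2 + len(apdu)
    return b"\x81\x0a" + length.to_bytes(2, "big") + b"\x01\x04" + apdu


# Constructed sample traffic: (source address, frame). Payloads are benign reads of
# device 1's object-name (property 77); nothing here is the crafted request from the advisory.
RPM_FRAME = build_frame(b"\x00\x05\x01\x0e" + b"\x0c\x02\x00\x00\x01\x1e\x09\x4d\x1f")
RP_FRAME = build_frame(b"\x00\x05\x02\x0c" + b"\x0c\x02\x00\x00\x01\x19\x4d")
WHO_IS_FRAME = build_frame(b"\x10\x08")
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.0.0.5", RPM_FRAME),        # allowlisted BMS workstation
    ("203.0.113.9", RPM_FRAME),     # outside the allowlist -> alert
    ("203.0.113.9", RP_FRAME),      # ReadProperty, not in scope of this rule
    ("203.0.113.9", WHO_IS_FRAME),  # unconfirmed Who-Is, ignored
]


def run_detection(traffic: Iterable[Tuple[str, bytes]] = SAMPLE_TRAFFIC) -> List[str]:
    alerts = []
    for src, frame in traffic:
        alert = flag_rpm_from_untrusted(src, frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_detection():
        print(line)
```

In practice the frames would come from a UDP capture on the BACnet/IP port, and the same rule belongs as a compensating control next to the firewall restriction rather than as a replacement for updating to 1.4.3 or later: a device whose ReadPropertyMultiple handler is still enabled remains exposed to any source that can reach it.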