"EnOcean SmartServer Flaws Expose Buildings to Remote Hacking" reports that two vulnerabilities, tracked as CVE-2026-22885 and CVE-2026-20761, were uncovered by Claroty researchers in EnOcean’s SmartServer IoT platform.
According to Claroty, these flaws can be exploited by remote attackers against internet-exposed EnOcean devices to bypass memory protections, leak memory, and execute arbitrary commands, potentially allowing full takeover of Linux-based devices and control of building management and automation systems. The findings note that these issues enable security bypass and remote code execution through improper validation of packet input.
EnOcean has informed customers and released SmartServer 4.6 update 2 (4.60.023) to patch the vulnerabilities; the security holes also affect legacy i.LON devices. Written by Eduard Kovacs, this SecurityWeek report emphasises the risk posed to smart buildings, factories, and data centres if exposed devices remain unpatched. According to Claroty, technical details and PoC exploits are already available.