Automated Logic: Automated Logic WebCTRL / Carrier i-Vu: Access Control Bypass
CWE-863
Incorrect Authorization
—
Summary
Per NVD: “The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server.”
Affected Packages / Versions
- Package: Automated Logic WebCTRL / Carrier i-Vu (—)
- Latest published version at triage time: Per NVD: up to and including 8.5
- Affected range: WebCTRL and Carrier i-Vu up to and including 8.5 (per NVD)
- Patched version: See Carrier Product Security advisory list (corporate.carrier.com/product-security/advisories-resources/)
Impact
NVD’s description stops at “expose sensitive information.” Specific data classes exposed and any integrity impact are not enumerated by NVD.
Severity Rationale
NVD does not list a CVSS score for this CVE at fetch time; the Praetorian cve-research listing assigns CVSS 9.2 (Critical). Reviewer should confirm the score source before publication.
Fix
Apply the Automated Logic / Carrier security update. Vendor advisories are listed at corporate.carrier.com/product-security/advisories-resources/.
Disclosure timeline
- TBD: Reported to vendor
- TBD: Patch released
- TBD: Public disclosure
Fix Commit(s)
References
Discovered by Praetorian Labs · Published April 29, 2026