Exploiting EnOcean SmartServer to Attack Connected Building Management Systems
ID: 9a4f60b9-0a80-58d0-b426-53478fffe4dd
STIX ID: report--9a4f60b9-0a80-58d0-b426-53478fffe4dd
Feed Name: Claroty Team82
Team82 discovered two vulnerabilities in EnOcean SmartServer IoT and i.LON devices: a pre-auth remote code execution vulnerability (CVE-2026-20761), triggered via a crafted PKTTYPE_ECHCONFIG timezone field that leads to root-level system call injection, and a stack memory disclosure (CVE-2026-22885) caused by improper extended-header parsing, which enables ASLR bypass. The report includes detailed reverse engineering, exploitation steps and PoC scripts. EnOcean has provided mitigations, and users are advised to update to SmartServer 4.6 Update 2 (v4.60.023).
