
CVE-2026-41502

Severity: High · Exploit available
Weakness type: CWE-125
Published: Apr 25, 2026  ·  Modified: May 1, 2026  ·  Source: CIRCL
CVSS v3 base score: 7.5
Reference: NVD (official)
📄 Description (English)

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decoder allows unauthenticated remote attackers to read one byte past an allocated buffer boundary by sending a crafted RPM request with a truncated object identifier. The vulnerability is in rpm_decode_object_id(), which checks apdu_len < 5 but then accesses all 6 byte positions (indices 0-5) — consuming 1 byte for the context tag, 4 bytes for the object ID, then reading apdu[5] for the opening tag check. A 5-byte input passes the length check but causes a 1-byte OOB read, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.

🤖 AI Executive Summary

CVE-2026-41502 is a critical out-of-bounds read vulnerability in BACnet Stack versions prior to 1.4.3 affecting the ReadPropertyMultiple service decoder. Unauthenticated remote attackers can trigger a 1-byte buffer over-read by sending crafted RPM requests with truncated object identifiers, causing denial of service on embedded BACnet devices. The vulnerability is enabled by default and exploits are publicly available, making immediate patching essential for Saudi critical infrastructure.

🤖 AI Intelligence Analysis (analyzed May 1, 2026 23:32)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi Arabia's critical infrastructure sectors: (1) Energy Sector (ARAMCO, SEC) — BACnet is widely used in SCADA/ICS systems for oil & gas operations, power generation, and distribution networks; (2) Water & Utilities — desalination plants and water treatment facilities rely on BACnet for building automation and process control; (3) Healthcare — hospital HVAC, power management, and facility automation systems; (4) Government Facilities — critical infrastructure control systems in NCA-regulated entities; (5) Telecommunications — data center environmental controls. The default-enabled vulnerability allows unauthenticated DoS attacks on these systems, potentially disrupting essential services. Given Saudi Arabia's Vision 2030 digitalization initiatives and increased ICS connectivity, this represents a high-impact threat vector.
🏢 Affected Saudi Sectors
1. Energy (Oil & Gas, Power Generation/Distribution)
2. Water & Utilities (Desalination, Water Treatment)
3. Healthcare (Hospital Facilities Management)
4. Government & Critical Infrastructure
5. Telecommunications (Data Centers)
6. Manufacturing (Industrial Automation)
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all BACnet Stack deployments across your organization, particularly in SCADA/ICS environments
2. Identify systems running BACnet Stack versions < 1.4.3 and RC versions of 1.5.0
3. Assess network exposure — determine if BACnet devices are accessible from untrusted networks

PATCHING GUIDANCE:
1. Upgrade BACnet Stack to version 1.4.3 or later immediately
2. For systems unable to patch immediately, apply compensating controls (see below)
3. Prioritize patching in this order: energy/SCADA systems → water utilities → healthcare → government facilities

COMPENSATING CONTROLS (if patching delayed):
1. Disable ReadPropertyMultiple service if not required: set BACNET_USE_CONFIRMED_SERVICE_HANDLER to 0 in configuration
2. Implement network segmentation — isolate BACnet devices on dedicated VLANs with strict access controls
3. Deploy firewall rules to restrict BACnet traffic (port 47808/UDP) to authorized sources only
4. Implement rate limiting on BACnet service requests to mitigate DoS attempts
5. Monitor for abnormal BACnet traffic patterns and truncated RPM requests

DETECTION RULES:
1. Monitor for BACnet RPM requests with payload length < 5 bytes followed by device crashes/restarts
2. Alert on repeated failed BACnet service requests from external sources
3. Log all ReadPropertyMultiple service invocations and correlate with system stability events
4. IDS/IPS signature: detect BACnet APDU with context tag 0x0E (RPM) and truncated object identifier fields
5. Implement SIEM correlation: BACnet errors + system restarts + network anomalies
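The length bound described in the CVE description above, and the truncated-object-identifier check that detection rule 4 calls for, as an added example in C. This is constructed here and is not bacnet-stack's source; the function names, the 0x0C/0x1E tag bytes (taken from the standard BACnet context-tag encoding) and the sample APDU are assumptions, not values from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* RPM object-identifier segment as the advisory lays it out: 1 byte context
 * tag, 4 bytes object id, then the opening tag the decoder inspects at apdu[5]. */
#define RPM_OBJID_SEGMENT_LEN 6
#define SERVICE_CHOICE_RPM    0x0E  /* ReadPropertyMultiple service choice */
#define CONFIRMED_REQ_HDR_LEN 4     /* pdu type/flags, max-resp, invoke id, service */

/* The flawed bound from the advisory (`apdu_len < 5`), kept as a pure predicate
 * with no memory access: a 5-byte buffer passes, yet apdu[5] would then be read. */
bool flawed_length_check_passes(size_t apdu_len) { return !(apdu_len < 5); }

/* Hardened decoder: require the whole 6-byte segment before touching any index.
 * Returns bytes consumed, or -1 on truncated/malformed input; object_id may be NULL. */
int rpm_decode_object_id_fixed(const uint8_t *apdu, size_t apdu_len, uint32_t *object_id)
{
    if (apdu == NULL || apdu_len < RPM_OBJID_SEGMENT_LEN) return -1;
    if (apdu[0] != 0x0C) return -1;  /* context tag 0, length 4 (standard BACnet tag byte) */
    if (apdu[5] != 0x1E) return -1;  /* opening tag, context 1 (property reference list) */
    if (object_id != NULL)
        *object_id = ((uint32_t)apdu[1] << 24) | ((uint32_t)apdu[2] << 16) |
                     ((uint32_t)apdu[3] << 8) | (uint32_t)apdu[4];
    return RPM_OBJID_SEGMENT_LEN;
}

/* Detection predicate (detection rule 4 above) for an unsegmented Confirmed-Request
 * APDU: true when it is an RPM request whose object-id segment is under 6 bytes. */
bool rpm_apdu_has_truncated_object_id(const uint8_t *apdu, size_t apdu_len)
{
    if (apdu == NULL || apdu_len < CONFIRMED_REQ_HDR_LEN) return false;
    /* high nibble 0 = Confirmed-Request, bit 3 clear = not segmented */
    if ((apdu[0] & 0xF8) != 0x00 || apdu[3] != SERVICE_CHOICE_RPM) return false;
    return (apdu_len - CONFIRMED_REQ_HDR_LEN) < RPM_OBJID_SEGMENT_LEN;
}

/* Constructed sample: Confirmed-Request, invoke id 1, RPM, object id 0x02000001
 * (device object type 8, instance 1). Passing length 9 models the truncated case. */
static const uint8_t SAMPLE_RPM[10] = {0x00, 0x05, 0x01, 0x0E,
                                       0x0C, 0x02, 0x00, 0x00, 0x01, 0x1E};

uint32_t decode_sample_object_id(void)
{
    uint32_t oid = 0;
    (void)rpm_decode_object_id_fixed(SAMPLE_RPM + CONFIRMED_REQ_HDR_LEN, 6, &oid);
    return oid;
}
```

The flawed predicate accepts a 5-byte segment that the hardened decoder rejects, which is exactly the one-byte gap the advisory describes.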
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
1. ECC 2024 A.5.1.1 — Access Control (network segmentation for BACnet devices)
2. ECC 2024 A.5.2.1 — Cryptography (implement authentication if available)
3. ECC 2024 A.6.2.1 — Vulnerability Management (patch management procedures)
4. ECC 2024 A.8.1.1 — Incident Management (detection and response procedures)
5. ECC 2024 A.12.6.1 — Technical Vulnerability Management (ICS-specific controls)
🔵 SAMA CSF
1. SAMA CSF ID.RA-1 — Asset Management (inventory BACnet deployments)
2. SAMA CSF PR.AC-1 — Access Control (network isolation and authentication)
3. SAMA CSF PR.PT-1 — Protection Processes (patch management for critical systems)
4. SAMA CSF DE.CM-1 — Detection and Analysis (monitoring for exploitation attempts)
5. SAMA CSF RS.RP-1 — Response Planning (incident response for ICS environments)
🟡 ISO 27001:2022
1. ISO 27001:2022 A.5.1.1 — Policies for information security (ICS security policies)
2. ISO 27001:2022 A.5.2.1 — Information security roles and responsibilities
3. ISO 27001:2022 A.8.1.1 — Screening (vendor security assessment for BACnet implementations)
4. ISO 27001:2022 A.8.2.1 — Terms and conditions (security requirements in contracts)
5. ISO 27001:2022 A.8.3.1 — Information security awareness and training (ICS-specific training)
🟣 PCI DSS v4.0.1
Not directly applicable — BACnet is not typically used in payment card environments, but if present in integrated systems: PCI DSS 6.2 (patch management), PCI DSS 1.1 (network segmentation)
📦 Affected Products / CPE (4 entries, duplicates collapsed)
1. bacnetstack:bacnet_stack
2. bacnetstack:bacnet_stack:1.5.0
📊 CVSS Score: 7.5 / 10.0 — High
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: N (None)
Integrity: N (None)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-125
EPSS: 0.25%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-04-25
Source Feed: circl
🇸🇦 Saudi Risk Score: 8.2 / 10.0
Priority: CRITICAL