CVE-2026-21878

7.5 HIGH

📋 TL;DR

This vulnerability in BACnet Stack allows attackers to write files to arbitrary directories due to lack of path validation in file writing functionality. It affects embedded systems using BACnet Stack library versions prior to 1.5.0.rc3. The vulnerability could lead to arbitrary file writes that may enable further system compromise.
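The missing check described above, as an added example that is not the BACnet Stack project's code or its actual fix: a lexical validator for a peer-supplied file name applied before any open-for-write. The function names, the 255-byte limit and the use of /var/lib/bacnet as the base directory are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed base directory (the path used in the workaround on this page). */
#define FILE_BASE_DIR "/var/lib/bacnet"
#define FILE_NAME_MAX 255 /* assumed limit for a received name */

/* Accept only a relative name whose components are non-empty and are
 * neither "." nor "..", with no backslashes or control characters. */
bool file_name_is_safe(const char *name)
{
    size_t len, i, start = 0;

    if (name == NULL) return false;
    len = strlen(name);
    if (len == 0 || len > FILE_NAME_MAX) return false;
    if (name[0] == '/') return false; /* absolute path */
    for (i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (i < len && (c == '\\' || c < 0x20)) return false;
        if (i == len || c == '/') { /* end of one path component */
            size_t n = i - start;
            if (n == 0) return false; /* "a//b" or trailing slash */
            if (n == 1 && name[start] == '.') return false;
            if (n == 2 && name[start] == '.' && name[start + 1] == '.')
                return false;
            start = i + 1;
        }
    }
    return true;
}

/* Join the base directory and a validated name into out.
 * Returns false if the name is rejected or the result would be truncated. */
bool build_write_path(const char *name, char *out, size_t out_size)
{
    int n;

    if (out == NULL || out_size == 0 || !file_name_is_safe(name)) return false;
    n = snprintf(out, out_size, "%s/%s", FILE_BASE_DIR, name);
    return n > 0 && (size_t)n < out_size;
}
```

A lexical check like this does not account for symbolic links that already exist under the base directory, so pair it with restrictive directory permissions for the service account.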

💻 Affected Systems

Products:
  • BACnet Stack library
Versions: All versions prior to 1.5.0.rc3
Operating Systems: Linux, POSIX-compatible systems, Embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects applications using the vulnerable file writing functions in apps/readfile/main.c and ports/posix/bacfile-posix.c

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary file writes leading to remote code execution, system file corruption, or persistent backdoor installation.

🟠 Likely Case

File system manipulation allowing data corruption, denial of service, or privilege escalation through overwriting critical files.

🟢 If Mitigated

Limited impact with proper file system permissions and network segmentation preventing unauthorized access to BACnet services.

🌐 Internet-Facing: MEDIUM - BACnet devices are often on industrial networks but may be exposed if misconfigured or in IoT deployments.
🏢 Internal Only: HIGH - Industrial control systems and building automation networks frequently use BACnet and may have limited security controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal exploitation is well-understood and requires minimal technical skill once the vulnerable endpoint is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0.rc3

Vendor Advisory: https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j

Restart Required: Yes

Instructions:

1. Update BACnet Stack library to version 1.5.0.rc3 or later.
2. Recompile any applications using the library.
3. Restart affected services or devices.

🔧 Temporary Workarounds

File System Permissions Restriction (Linux)

Restrict write permissions for the BACnet service account to only necessary directories

chmod -R 755 /var/lib/bacnet
chown -R bacnet:bacnet /var/lib/bacnet

Network Segmentation (all platforms)

Isolate BACnet devices on separate VLANs with strict firewall rules

🧯 If You Can't Patch

  • Implement strict network access controls to limit BACnet traffic to authorized sources only
  • Deploy file integrity monitoring on critical system directories to detect unauthorized file writes

🔍 How to Verify

Check if Vulnerable:

Check BACnet Stack library version and verify if using functions from affected files (apps/readfile/main.c, ports/posix/bacfile-posix.c)

Check Version:

grep -r "BACNET_STACK_VERSION" /usr/include/bacnet/ || echo "Version macro not found; check library documentation"

Verify Fix Applied:

Verify library version is 1.5.0.rc3 or later and examine commit c5dc00a77b4bc2550befa67a930b333e299c18f3 for path validation implementation

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations by BACnet processes
  • Path traversal patterns in BACnet service logs
  • Permission denied errors for unexpected file paths

Network Indicators:

  • BACnet protocol traffic to unexpected ports or from unauthorized sources
  • Unusual file transfer patterns over BACnet

SIEM Query:

source="bacnet.log" AND ("..\\" OR "/../" OR "path traversal")
