CVE-2026-22885

3.7 LOW

📋 TL;DR

A memory leak in EnOcean SmartServer IoT versions 4.60.009 and prior lets a remote, unauthenticated attacker send specially crafted LON IP-852 management messages that each leave memory allocated, so the device's memory use grows with every such message until it is exhausted. This affects organizations using EnOcean SmartServer IoT devices for building automation and industrial control systems.

💻 Affected Systems

Products:
  • EnOcean SmartServer IoT
Versions: 4.60.009 and prior
Operating Systems: Embedded/Linux-based IoT platform
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the LON IP-852 management message handling component. Systems must have LON IP-852 functionality enabled to be vulnerable.

⚠️ Manual Verification Required

The affected-version statement above ("4.60.009 and prior") comes from the advisory text; the database entry for this CVE carries no machine-readable version range, so automated vulnerability detection cannot determine whether your system is affected.

Why? The vendor/NVD entry does not supply version ranges in a form the scanner can match against.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained exploitation could lead to complete memory exhaustion, causing the SmartServer IoT device to crash or become unresponsive, potentially disrupting building automation or industrial control operations.

🟠 Likely Case

Gradual performance degradation over time as memory is consumed, leading to slower response times or intermittent service interruptions.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to potential performance issues that can be detected and addressed before service disruption.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of LON IP-852 protocol and ability to craft specific malformed messages. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 4.60.009

Vendor Advisory: https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes

Restart Required: Yes

Instructions:

1. Check the current firmware version (web interface or SSH).
2. Download the latest firmware from the EnOcean support portal.
3. Follow the vendor's firmware update procedure.
4. Restart the device after the update.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to the LON IP-852 port (UDP 1628 by default; UDP 1629 if the device also acts as an IP-852 configuration server) to trusted management networks only. Apply the rules on the device if it gives you shell access, otherwise on the upstream firewall in front of it.

iptables -A INPUT -p udp --dport 1628 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p udp --dport 1628 -j DROP

Rate Limiting

Rate-limit LON IP-852 traffic so that an attacker cannot drive memory consumption quickly. Note that this only slows the leak: messages that get through still leak memory, so the device must still be patched or restarted periodically. The numbers below are placeholders; tune them to the site's real IP-852 traffic, or legitimate LON management traffic will be dropped too.

iptables -A INPUT -p udp --dport 1628 -m limit --limit 10/min --limit-burst 20 -j ACCEPT
iptables -A INPUT -p udp --dport 1628 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SmartServer IoT devices from untrusted networks
  • Deploy network monitoring to detect abnormal LON IP-852 traffic patterns and memory usage spikes

🔍 How to Verify

Check if Vulnerable:

Check device version via web interface or SSH. If version is 4.60.009 or lower, device is vulnerable.

Check Version:

ssh admin@device_ip 'cat /etc/version'

or check via the web interface at http://device_ip/status. If that file is not present on your firmware, treat the web interface's version display as authoritative.

Verify Fix Applied:

After update, verify version is higher than 4.60.009 and monitor memory usage during normal LON IP-852 traffic.
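The "monitor memory usage" step above is vague about what to look for. A leak of this kind shows up as resident memory that rises steadily with traffic and never comes back down, not as the noisy but flat baseline a healthy process shows. The following added example (not part of the original advisory or any EnOcean tooling) takes periodic RSS samples of the SmartServer process, which you would collect with `ps -o rss=` or from the device's status page, and decides whether they show a sustained leak by combining a least-squares growth rate with a "how often did it go up" check. The sample series are constructed inline; the thresholds are assumptions to tune per site.

```python
"""Sustained-leak detection from periodic RSS samples of a process.

samples are (t_seconds, rss_kb) tuples. Added example; sample data below is constructed.
"""


def least_squares_slope(samples):
    """Growth rate of rss_kb over time, in KB per hour, by ordinary least squares."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    num = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return 0.0 if den == 0 else (num / den) * 3600.0


def increasing_fraction(samples):
    """Fraction of consecutive sample pairs where RSS did not fall.

    Close to 1.0 for a leak (memory only ever grows), around 0.5 for jitter
    around a stable baseline. This guards against a single large allocation
    producing a steep slope that is not actually a leak.
    """
    pairs = list(zip(samples, samples[1:]))
    if not pairs:
        return 0.0
    return sum(1 for (_, a), (_, b) in pairs if b >= a) / len(pairs)


def leak_verdict(samples, min_slope_kb_per_hour=512, min_increasing=0.8, min_hours=2.0):
    """Return (leaking, slope_kb_per_hour, increasing_fraction).

    Thresholds are assumptions: require at least min_hours of data so that a
    short burst of activity is not mistaken for a leak, a growth rate above
    min_slope_kb_per_hour, and RSS rising in at least min_increasing of steps.
    """
    if len(samples) < 2:
        return False, 0.0, 0.0
    span_hours = (samples[-1][0] - samples[0][0]) / 3600.0
    slope = least_squares_slope(samples)
    frac = increasing_fraction(samples)
    leaking = span_hours >= min_hours and slope >= min_slope_kb_per_hour and frac >= min_increasing
    return leaking, slope, frac


def build_samples(growth_kb_per_sample, hours=4, interval_s=300, base_kb=120_000):
    """Constructed series: one RSS reading every interval_s for `hours` hours,
    with deterministic +/-64 KB jitter on top of a linear trend."""
    count = int(hours * 3600 / interval_s) + 1
    out = []
    for i in range(count):
        jitter = ((i * 7) % 5 - 2) * 32          # cycles through -64, 0, 64, -32, 32
        out.append((i * interval_s, base_kb + i * growth_kb_per_sample + jitter))
    return out


# Constructed inputs: a healthy process (flat) and a leaking one (+180 KB per 5-minute sample,
# i.e. roughly 2.1 MB/hour, which would exhaust a small embedded device within days).
STABLE_SAMPLES = build_samples(0)
LEAKING_SAMPLES = build_samples(180)

if __name__ == "__main__":
    for name, series in (("stable", STABLE_SAMPLES), ("leaking", LEAKING_SAMPLES)):
        verdict, slope, frac = leak_verdict(series)
        print(f"{name}: leaking={verdict} slope={slope:.1f} KB/h increasing={frac:.2f}")
```

Run it before and after the firmware update while the device is receiving its normal IP-852 management traffic: a patched device should return `leaking=False` on the same traffic that previously produced a positive verdict.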

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption patterns in system logs
  • Repeated LON IP-852 connection attempts from unusual sources
  • Process restart events for SmartServer services

Network Indicators:

  • High volume of LON IP-852 traffic to port 1628/udp, especially management (non-data) messages from a single source
  • LON IP-852 messages with a malformed structure (for example a header length field that disagrees with the datagram size) or unusual patterns

SIEM Query:

(source="smartserver.log" AND ("memory" AND ("high" OR "exhausted" OR "leak"))) OR (dest_port=1628 AND transport="udp")

The parentheses matter: without them, AND binds more tightly than OR and the memory clause would be evaluated on its own. Field names are illustrative and must be mapped to your SIEM's schema.
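A SIEM query on port and a few log keywords gives little warning before the device is already struggling. The network indicators above can be checked directly on a capture of UDP/1628 traffic. The added example below (not part of the original advisory, EnOcean's code, or any published exploit) parses the EIA-852 common packet header, flags datagrams whose length field disagrees with the datagram size, and alerts on any source sending management (non-data) messages faster than a threshold. The 20-byte header layout, the data-packet type code 0x01, the example management type code and the rate threshold are all assumptions stated in the code; the sample capture is constructed inline.

```python
"""Offline triage of LON IP-852 (EIA-852) datagrams captured on UDP/1628.

Added example. Assumed common header (20 bytes, big-endian):
  length(2) version(1) type(1) ext_hdr_size(1) flags(1) vendor(2) session(4) sequence(4) timestamp(4)
"""
import struct
from collections import defaultdict

HDR = struct.Struct(">HBBBBHIII")          # assumed header layout, 20 bytes
DATA_PACKET = 0x01                          # assumption: 0x01 carries LonTalk data; other types are management
EXAMPLE_MGMT_TYPE = 0x63                    # any non-data type; exact management codes are not asserted here
MGMT_RATE_LIMIT = 20                        # management datagrams per source per window before alerting (tune)
WINDOW_SECONDS = 60


def parse_header(dgram: bytes):
    """Decode the common header, or return None if the datagram is shorter than the header."""
    if len(dgram) < HDR.size:
        return None
    length, version, ptype, ext_size, flags, vendor, session, seq, ts = HDR.unpack_from(dgram)
    return {"length": length, "version": version, "type": ptype, "ext_size": ext_size,
            "flags": flags, "vendor": vendor, "session": session, "seq": seq, "ts": ts}


def structural_findings(dgram: bytes):
    """Stateless checks: truncated header, and a length field that does not match the datagram."""
    hdr = parse_header(dgram)
    if hdr is None:
        return ["truncated-header"]
    findings = []
    if hdr["length"] != len(dgram):
        findings.append(f"length-mismatch(field={hdr['length']},actual={len(dgram)})")
    return findings


def triage(events):
    """events: iterable of (timestamp_seconds, src_ip, datagram_bytes), in time order.

    Returns a list of (timestamp, src_ip, finding) tuples. Each source is alerted
    once per run for exceeding the management-message rate in a sliding window.
    """
    findings = []
    mgmt_times = defaultdict(list)          # src -> timestamps of recent management datagrams
    alerted = set()
    for t, src, dgram in events:
        for f in structural_findings(dgram):
            findings.append((t, src, f))
        hdr = parse_header(dgram)
        if hdr is None or hdr["type"] == DATA_PACKET:
            continue
        times = mgmt_times[src]
        times.append(t)
        while times and t - times[0] > WINDOW_SECONDS:   # expire samples outside the window
            times.pop(0)
        if len(times) > MGMT_RATE_LIMIT and src not in alerted:
            alerted.add(src)
            findings.append((t, src, f"mgmt-rate>{MGMT_RATE_LIMIT}/{WINDOW_SECONDS}s"))
    return findings


def build_datagram(ptype, payload=b"", length_field=None):
    """Constructed datagram using the assumed header; length_field overrides the true length."""
    total = HDR.size + len(payload)
    return HDR.pack(length_field if length_field is not None else total,
                    1, ptype, 0, 0, 0, 0x1234, 7, 0) + payload


# Constructed sample capture: one well-formed data packet from a normal peer, then one
# management datagram with a lying length field and a burst of management datagrams
# from the same source, two per second.
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.5", build_datagram(DATA_PACKET, b"\x00" * 8))]
    + [(1.0, "10.0.0.9", build_datagram(EXAMPLE_MGMT_TYPE, b"\x00" * 4, length_field=200))]
    + [(2.0 + i * 0.5, "10.0.0.9", build_datagram(EXAMPLE_MGMT_TYPE, b"\x00" * 4)) for i in range(25)]
)

if __name__ == "__main__":
    for t, src, finding in triage(SAMPLE_EVENTS):
        print(f"t={t:6.1f} src={src} {finding}")
```

Feed it real traffic by reading UDP/1628 datagrams from a pcap (for example with `scapy` or `dpkt`) into the same `(timestamp, src, bytes)` tuples; the rate threshold should be set from a baseline of your own site's management traffic, since legitimate LON tooling also sends bursts.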
