CVE-2024-5539 PUBLISHED

ALC WebCTRL Carrier i-Vu Access Control Bypass

Assigner: Carrier
Reserved: 30.05.2024 Published: 27.11.2025 Updated: 28.11.2025

The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web-based building automation server.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor: Automated Logic
Product: WebCTRL
Versions (default: unaffected)
  • affected from 0 to 8.5 (incl.)

Vendor: Carrier
Product: i-Vu
Versions (default: unaffected)
  • affected from 0 to 8.5 (incl.)

Solutions

Upgrade to the latest version of ALC WebCTRL or Carrier i-Vu.

Credits

  • Steve Knabe from Praetorian (reporter)

Problem Types

  • CWE-863: Incorrect Authorization