Researchers at Claroty have disclosed two vulnerabilities in the EnOcean SmartServer IQ, a building management and automation controller deployed in commercial, industrial, and institutional buildings worldwide. The flaws — a security bypass and a remote code execution (RCE) vulnerability — can be exploited to gain unauthorized remote control of building systems, including HVAC, access control, lighting, and energy management infrastructure.
About the EnOcean SmartServer IQ
The SmartServer IQ is a building management server (BMS) and IoT gateway produced by EnOcean, a Swiss-German company specializing in energy-harvesting wireless technology for smart buildings. The device acts as a central controller for building automation systems, aggregating data from hundreds of wireless sensors and actuators and providing a management interface for facility operators.
SmartServer IQ devices are deployed in corporate offices, hospitals, data centers, universities, and industrial facilities — environments where the physical systems it controls are critical to operations and safety.
Vulnerability Details
Claroty's Team82 research unit discovered two distinct vulnerabilities affecting the SmartServer IQ:
Vulnerability 1: Security Bypass
The first flaw is an authentication bypass in the device's REST API or web management interface. The vulnerability allows an unauthenticated remote attacker to skip authentication checks and access administrative functionality that should require valid credentials.
This effectively exposes the full management surface of the SmartServer IQ to any attacker who can reach the device — whether over the internet (if exposed directly or via a misconfigured network) or from within a corporate network segment.
Vulnerability 2: Remote Code Execution
The second vulnerability allows an attacker with access to the SmartServer IQ's management interface to execute arbitrary code on the underlying operating system. When chained with the authentication bypass, this results in a fully unauthenticated remote code execution condition — the most severe class of vulnerability affecting network-connected devices.
An attacker exploiting the combined chain would gain the ability to:
- Modify or disable building systems (HVAC, access control, fire suppression)
- Pivot from the BMS device into adjacent network segments
- Install persistent backdoors on the SmartServer IQ
- Manipulate sensor readings and automation logic to create unsafe physical conditions
Attack Surface and Exposure
Building management systems represent a growing and frequently overlooked attack surface. Unlike enterprise IT systems, BMS devices are often:
- Internet-exposed — Facility managers sometimes configure remote access without adequate firewall protection
- Infrequently patched — OT and BMS devices are rarely included in regular vulnerability management cycles
- Shared-network — In many facilities, BMS networks are insufficiently segmented from corporate IT networks
- Unmonitored — Security operations teams rarely have visibility into BMS traffic or device logs
This combination makes BMS vulnerabilities particularly attractive to threat actors seeking initial access to corporate networks or looking to cause physical disruption.
Claroty's Responsible Disclosure
Claroty followed a responsible disclosure process, reporting the vulnerabilities to EnOcean before public disclosure. Organizations running SmartServer IQ devices should check EnOcean's security advisories for patch availability and apply updates as soon as possible.
This is not the first time Claroty's Team82 has highlighted critical vulnerabilities in OT and building management systems. Their research has consistently demonstrated that the security posture of building automation infrastructure lags significantly behind that of traditional IT systems.
Remediation Recommendations
Immediate actions:
- Apply vendor patches — Check EnOcean's security advisory portal for available firmware updates for the SmartServer IQ and apply them promptly
- Restrict network access — Ensure SmartServer IQ devices are not directly accessible from the internet; place them behind a firewall with strict ingress rules
- Network segmentation — Isolate BMS networks from corporate IT networks using VLANs and enforced firewall rules with no implicit trust between segments
- Disable unused services — Disable any management interfaces or protocols on the SmartServer IQ that are not actively required
- Monitor for anomalies — Enable logging on SmartServer IQ devices and forward logs to a SIEM for analysis; alert on unexpected API calls or configuration changes
Longer-term:
- Include BMS devices in regular vulnerability management and patching cycles
- Conduct periodic network scans to discover internet-exposed BMS devices
- Implement zero-trust access controls for BMS management interfaces, requiring VPN and multi-factor authentication
- Engage OT security specialists to assess the full building automation attack surface
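The monitoring recommendation above can be turned into concrete detection logic. The following is an added example, not code from Claroty or EnOcean: it scans constructed access-log lines from a BMS management interface and raises alerts for the three conditions the disclosed flaws make relevant. The log format, the management subnet (10.20.0.0/24) and the administrative path prefixes are assumptions, not values taken from the advisory.

```python
import ipaddress
import re
from typing import Dict, List

# Assumptions (not from the advisory): the device writes a combined-style access
# log, management traffic is confined to 10.20.0.0/24, and administrative
# functionality lives under /api/admin/ and /api/config/.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
ADMIN_PREFIXES = ("/api/admin/", "/api/config/")
CHANGE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per suspicious line: admin access from outside the management
    network, a successful admin call with no authenticated user (what an
    authentication bypass looks like in the log), or a configuration change."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these too
        f = m.groupdict()
        if not f["path"].startswith(ADMIN_PREFIXES):
            continue
        src = ipaddress.ip_address(f["src"])
        ok = f["status"].startswith("2")
        if src not in MGMT_NET:
            alerts.append({"rule": "admin_from_outside_mgmt", **f})
        if ok and f["user"] == "-":
            alerts.append({"rule": "unauthenticated_admin_success", **f})
        if ok and f["method"] in CHANGE_METHODS:
            alerts.append({"rule": "config_change", **f})
    return alerts

# Constructed sample lines, not real device output.
SAMPLE = [
    '10.20.0.15 operator [2026-01-10T09:12:01Z] "GET /api/config/hvac HTTP/1.1" 200',
    '10.20.0.15 operator [2026-01-10T09:12:30Z] "PUT /api/config/hvac HTTP/1.1" 200',
    '203.0.113.8 - [2026-01-10T09:15:44Z] "GET /api/admin/users HTTP/1.1" 401',
    '203.0.113.8 - [2026-01-10T09:15:52Z] "GET /api/admin/users HTTP/1.1" 200',
    '10.20.0.15 operator [2026-01-10T09:16:00Z] "GET /api/status HTTP/1.1" 200',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(a["rule"], a["src"], a["method"], a["path"], a["status"])
```

The fourth sample line, a 200 on an administrative endpoint with no session from an address outside the management VLAN, is the pattern a SIEM rule should treat as high priority.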
Broader OT Security Context
The EnOcean SmartServer IQ disclosure comes amid a sustained period of heightened attention to operational technology (OT) and building automation security. In 2026, researchers have disclosed vulnerabilities in a wide range of industrial control systems, building controllers, and IoT gateways. The common thread: these devices were designed for reliability and functionality, not adversarial security, and are now being scrutinized against a threat landscape they were never designed to withstand.
As threat actors increasingly target physical infrastructure — as seen in attacks on water utilities, energy grids, and manufacturing facilities — the security of building management systems has moved from niche concern to mainstream priority.