CVE-2026-22885

LOW 3.7

EnOcean SmartServer IoT Out-of-bounds Read

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory.

CWE	CWE-125
Vendor	enocean edge inc
Product	smartserver iot
Published	Feb 20, 2026
Last Updated	Feb 20, 2026

Stay Ahead of the Next One

Get instant alerts for enocean edge inc smartserver iot

Be the first to know when new low vulnerabilities affecting enocean edge inc smartserver iot are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

EnOcean Edge Inc / SmartServer IoT

0 ≤ 4.60.009

References

NVD ↗ CVE.org ↗ EPSS Data ↗

enoceanwiki.atlassian.net: https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes#Current-Stable-Release enoceanwiki.atlassian.net: https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-01 github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-01.json

Credits

Amir Zaltzman of Claroty Team82 reported these vulnerabilities to CISA.