What sectors are at risk due to this vulnerability?

Sectors such as commercial facilities, critical manufacturing, and energy are at significant risk due to the widespread use of the BASC-20T controller in these industries.

Critical Vulnerability in Contemporary Controls BASC-20T Puts Industrial Systems at Risk

Q: Which versions of the BASC-20T are affected?

The vulnerability affects BASControl20 version 3.1.

A newly discovered flaw in the BASC-20T controller exposes industrial control systems to potential unauthorized access and manipulation.

Published: April 9, 2026

Share this on:

Executive Summary

In April 2026, a critical vulnerability (CVE-2025-13926) was identified in Contemporary Controls' BASC-20T unitary controller, widely used in industrial control systems. This flaw allows attackers to intercept and manipulate network traffic, enabling unauthorized actions such as reconfiguring devices, renaming or deleting files, performing file transfers, and executing remote procedure calls. The vulnerability affects BASControl20 version 3.1 and poses significant risks to sectors like commercial facilities, critical manufacturing, and energy. (building-controls.com)

This incident underscores the escalating threats to industrial control systems, with a notable increase in vulnerabilities and attacks targeting operational technology environments. Organizations must prioritize securing legacy systems, implementing robust network segmentation, and ensuring timely updates to mitigate such risks. (infosecurity-magazine.com)

Why This Matters Now

The discovery of CVE-2025-13926 highlights the urgent need for enhanced security measures in industrial control systems, especially as attackers increasingly exploit vulnerabilities in legacy devices. With the rise in ICS vulnerabilities and targeted attacks, organizations must proactively address these risks to safeguard critical infrastructure. (infosecurity-magazine.com)

Attack Path Analysis

An attacker exploited a vulnerability in the Contemporary Controls BASC 20T device, allowing unauthorized access to enumerate functionalities, reconfigure settings, and perform file transfers. This initial compromise enabled the adversary to escalate privileges, move laterally within the network, establish command and control channels, exfiltrate sensitive data, and ultimately disrupt industrial control processes.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

High

Initial Compromise

Description

The attacker exploited a vulnerability in the BASC 20T device, allowing unauthorized access to enumerate functionalities and perform file transfers.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-13926
CVSS 9.8
An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.
Affected Products:
Contemporary Controls BASControl20 – 3.1
Exploit Status:
no public exploit
References:
https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Defense Evasion

T1211

Exploitation for Defense Evasion

Defense Evasion

T1553

Subvert Trust Controls

Privilege Escalation

T1548

Abuse Elevation Control Mechanism

Privilege Escalation

T1134

Access Token Manipulation

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The vulnerability in BASC 20T indicates a failure to protect system components from known vulnerabilities, contravening PCI DSS 4.0 requirement 6.2.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequacies in the organization's cybersecurity policy, as required by NYDFS 23 NYCRR 500.03, to address vulnerabilities in obsolete products.

DORA – ICT Risk Management Framework

Control ID: Article 5

The exploitation of the BASC 20T vulnerability reflects deficiencies in the ICT risk management framework mandated by DORA Article 5.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

The presence of an obsolete and vulnerable product like BASC 20T indicates lapses in asset management practices outlined in CISA ZTMM 2.0 section 3.1.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident demonstrates a failure to implement appropriate cybersecurity risk management measures as required by NIS2 Directive Article 21.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Oil/Energy/Solar/Greentech

Critical SCADA/ICS vulnerability in Contemporary Controls BASC 20T enables complete system compromise through network traffic exploitation, threatening energy infrastructure operations and safety systems.

Utilities

Building automation system vulnerability allows unauthorized control of critical infrastructure through packet forgery, compromising power generation, distribution networks, and essential utility services nationwide.

Critical Manufacturing

Industrial control system security flaw permits complete device reconfiguration and file manipulation, enabling attackers to disrupt manufacturing processes and compromise production safety controls.

Government Administration

Federal facility building automation systems face critical exposure to network-based attacks enabling unauthorized access, data exfiltration, and potential compromise of government operational security.

Sources

Contemporary Controls BASC 20Thttps://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01
Verified

BAScontrol20 20-point BACnet/IP Sedona Unitary Controllerhttps://www.ccontrols.com/basautomation/bascontrol20.php

Verified

Contemporary Controls BASC-20T Product Pagehttps://www.building-controls.com/products/ccs-basc20t

Verified

Frequently Asked Questions

CVE-2025-13926 is a critical vulnerability in Contemporary Controls' BASC-20T controller that allows attackers to intercept and manipulate network traffic, leading to unauthorized actions such as reconfiguring devices and executing remote procedure calls.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While initial exploitation may still occur, the attacker's ability to leverage this access to further compromise the network would likely be constrained.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely be constrained by limiting access to critical systems and functions.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the potential blast radius.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, disrupting remote management of compromised devices.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.

Impact (Mitigations)

The attacker's ability to disrupt industrial operations would likely be constrained, reducing the potential impact on safety and operations.

Impact at a Glance

Affected Business Functions

Building Automation Systems
HVAC Control
Lighting Control

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of building automation system configurations and control data.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
• Deploy East-West Traffic Security controls to monitor and restrict internal network communications.
• Utilize Encrypted Traffic (HPE) to secure data in transit and prevent packet sniffing.
• Establish Multicloud Visibility & Control to detect anomalous interactions and repeated malformed requests.
• Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Vulnerability in Contemporary Controls BASC-20T Puts Industrial Systems at Risk

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-13926

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Exploitation for Defense Evasion

Subvert Trust Controls

Abuse Elevation Control Mechanism

Access Token Manipulation

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Oil/Energy/Solar/Greentech

Utilities

Critical Manufacturing

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads