QwikSec

Security Database

CVE

CWE

Training

CVE-2020-36872

Published: Nov 26, 2025

Modified: May 14, 2026

PUBLISHED

Description

BACnet Test Server versions up to and including 1.01 contains a remote denial of service vulnerability in its BACnet/IP BVLC packet handling. The server fails to properly validate the BVLC Length field in incoming UDP BVLC frames on the default BACnet port (47808/udp). A remote unauthenticated attacker can send a malformed BVLC Length value to trigger an access violation and crash the application, resulting in a denial of service.

Vendor	Product	Versions
BACnet Interoperability Test Services, Inc.	BACnet Test Server	affected `0 - <= 1.01`

Weaknesses (CWE)

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php

technical-description

exploit

https://www.exploit-db.com/exploits/48860

exploit

https://packetstormsecurity.com/files/159504

exploit

https://cxsecurity.com/issue/WLB-2020100045

exploit

https://www.bac-test.com/

product

https://www.vulncheck.com/advisories/bacnet-test-server-malformed-bvlc-length-dos

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.