Delta Controls’ enteliBUS Vulnerability: Remote Control of Building Systems Exposed

Delta Controls’ enteliBUS control system, a programmable BACnet controller, once advertised the promise of “managing your entire central plant from one controller.” However, that convenience has become a double‑edged sword, as a recent vulnerability exposed the system to full remote takeover.

What the Vulnerability Means

The flaw, identified as CVE‑2019‑9569, allows an attacker to trigger a buffer overflow by sending malformed network traffic. Once exploited, the attacker can issue arbitrary BACnet commands, effectively controlling HVAC units, pumps, valves, lighting, and even alarm systems across an entire building.

Live Demo by McAfee

During McAfee’s MPOWER conference, senior researcher Doug McKee demonstrated the exploit in a staged data‑center environment. With a single command, he was able to toggle HVAC controls, disable networked pumps, and turn alarms on and off—all remotely and without physical access.

As McKee explained, “With a few keystrokes, I can go ahead and turn on the alarm.” The demonstration highlighted how a simple malicious payload could disrupt critical operations or even compromise patient safety in hospitals where enteliBUS manages positive‑pressure rooms.

Potential Impact on Facilities

Industrial buildings that rely on water‑cooled HVAC or boiler systems are especially vulnerable. An attacker could shut off pumps, block airflow, or alter temperature readings, leading to equipment overheating, production downtime, or safety hazards. The vulnerability also enables denial‑of‑service attacks, potentially taking entire building control systems offline.

Scope and Visibility

A Shodan search in August 2018 identified 1,600 enteliBUS Manager devices worldwide, with a later query on October 4 returning nearly 500 exposed units—most located in North America. Many of these ran firmware v3.40.571848, the exact version exploited in the labs. Although some listings were honeypots, the sheer number of exposed devices underscores the global risk.

Response and Mitigation

Delta Controls promptly responded after McAfee disclosed the issue on December 7, 2018. The company released a patch that, according to McKee, fully remedied the vulnerability. Users are urged to verify that their enteliBUS Manager firmware is at least version 3.40.571848 or newer and to apply the official patch from the Delta Controls website.

Organizations operating enteliBUS or similar BACnet controllers should conduct a rapid inventory audit, enforce network segmentation, and implement strict access controls to mitigate the risk of remote exploitation.