[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" in its embedded web service.



Web Server Functions

  • Built-in web configuration pages allow web browsers to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set up users and passwords.
  • Upgradable firmware (without requiring physical access) through the web or Ethernet connection, allowing easy updates
  • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

The steps to identify the "back door" are briefly described below.


Login form:



Show source code:



Download flash:


Decompile flash:



Use the Binwalk tool to extract known file types

... and to look up classic search criteria:

Logic of login form


User: ""
Pass: "snowman"


We are now able to access the new (secret) panel.
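
For firmware reviewers, the sketch below flags the pattern described above: a credential-like variable compared against a string literal in decompiled client-side code. It is an added example, not code from the original post or from KMC; the ActionScript sample, its identifiers and the literal `EXAMPLE-SECRET` are constructed for illustration.

```python
import re

# Identifiers that usually hold credentials in a login handler.
CRED_NAME = r"\b[\w.]*(?:pass|pwd|user|login)[\w.]*"
# Single- or double-quoted string literal, allowing escaped characters.
STRING_LIT = r"\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*'"
# A credential-like identifier compared (==, ===, !=, !==) with a literal,
# in either operand order.
PATTERN = re.compile(
    rf"(?:(?P<name1>{CRED_NAME})\s*[!=]==?\s*(?P<lit1>{STRING_LIT}))"
    rf"|(?:(?P<lit2>{STRING_LIT})\s*[!=]==?\s*(?P<name2>{CRED_NAME}))",
    re.IGNORECASE,
)

def find_hardcoded_comparisons(source):
    """Return (line number, identifier, literal) for each suspicious comparison."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Crude comment stripping; a '//' inside a string also truncates the line.
        code = line.split("//", 1)[0]
        for m in PATTERN.finditer(code):
            name = m.group("name1") or m.group("name2")
            lit = m.group("lit1") or m.group("lit2")
            findings.append((lineno, name, lit[1:-1]))
    return findings

# Constructed sample of decompiled ActionScript (not the device's real code).
SAMPLE = '''
function onLoginClick():void {
    var userName:String = txtUser.text;
    var passWord:String = txtPass.text;
    // normal path: credentials are sent to the server
    if (userName == "" && passWord == "EXAMPLE-SECRET") {
        gotoAndStop("hiddenPanel");
    } else if (userName.length > 0) {
        sendLogin(userName, passWord);
    }
}
'''

if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_comparisons(SAMPLE):
        print(f"line {lineno}: {name} compared with literal {literal!r}")
```

Comparisons against an empty string are often ordinary input validation, so each finding still needs a manual look at the branch it guards.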
