OTPulse

Johnson Controls exacqVision Server

Priority: Monitor
CVSS: 6.7
ICS-CERT advisory: ICSA-19-199-01
Published: Jul 18, 2019
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

A vulnerability in Johnson Controls exacqVision Server allows privilege escalation. It affects versions 9.6 and 9.8. Exploitation requires local access, a high skill level, and user interaction (social engineering or physical presence). No known public exploits exist.

What this means
What could happen
An attacker with local access and user interaction could escalate privileges on the exacqVision Server, potentially gaining administrative access to video surveillance and security system controls in critical infrastructure facilities.
Who's at risk
Organizations operating physical security and video surveillance systems built on Johnson Controls exacqVision Server, including water utilities, electric utilities, manufacturing facilities, and other critical infrastructure with centralized security monitoring. The exposed population is the security staff, IT personnel, and facility operators who have local access to exacqVision Server systems.
How it could be exploited
An attacker must first gain local access to a system running exacqVision Server (e.g., through social engineering, physical access, or a compromised workstation on the same network). They then use the privilege escalation vulnerability to elevate from a lower-privileged user account to administrative access; success still depends on user interaction or specific conditions being met.
Prerequisites
  • Local access to the exacqVision Server system or network
  • An existing user account on the system (lower-privileged)
  • User interaction or social engineering to trigger the vulnerability
  • High skill level to execute the exploit
Key points
  • Local access required (not remotely exploitable)
  • High skill level needed
  • Low EPSS score (risk of active exploitation is minimal)
  • Privilege escalation could lead to unauthorized control of the security system
  • Affects physical security and surveillance infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: exacqVision Server (this vulnerability impacts the exacqVision server component)
Affected Versions: 9.6 | 9.8
Fix Status: 19.03 or later
Remediation & Mitigation

Do now
  • HARDENING: Enforce strong access controls and credential management for exacqVision Server user accounts
  • HARDENING: Train staff to recognize and avoid social engineering attacks targeting facility access

Schedule — requires maintenance window

Patching may require a device reboot — plan for process interruption.

  • HOTFIX: Upgrade exacqVision Server to Version 19.03 or later

Long-term hardening
  • HARDENING: Implement network segmentation to restrict local access to exacqVision Server systems to authorized personnel only