Johnson Controls Kantech EntraPass
Plan: Patch · CVSS 8.8 · ICS-CERT ICSA-20-147-02 · May 26, 2020
Attack Vector: Local
Auth Required: Low (standard user account)
Complexity: Low
User Interaction: None needed
Summary
Johnson Controls Kantech EntraPass versions 8.22 and earlier contain an improper access control weakness (CWE-284): privileged application functions are not properly restricted, so a local user with low-level privileges can escalate to application administrator. All three product editions are affected: Corporate Edition, Global Edition, and Special Edition. The vulnerability is not remotely exploitable; it requires interactive local access to an EntraPass workstation with standard user credentials.
What this means
What could happen
An attacker with local access and low-level user privileges on an EntraPass system could gain complete control of the access control application, including the ability to modify security policies, disable alarms, or unlock doors.
Who's at risk
Organizations running Johnson Controls Kantech EntraPass access control systems should be concerned, particularly those managing building security, physical access to critical infrastructure, or facilities with sensitive areas. This affects all three product editions (Corporate, Global, Special) up to version 8.22.
How it could be exploited
An attacker with local interactive access to an EntraPass workstation running version 8.22 or earlier, with at least standard user credentials, could exploit improper privilege restrictions to escalate their access level to application administrator. From this elevated state, they could modify access control policies, disable security features, or manipulate door lock states.
Prerequisites
- Local interactive access to an EntraPass workstation
- Standard user account credentials (no administrator rights required)
- EntraPass version 8.22 or earlier running on the system
- Affected versions are not patched in place; the only fix is an upgrade to version 8.23 or later
- Local access required, but the barrier to privilege escalation is low (a standard user account suffices)
- Affects access control systems, so the impact extends to physical security
- Low EPSS score but high CVSS: exploitation is unlikely to be widespread, but the impact when it happens is severe
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
3 with fix

Product              Affected Versions   Fix Status
Corporate Edition    All ≤ v8.22         8.23
Global Edition       All ≤ v8.22         8.23
Special Edition      All ≤ v8.22         8.23
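Version triage is where fleet checks against this advisory usually go wrong: a plain string comparison ranks "8.3" above "8.22", so an affected workstation reads as fixed. The script below is an added example, not code from the advisory or from Johnson Controls. It parses version strings numerically and sorts a workstation inventory into affected (below 8.23), fixed, and unparseable. The inventory lines, hostnames, and the "v" prefix handling are constructed for illustration; only the three edition names and the 8.22 / 8.23 boundary come from the advisory.

```python
"""Triage an EntraPass workstation inventory against ICSA-20-147-02.

Added example, not part of the advisory or the vendor's tooling. The
inventory below is constructed; the edition names and the fixed version
(8.23) are taken from the advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per the advisory; anything strictly below is affected.
FIXED_VERSION: Tuple[int, ...] = (8, 23)

# Constructed sample inventory: hostname,edition,installed version string.
# Mixed formats are deliberate (bare, "v" prefix, three-part, unknown).
SAMPLE_INVENTORY = """\
lobby-ws01,Corporate Edition,8.22
guard-ws02,Global Edition,v8.3
server-01,Special Edition,8.23.0
guard-ws03,Corporate Edition,8.22.1
kiosk-04,Corporate Edition,unknown
"""

# Accept an optional leading "v" and dot-separated numeric components only.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '8.22', 'v8.3' or '8.23.0' into an int tuple; None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below 8.23 (i.e. 8.22 or earlier), False if fixed.

    Returns None when the string cannot be parsed, so the caller can flag the
    host for manual inspection instead of silently treating it as fixed.
    Tuple comparison is per-component numeric: (8, 3) < (8, 23) and
    (8, 22, 1) < (8, 23), while (8, 23, 0) > (8, 23) because the longer
    tuple wins once the shared prefix is equal.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def triage(inventory: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Bucket each inventory line into affected / fixed / unknown."""
    buckets: Dict[str, List[Tuple[str, str, str]]] = {
        "affected": [], "fixed": [], "unknown": []
    }
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, edition, version = (f.strip() for f in line.split(",", 2))
        state = is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "fixed")
        buckets[key].append((host, edition, version))
    return buckets


def report(inventory: str) -> str:
    """Human-readable summary; also useful as a ticket attachment."""
    buckets = triage(inventory)
    lines = []
    for key in ("affected", "fixed", "unknown"):
        lines.append(f"{key} ({len(buckets[key])}):")
        for host, edition, version in buckets[key]:
            lines.append(f"  {host:<12} {edition:<18} {version}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

Hosts in the "unknown" bucket should be treated as affected until the installed version is confirmed; the script keeps them separate only so the gap is visible rather than hidden inside the fixed count.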
Remediation & Mitigation
Do now
HARDENING: Enforce least privilege access controls; restrict user account permissions to only the minimum necessary for job functions
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption
HOTFIX: Upgrade EntraPass Corporate Edition to version 8.23 or later
HOTFIX: Upgrade EntraPass Global Edition to version 8.23 or later
HOTFIX: Upgrade EntraPass Special Edition to version 8.23 or later
CVEs (1)