Johnson Controls exacqVision (Update A)
Act Now | 6.8 | ICS-CERT ICSA-20-170-01 | Jun 18, 2020
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: Required
Summary
A vulnerability in Johnson Controls exacqVision Web Service (all versions through 20.06.3.0) and Enterprise Manager (all versions through 20.06.4.0) allows an attacker who already holds administrative privileges to upload and execute malicious code. Successful exploitation could let the attacker run arbitrary operating system commands on the affected system. The underlying weakness is improper verification of a certificate or cryptographic signature (CWE-347).
What this means
What could happen
An attacker with admin credentials could upload and execute a malicious program on the exacqVision system, potentially giving them command-line access to run arbitrary operating system commands on the server.
Who's at risk
Security and surveillance system operators and administrators at facilities using Johnson Controls exacqVision for video management and building automation. This includes water utilities, electric utilities, and other critical infrastructure using exacqVision for site security monitoring.
How it could be exploited
An attacker with valid administrative account credentials logs into the exacqVision Web Service or Enterprise Manager interface, uploads a malicious executable file, and triggers execution to gain OS-level command execution on the host system.
Prerequisites
- Valid administrative credentials for exacqVision Web Service or Enterprise Manager
- Network access to the exacqVision web interface (typically port 80/443)
- Ability to interact with the file upload/execution feature in the admin console
- admin credentials required
- high skill level needed to exploit
- high EPSS score (17.8%)
- no patch available for Web Service
- no patch available for Enterprise Manager
Exploitability
High exploit probability (EPSS 17.8%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
exacqVision Web Service | All versions ≤ 20.06.3.0 | v20.06.4 or higher
exacqVision Enterprise Manager | All versions ≤ 20.06.4.0 | v20.06.5 or higher
Remediation & Mitigation
Do now
- HARDENING: Apply the least-privilege principle to administrative account access; restrict admin credentials to authorized personnel only
- HARDENING: Implement network access controls to limit who can reach the exacqVision web interface (e.g., restrict access to engineering workstations on a specific subnet)
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- HOTFIX: Upgrade exacqVision Web Service to version 20.06.4 or higher
- HOTFIX: Upgrade exacqVision Enterprise Manager to version 20.06.5 or higher
Long-term hardening
- HARDENING: Implement multi-factor authentication for administrative accounts if the product supports it
CVEs (1)