OTPulse

Johnson Controls Exacq Technologies exacqVision

CVSS: 5.3
Source: ICS-CERT ICSA-21-077-01
Published: Mar 18, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An unauthenticated attacker can view system-level information about the exacqVision Web Service and operating system through a network-accessible vulnerability. This affects all exacqVision Web Service versions up to v20.12.02.0.

What this means
What could happen
An attacker could view system-level information about the exacqVision Web Service and the operating system, potentially exposing configuration details that could aid further attacks on your video management infrastructure.
Who's at risk
Video management system operators and security personnel managing Johnson Controls exacqVision deployments in utilities, municipalities, and critical infrastructure facilities need to address this information disclosure vulnerability affecting all versions up to v20.12.02.0.
How it could be exploited
An attacker on your network could send an unauthenticated request to the exacqVision Web Service to retrieve sensitive system information without any credentials or interaction from a user.
Prerequisites
  • Network access to the exacqVision Web Service port (typically HTTP/HTTPS)
  • No authentication required
  • Service must be reachable from the attacker's network location
Tags: remotely exploitable · no authentication required · low complexity · no patch available for older versions
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: exacqVision Web Service (All supported)
Affected Versions: ≤ v20.12.02.0
Fix Status: v21.03 or higher
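To check an asset inventory against the affected range above, here is an added Python example (not part of the OTPulse advisory or the vendor's tooling); the host names and version strings in it are constructed sample data, and versions above v20.12.02.0 but below v21.03 are reported separately because the advisory does not name them:

```python
"""Classify exacqVision Web Service versions against ICSA-21-077-01.

Added example, not part of the OTPulse advisory. The affected range
(<= v20.12.02.0) and fix version (v21.03 or higher) are the advisory's;
the inventory rows below are constructed sample data.
"""
import re

AFFECTED_MAX = "20.12.02.0"  # last affected version named by the advisory
FIXED_MIN = "21.03"          # first fixed version named by the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v20.12.02.0' or '21.03' into a comparable integer tuple.

    A leading 'v' is dropped, zero-padded components ('02') parse as
    integers, and short versions are padded so '21.03' == '21.03.0.0'.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'unlisted' (not named by the advisory)."""
    v = parse_version(version)
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(FIXED_MIN):
        return "fixed"
    return "unlisted"  # above v20.12.02.0 but below v21.03: confirm with the vendor


# Constructed sample inventory: (hostname, version string as reported)
SAMPLE_INVENTORY = [
    ("vms-01.example.internal", "v20.12.02.0"),
    ("vms-02.example.internal", "v19.09.04.0"),
    ("vms-03.example.internal", "v21.03.00.0"),
    ("vms-04.example.internal", "21.03"),
    ("vms-05.example.internal", "v21.01.00.0"),
]


def triage(inventory):
    """Map each host to its status so affected hosts can be scheduled for the hotfix."""
    return {host: classify(ver) for host, ver in inventory}
```

Hosts reported as "affected" are the ones to schedule for the v21.03 upgrade; "unlisted" hosts fall in a gap the advisory does not describe and should be confirmed separately.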
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the exacqVision Web Service to trusted networks only, using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade exacqVision Web Service to v21.03 or higher
Long-term hardening
HARDENING: Place the exacqVision Web Service on a separate network segment isolated from the Internet and the business network
HARDENING: If remote access to exacqVision is required, use a VPN with current security updates