OTPulse

Johnson Controls Sensormatic Electronics VideoEdge

Priority: Act Now
CVSS: 7.8
Source: ICS-CERT ICSA-21-147-02
Published: May 27, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A privilege escalation vulnerability in Johnson Controls Sensormatic Electronics VideoEdge allows a local authenticated user to gain administrative access under specific circumstances. The vulnerability is present in VideoEdge versions earlier than 5.7.0. VideoEdge 5.4.1 and older versions cannot be patched and must be upgraded. For VideoEdge 5.4.2 and 5.6.0, American Dynamics has released a sudo patch available from their support website.

What this means
What could happen
An authenticated local user could exploit a privilege escalation flaw to gain administrative access to the VideoEdge recorder, potentially allowing them to modify video recordings, alter configurations, or disable security monitoring.
Who's at risk
Security operations and surveillance personnel at water authorities, electric utilities, and critical infrastructure facilities rely on VideoEdge video recording and monitoring systems. An authenticated insider with terminal access could escalate privileges, potentially compromising the integrity of security recordings or disabling surveillance during critical events.
How it could be exploited
An attacker with local access to a VideoEdge system and valid (non-administrative) user credentials could exploit the flaw to escalate from a standard user to administrator. This requires physical or terminal access to the device.
Prerequisites
  • Local access to the VideoEdge system (physical terminal or console)
  • Valid user account credentials (not administrative)
  • Unpatched VideoEdge version earlier than 5.7.0
Tags: actively exploited (KEV) · high CVSS (7.8) · very high EPSS (92.5%) · affects security systems · local authentication required
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product     Affected Versions   Fix Status
VideoEdge   < 5.7.0             5.7.0
Remediation & Mitigation
Do now
[HOTFIX] Upgrade VideoEdge to version 5.7.0 or later
[HOTFIX] Apply the sudo patch available from the American Dynamics website for VideoEdge 5.4.2 and 5.6.0 (contact technical support)
[HOTFIX] Upgrade VideoEdge 5.4.1 and older systems to version 5.7.0
[HARDENING] Restrict physical access to VideoEdge recording devices and control room terminals
[HARDENING] Enforce strong password policies and limit local user accounts to necessary personnel only
Long-term hardening
[HARDENING] Isolate VideoEdge systems from the business network; restrict remote access to VPN only when required
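The advisory splits the installed base three ways (5.4.1 and older: upgrade only; 5.4.2 and 5.6.0: sudo patch or upgrade; 5.7.0 and later: fixed). The helper below, an added example that is not OTPulse's or Johnson Controls' code, applies that split to an inventory of recorder versions; the hostnames and version strings are constructed for the demonstration, and the version-string format it accepts is an assumption.

```python
"""Triage helper for the VideoEdge advisory (added example, not vendor/OTPulse code)."""
import re
from typing import Dict, Iterable, Tuple

FIXED = (5, 7, 0)                       # first fixed release per the advisory
SUDO_PATCHABLE = {(5, 4, 2), (5, 6, 0)}  # releases with a vendor sudo patch
# Every other release below 5.7.0 (5.4.1 and older included) must be upgraded.


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse strings like '5.6', '5.6.0' or 'v5.7.0-build12' into a numeric tuple.

    Numeric tuples compare correctly; plain string comparison would rank
    '5.10.0' below '5.7.0'. Missing minor/patch fields are padded with zeros.
    The accepted format is an assumption, not a documented VideoEdge format.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised VideoEdge version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]  # type: ignore[return-value]


def triage(version_text: str) -> str:
    """Return the remediation the advisory prescribes for one installed version."""
    v = parse_version(version_text)
    if v >= FIXED:
        return "not affected"
    if v in SUDO_PATCHABLE:
        return "apply sudo patch or upgrade to 5.7.0"
    return "upgrade to 5.7.0 (no patch available)"


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map (hostname, version) pairs to the action each recorder needs."""
    return {host: triage(ver) for host, ver in inventory}


# Constructed sample inventory for the demonstration (not real hosts).
SAMPLE_INVENTORY = [
    ("nvr-plant-01", "5.4.1"),
    ("nvr-plant-02", "5.4.2"),
    ("nvr-control-room", "5.6.0"),
    ("nvr-lobby", "5.7.0"),
    ("nvr-annex", "v5.10.1-build7"),
    ("nvr-legacy", "5.2"),
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```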