Exacq Technologies exacqVision Web Service
Monitor · 5.3 · ICS-CERT ICSA-21-180-01 · Jun 29, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
exacqVision Web Service versions 21.03 and earlier contain a cross-site scripting (XSS) vulnerability that allows an attacker to send malicious requests on behalf of an authenticated user. Successful exploitation could allow unauthorized actions within the surveillance system.
What this means
What could happen
An attacker could exploit cross-site scripting (XSS) to send malicious requests on behalf of a victim user of exacqVision Web Service, potentially allowing the attacker to perform unauthorized actions like modifying surveillance camera settings, disabling recording, or accessing video feeds.
Who's at risk
Water authorities and municipal utilities using exacqVision Web Service for surveillance and security camera management should be concerned. This affects any organization using exacqVision versions 21.03 or earlier for monitoring critical infrastructure like water treatment plants, pump stations, electrical substations, or other operational facilities.
How it could be exploited
An attacker crafts a malicious URL or embeds JavaScript code in a page viewed by an exacqVision Web Service user. When the user visits the link or page while authenticated to the web service, the attacker's code runs in the user's browser session and submits requests to the exacqVision system on the victim's behalf.
Prerequisites
- User must be authenticated and actively logged into exacqVision Web Service
- User must click an attacker-supplied link or visit a compromised web page while authenticated
- Network access to exacqVision Web Service interface (typically web browser on internal network)
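The sequence described above (attacker-controlled input reflected into a page, executed in an authenticated user's browser) is the generic reflected-XSS pattern. The following is an added example, not exacqVision code and not the advisory's own material: a hypothetical search endpoint that echoes a query parameter unescaped beside its hardened form, plus a check that scans constructed web-server log lines for script-like query values, which is what an operator reviewing access logs for this class of issue would want to see.

```python
"""Added example: reflected-XSS sink vs. hardened handler, and a log-line check.
Everything here is hypothetical and constructed; it is not exacqVision code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# --- Hypothetical page that reflects a query parameter -----------------------

def render_vulnerable(query_string: str) -> str:
    """Interpolates user input straight into HTML: the classic XSS sink."""
    term = parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]
    return f"<h1>Results for {term}</h1>"


def render_hardened(query_string: str) -> str:
    """Same page with output encoding: <, >, &, quotes become entities,
    so the browser treats the input as text, not markup."""
    term = parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


# Response headers that limit what an injected script could do even if
# encoding is missed somewhere (defence in depth, not a substitute for it).
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}

# --- Detection over access logs ----------------------------------------------

# Markup/event-handler fragments that should never appear in a search term.
SUSPICIOUS = re.compile(
    r"(<\s*script|javascript:|\bon[a-z]+\s*=|<\s*iframe|<\s*svg|<\s*img\b)",
    re.IGNORECASE,
)
# Request line inside a combined-format log entry: "GET /path HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def is_suspicious_request(raw_path: str) -> bool:
    """True if any URL-decoded query value contains script-like content."""
    values = parse_qs(urlsplit(raw_path).query, keep_blank_values=True)
    return any(SUSPICIOUS.search(v) for vals in values.values() for v in vals)


def find_suspicious_requests(log_text: str) -> list:
    """Return (source_ip, path) for each log line whose query looks like XSS."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and is_suspicious_request(m.group("path")):
            hits.append((line.split(" ", 1)[0], m.group("path")))
    return hits


# Constructed sample log (combined format); the second line carries an
# URL-encoded <script> tag in the q parameter.
SAMPLE_LOG = """\
10.0.5.21 - - [29/Jun/2021:10:14:02 +0000] "GET /search?q=camera+3 HTTP/1.1" 200 512
10.0.5.77 - - [29/Jun/2021:10:15:40 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.5.21 - - [29/Jun/2021:10:16:01 +0000] "GET /login HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    print(render_vulnerable("q=<b>x</b>"))   # markup passes through
    print(render_hardened("q=<b>x</b>"))     # markup is neutralised
    for src, path in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious request from {src}: {path}")
```

The detector decodes each query value before matching, so percent-encoded payloads are not missed; it is a triage aid for log review, not a replacement for fixing the encoding bug, which is why the hardened renderer and the headers sit alongside it.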
Remotely exploitable · No authentication required from attacker perspective · Low attack complexity · Affects security and surveillance systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product                    Affected Versions    Fix Status
exacqVision Web Service    ≤ 21.03              21.06
Remediation & Mitigation
Do now
WORKAROUND: If immediate upgrade is not possible, restrict web access to exacqVision Web Service to authenticated internal users only and apply web application firewall rules to block suspicious requests
HARDENING: Place exacqVision Web Service behind a firewall and do not expose it to the Internet; restrict access to the internal network only
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Upgrade exacqVision Web Service to version 21.06 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the surveillance system network from the business network
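The "restrict access to internal users" and "do not expose to the Internet" items above are usually enforced at a reverse proxy in front of the web service while the upgrade is scheduled. The following is an added illustration, not vendor configuration and not part of the advisory: an nginx server block that allows only a constructed internal range, denies everything else, and adds response headers that reduce what a reflected script could do. The upstream address (127.0.0.1:8080), the internal range (10.0.0.0/8) and the hostname are assumptions to be replaced with the site's own values.

```nginx
# Added example: front exacqVision Web Service with an access-restricted proxy.
# All addresses and names below are placeholders, not the product's defaults.
server {
    listen 443 ssl;
    server_name surveillance.internal.example;   # placeholder hostname

    # Only the internal management network may reach the web service.
    allow 10.0.0.0/8;        # placeholder: site's internal range
    deny  all;

    # Defence-in-depth headers; they do not fix the XSS, they limit its reach.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;

    location / {
        proxy_pass http://127.0.0.1:8080;        # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The `allow`/`deny` pair implements the access restriction; the headers are the generic hardening a web front end can add regardless of the application behind it. A strict `script-src` may need adjusting if the application loads scripts from other origins, so it should be tested against the real interface before being enforced.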
CVEs (1)