OTPulse

Sensormatic Electronics C-CURE 9000 (Update A)

Plan Patch · 8.8 · ICS-CERT ICSA-21-182-02 · Jul 1, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

An input validation vulnerability in C-CURE 9000 (all versions before 2.80) allows a remote attacker with valid user credentials to execute arbitrary Windows programs on the C-CURE 9000 server or connected client machines (Monitoring Station, Administration Workstation). The Auto Update feature is a known attack vector for this issue.

What this means
What could happen
An attacker with valid credentials could execute arbitrary Windows programs on the C-CURE 9000 server or connected clients, potentially disrupting security monitoring and access control operations across your facility.
Who's at risk
Security and access control operators at water utilities, electric utilities, and other critical infrastructure facilities running C-CURE 9000 physical security management systems. This includes facilities monitoring/control room operators and security administrators managing badge readers, cameras, and door locks.
How it could be exploited
An attacker with valid C-CURE 9000 user credentials could leverage an input validation flaw to execute arbitrary Windows programs on the server or client machines. The attack does not require additional user interaction and runs with the privileges of the C-CURE 9000 application.
Prerequisites
  • Valid C-CURE 9000 user account credentials
  • Network access to the C-CURE 9000 application port
remotely exploitable · valid credentials required · affects security system operations · input validation flaw allows code execution
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (1)
Product | Affected Versions | Fix Status
C-CURE 9000: All | < 2.80 | 2.80
Remediation & Mitigation
Do now
WORKAROUND: Uninstall the C-CURE 9000 Auto Update feature (CCURE9000ClientAutoupdate) from all application servers and client machines (Monitoring Station, Administration Workstation)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade C-CURE 9000 to version 2.80 or later
Long-term hardening
HARDENING: Restrict network access to C-CURE 9000 ports to authorized administration workstations only
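
The workaround applies to every application server and client machine, so a per-host inventory helps confirm none was missed. The PowerShell script below is an added example, not part of the advisory or any vendor tooling; it assumes the Auto Update component registers under the standard Windows Uninstall registry keys with CCURE9000ClientAutoupdate in its display name, and the -ComputerName and -Pattern parameters are hypothetical names chosen for this example.

```powershell
# Added example: report which hosts still have the Auto Update component installed.
# Assumption: the component's DisplayName in the Uninstall keys contains the
# name given in the advisory; change -Pattern if it registers differently.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # servers and client machines to check
    [string]$Pattern = '*CCURE9000ClientAutoupdate*'
)

# Runs on each host: search the 64-bit and 32-bit (WOW6432Node) uninstall hives.
$scan = {
    param($Pattern)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object DisplayName, DisplayVersion
}

$results = foreach ($computer in $ComputerName) {
    try {
        if ($computer -eq $env:COMPUTERNAME) {
            $found = @(& $scan $Pattern)
        } else {
            $found = @(Invoke-Command -ComputerName $computer -ScriptBlock $scan `
                       -ArgumentList $Pattern -ErrorAction Stop)
        }
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Computer = $computer; Status = 'NotInstalled'
                               DisplayName = $null; DisplayVersion = $null }
        } else {
            foreach ($entry in $found) {
                [pscustomobject]@{ Computer = $computer; Status = 'AutoUpdatePresent'
                                   DisplayName = $entry.DisplayName
                                   DisplayVersion = $entry.DisplayVersion }
            }
        }
    } catch {
        # An unreachable host is not a clean host: record it for manual follow-up.
        [pscustomobject]@{ Computer = $computer; Status = 'Unreachable'
                           DisplayName = $null; DisplayVersion = $null }
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

Hosts reported as AutoUpdatePresent still need the workaround applied; hosts reported as Unreachable need a manual check before they are counted as remediated.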