Johnson Controls Sensormatic Electronics Illustra

Act NowCVSS 7.8ICS-CERT ICSA-21-245-01Sep 2, 2021

Johnson Controls

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A privilege escalation vulnerability in Johnson Controls Sensormatic Illustra IP cameras allows a local user with an existing account on the device to gain superuser (root) access to the underlying Linux operating system. This affects Pro Gen 3 (all versions before 2.8.0), Flex Gen 2 (all versions before 1.9.4), Insight (all versions before 1.4.0), and Pro 2 (all versions, end-of-life). The vulnerability is not remotely exploitable and requires local login capability. Johnson Controls has released fixed firmware versions 2.8.0 (Pro Gen 3), 1.9.4 (Flex Gen 2), and 1.4.0 (Insight). Pro 2 will not receive a patch.

What this means

What could happen

A local attacker with user-level access to a Sensormatic Illustra device could gain superuser (root) privileges on the underlying Linux operating system, allowing them to modify camera settings, recordings, or disable surveillance entirely.

Who's at risk

Facilities and security operations teams managing Johnson Controls Sensormatic Illustra IP camera systems used for building surveillance and access control. This affects Pro Gen 3, Flex Gen 2, Insight, and Pro 2 (end-of-life) models deployed in schools, office buildings, manufacturing plants, and utilities for CCTV monitoring.

How it could be exploited

An attacker with physical access or existing low-privilege user account on the device exploits a privilege escalation flaw to gain root access. This requires local login; the vulnerability is not remotely exploitable.

Prerequisites

Local user account on the Illustra device (physical access or existing user credentials)
Login capability to the device operating system

actively exploited (KEV)local exploit onlyprivilege escalationaffects all versions of multiple product linesPro 2 end-of-life with no patch availablehigh EPSS score (92.5%)

Exploitability

Actively exploited — confirmed by CISA KEV

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Insight: All< 1.4.02.8.0

Pro 2: All versionsAll versions2.8.0

Flex Gen 2: All< 1.9.42.8.0

Pro Gen 3: All< 2.8.02.8.0

Remediation & Mitigation

0/6

Do now

0/4

HOTFIXUpgrade Pro Gen 3 devices to firmware version 2.8.0 or later

HOTFIXUpgrade Flex Gen 2 devices to firmware version 1.9.4 or later

HOTFIXUpgrade Insight devices to firmware version 1.4.0 or later

HARDENINGRestrict physical access to Sensormatic Illustra devices to authorized personnel only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGConfigure devices to use strong authentication and enforce least-privilege principles for user accounts

Long-term hardening

0/1

HARDENINGPlan decommissioning of Pro 2 systems, which are end-of-life and will not receive security updates

CVEs (1)

CVE-2021-3156

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5822adf8-dc0c-443d-98dd-6d4ceecd8417

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.