Johnson Controls exacqVision Server Bundle
Act Now · 9.8 · ICS-CERT ICSA-21-280-01 · Oct 7, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An unauthenticated remote user can access credentials stored in exacqVision Server. The vulnerability exists in exacqVision Web Service version 21.06.11.0 and earlier due to improper access controls (CWE-269). Successful exploitation exposes stored credentials that could be used to compromise building automation systems and surveillance infrastructure. Johnson Controls recommends upgrading to exacqVision Web Service Version 21.09.
What this means
What could happen
An attacker on the network can retrieve stored credentials from exacqVision Server without authenticating, gaining access to surveillance system credentials and potentially compromising the entire video surveillance infrastructure.
Who's at risk
Organizations using Johnson Controls exacqVision Server Bundle for video surveillance and building automation should prioritize this. The vulnerability affects surveillance system administrators and facility managers who rely on this platform for security monitoring across their operations.
How it could be exploited
An attacker with network access to the exacqVision Web Service sends unauthenticated requests to extract stored credentials from the service. These credentials can then be used to access other parts of the surveillance system or integrated building automation systems.
Prerequisites
- Network access to exacqVision Web Service (port typically 80/443)
- Affected version running (exacqVision Web Service 21.06.11.0 or earlier)
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · affects video surveillance infrastructure · credential exposure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
exacqVision Web Service | ≤ 21.06.11.0 | Version 21.09
Remediation & Mitigation
Do now
HARDENING: Restrict network access to exacqVision Web Service to authorized users only; place the service behind a firewall and do not expose it to the Internet.
WORKAROUND: Rotate all credentials stored in or accessible through exacqVision Server after patching.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HOTFIX: Upgrade exacqVision Web Service to Version 21.09 or later.
Long-term hardening
HARDENING: If remote access is required, implement a VPN with current patches and access controls.
CVEs (1)