Johnson Controls exacqVision
Plan: Patch | Score: 7.5 | ICS-CERT ICSA-21-280-03 | Oct 7, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An integer overflow vulnerability in exacqVision Server 32-bit (version 21.06.11.0 and earlier) allows an unauthenticated remote user to send a specially crafted script that causes a denial-of-service condition. The vulnerability is triggered by improper handling of numeric values in the input processing logic.
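The advisory only names the weakness class (an integer overflow in numeric input handling, present in the 32-bit build and fixed by patching or moving to 64-bit). The following is an added, constructed illustration of that class, not exacqVision's code: a request header supplies a record count and a record size, the 32-bit product wraps, and the checked variant rejects the request instead. The header layout and the 16 MiB policy limit are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of an integer overflow (CWE-190) in a 32-bit
 * build. This is NOT exacqVision's code; the header fields and the
 * request limit below are assumptions made for the example. */

#define MAX_REQUEST_BYTES (16u * 1024u * 1024u)  /* assumed server limit */

/* Unchecked: count * rec_size is computed in 32-bit arithmetic, so a
 * large count wraps modulo 2^32 and yields a tiny buffer size. Any
 * subsequent copy sized by the real record count then runs past the
 * buffer, which is the denial-of-service crash the advisory describes. */
static uint32_t buffer_size_unchecked(uint32_t count, uint32_t rec_size) {
    return (uint32_t)(count * rec_size);
}

/* Checked: reject a request whose true size cannot be represented in
 * 32 bits or exceeds the policy limit. Returns the size, or 0 when the
 * request is rejected (0 is never a valid size here). */
static uint32_t buffer_size_checked(uint32_t count, uint32_t rec_size) {
    if (count == 0 || rec_size == 0) return 0;
    if (count > UINT32_MAX / rec_size) return 0;   /* product would wrap */
    uint32_t total = (uint32_t)(count * rec_size);
    if (total > MAX_REQUEST_BYTES) return 0;       /* over policy limit */
    return total;
}

int main(void) {
    /* Constructed header values: 16777217 records of 256 bytes. The true
     * size is 0x100000100, which does not fit in 32 bits. */
    uint32_t count = 0x01000001u, rec_size = 0x100u;
    printf("unchecked size: %u bytes\n", buffer_size_unchecked(count, rec_size));
    printf("checked size:   %u (0 = rejected)\n", buffer_size_checked(count, rec_size));
    printf("benign request: %u bytes\n", buffer_size_checked(1000u, 64u));
    return 0;
}
```

On a 64-bit build the same product would be computed in a wider type, which is why the advisory lists migration to the 64-bit server as an alternative to the 32-bit patch.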
What this means
What could happen
An attacker could send a specially crafted script to an unpatched exacqVision Server and cause it to crash, disrupting video surveillance and access control monitoring across your facility.
Who's at risk
Organizations using Johnson Controls exacqVision Server 32-bit for video surveillance and access control management. This affects security operations centers and facility managers who rely on continuous video monitoring and visitor access tracking.
How it could be exploited
An attacker on the network (or the internet if the server is exposed) sends a malicious script to the exacqVision Server that triggers an integer overflow, crashing the service and causing a denial of service to video surveillance and access control operations.
Prerequisites
- Network access to exacqVision Server on its listening port
- No authentication required
- exacqVision Server 32-bit version 21.06.11.0 or earlier must be running
Tags: remotely exploitable; no authentication required; low complexity; affects surveillance/security systems; affects building automation
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
exacqVision Server 32-bit | ≤ 21.06.11.0 | 21.09
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the exacqVision Server port to authorized workstations and limit internet exposure using firewall rules
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Upgrade exacqVision Server 32-bit to version 21.09 or later
HOTFIX: Migrate to exacqVision Server 64-bit (alternative to patching the 32-bit version)
Long-term hardening
HARDENING: Implement network segmentation to isolate the exacqVision Server from untrusted networks
CVEs (1)