OTPulse

Sensormatic Electronics victor

Act NowCVSS 7.8ICS-CERT ICSA-21-301-01Oct 28, 2021
Johnson Controls
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityHigh
User InteractionNone needed
Summary

Johnson Controls Victor physical security system versions 5.7 and earlier contain a privilege escalation vulnerability (CWE-798, likely hardcoded credentials) that allows a local user with valid credentials to gain unauthorized elevated privileges. This affects door access control, badge reading systems, and alarm management functionality. The vulnerability is exploitable only with local or console access and requires valid user-level credentials but does not require high technical complexity to exploit.

What this means
What could happen
An attacker with local access and low-level user credentials could gain elevated system privileges on the Victor physical security system, potentially allowing them to modify access control settings, disable alarms, or alter audit logs.
Who's at risk
Organizations operating Johnson Controls Victor physical security and access control systems, particularly those using versions 5.7 and earlier. This affects facilities that depend on Victor for door access control, badge readers, and alarm management in buildings such as corporate offices, data centers, hospitals, and utility control facilities.
How it could be exploited
An attacker with valid user credentials and local physical or console access to a Victor system running version 5.7 or earlier can exploit a hardcoded credential or privilege escalation flaw (likely in the SIP feature) to gain administrative privileges without requiring elevated credentials initially.
Prerequisites
  • Valid user credentials for the Victor system
  • Local or console access to the device (not remotely exploitable)
  • Victor version 5.7 or earlier
  • SIP feature enabled (if applicable to the affected version)
Hardcoded or weak credentials (CWE-798)High EPSS score (78.2%)Privilege escalation impactAffects security-critical systems (access control)Local access required but low complexity
Exploitability
Likely to be exploited — EPSS score 78.2%
Metasploit module available — weaponized exploitView module ↗
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
ProductAffected VersionsFix Status
victor:≤ 5.75.7.1
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDDisable the SIP feature in Victor versions prior to 5.7.1
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Victor to version 5.7.1 or later
Long-term hardening
0/2
HARDENINGRestrict local and console access to Victor systems through physical security controls and network segmentation
HARDENINGImplement strong authentication controls and audit logging for administrative access
View full CISA ICS-CERT advisory
API: /api/v1/advisories/980fb0aa-09ec-4d68-a0e3-e355e3428e35

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Sensormatic Electronics victor | CVSS 7.8 - OTPulse