OTPulse

Johnson Controls exacq Enterprise Manager

Act Now
CVSS: 10
ICS-CERT: ICSA-21-357-02
Published: Dec 23, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls exacq Enterprise Manager (all versions up to 21.12) is vulnerable to improper input validation that could allow an attacker to execute arbitrary code remotely without authentication. The vulnerability has been actively exploited in the wild.

What this means
What could happen
An attacker could execute arbitrary code on the Enterprise Manager server with no authentication required, potentially compromising the entire video surveillance infrastructure and any integrated systems.
Who's at risk
Video surveillance system operators using Johnson Controls exacq Enterprise Manager, including municipalities, utilities, facilities management, and security operations centers that rely on the platform for recording, management, and archival of video feeds.
How it could be exploited
An attacker sends malicious input over the network to a vulnerable Enterprise Manager instance. The application fails to validate the input, allowing arbitrary code execution on the server. This could be exploited remotely without credentials.
Prerequisites
  • Network access to the Enterprise Manager web interface or API port
  • No valid credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Actively exploited (KEV)
  • CVSS 10.0 (critical)
  • EPSS 94.4% (very high exploit probability)
  • No patch currently available
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product                        Affected Versions   Fix Status
Exacq Enterprise Manager: All  ≤ 21.12             21.12.1
Remediation & Mitigation
Do now
  • HOTFIX: Upgrade exacq Enterprise Manager to version 21.12.1 or later
  • WORKAROUND: If upgrade is not immediately feasible, request and apply manual mitigation steps from Johnson Controls Product Security Advisory JCI-PSA-2021-24 v1
  • HARDENING: Isolate Enterprise Manager and exacqVision NVRs from public-facing networks and the internet
  • HARDENING: Place Enterprise Manager behind a firewall and isolate it from the business network
  • HARDENING: If remote access is required, restrict it to secure VPN connections with proper network segmentation
API: /api/v1/advisories/11c9eb28-17a7-4e35-8738-c6db01986681