OTPulse

Johnson Controls CKS CEVAS

Act Now | CVSS 10 | ICS-CERT ICSA-22-298-05 | Oct 25, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls CEVAS systems (versions before 1.01.46) contain an SQL injection vulnerability in the authentication mechanism (CWE-79). An attacker can craft malicious SQL queries to bypass authentication and retrieve sensitive data from the CEVAS database. The vulnerability affects all CEVAS installations that have not been upgraded to v1.01.46. Johnson Controls has released a patched version but users must contact CKS for assistance with the upgrade.

What this means
What could happen
An attacker could bypass authentication on CEVAS and execute SQL injection attacks to retrieve sensitive data, potentially exposing building system configurations and operational data critical to facility management.
Who's at risk
Building automation and energy management operators using Johnson Controls CEVAS systems for facility control, HVAC management, and security system integration. This affects CEVAS deployments in commercial buildings, hospitals, data centers, and municipal facilities.
How it could be exploited
An attacker with network access to CEVAS sends specially crafted SQL queries to the authentication mechanism. Because the application does not properly validate user input, the SQL injection bypasses authentication checks, allowing the attacker to extract data directly from the database without valid credentials.
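A generic illustration of the flaw class described above, added here as an example: it is not CEVAS code or Johnson Controls' fix, and the table, account and function names are constructed for the demo. It runs the same login check twice against an in-memory SQLite database, once with input concatenated into the SQL text and once with placeholders.

```python
import hashlib
import sqlite3

SALT = b"constructed-demo-salt"  # real systems store a random salt per user

def pw_hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed account (not the CEVAS schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("operator", pw_hash("s3cret-demo")))
    return db

def login_concatenated(db, name: str, password: str) -> bool:
    """Flawed pattern: user input is spliced into the SQL text, so quote
    characters in the input can change the structure of the WHERE clause."""
    query = ("SELECT 1 FROM users WHERE name = '" + name +
             "' AND pw_hash = '" + pw_hash(password) + "'")
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed input can also break the statement outright

def login_parameterized(db, name: str, password: str) -> bool:
    """Fixed pattern: placeholders keep input as data, never as SQL syntax."""
    row = db.execute("SELECT 1 FROM users WHERE name = ? AND pw_hash = ?",
                     (name, pw_hash(password))).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    hostile_name = "' OR 1=1 --"  # textbook tautology, constructed test input
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__,
              "| valid:", fn(db, "operator", "s3cret-demo"),
              "| wrong password:", fn(db, "operator", "nope"),
              "| hostile name:", fn(db, hostile_name, "nope"))
```

Only the concatenated version accepts the hostile name without a valid password; the parameterized version compares it literally against the `name` column and rejects it.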
Prerequisites
  • Network access to CEVAS port or web interface
  • No credentials required—authentication bypass is the vulnerability itself
remotely exploitable · no authentication required · low complexity · critical severity · high CVSS (10.0) · SQL injection enables data exfiltration · no patch available for older versions
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
CEVAS - All CEVAS | < 1.01.46 | 1.01.46
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to CEVAS from trusted engineering workstations and management systems only; block all external and unauthorized internal access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade CEVAS to version 1.01.46 or later by contacting Johnson Controls CKS for upgrade assistance
Long-term hardening
HARDENING: Place CEVAS behind a firewall and isolate from business network and Internet access
HARDENING: If remote access to CEVAS is required, implement a VPN with current security patches; restrict VPN access to authorized personnel only