Priva TopControl Suite

Plan PatchCVSS 7.5ICS-CERT ICSA-22-356-01Dec 22, 2022

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A credential exposure vulnerability in Priva TopControl Suite versions before 8.7.8.0 allows remote attackers to obtain login credentials without authentication. Affected components include Bacnet, Blue ID, Compass, Connect, and TPC modules. Successful exploitation could allow an attacker to access the system remotely and view or manipulate building automation configurations. The vendor recommends upgrading to TopControl Suite 8.7.8.0 or later. At the time of this advisory, the fix was available from Priva support.

What this means

What could happen

An attacker could obtain login credentials and gain unauthorized remote access to the TopControl Suite, potentially allowing them to view or manipulate HVAC, building management, or other automated system configurations controlled by the platform.

Who's at risk

Building automation and HVAC system operators who use Priva TopControl Suite (Bacnet, Blue ID, Compass, Connect, or TPC modules) should be concerned. This affects any facility with automated climate control, lighting, or building management systems powered by TopControl—primarily commercial buildings, data centers, and municipal facilities.

How it could be exploited

The vulnerability allows credential extraction from the TopControl Suite application. An attacker with network access to the application could retrieve stored or transmitted credentials without authentication, then use those credentials to log in remotely and access system controls.

Prerequisites

Network access to the TopControl Suite application port
The application must be reachable from the attacker's network location
No valid credentials required for the initial exploitation of the credential exposure

Remotely exploitableNo authentication required for credential extractionLow complexity attackNo patch available at time of advisoryAffects building automation and control systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

TopControl Suite: Bacnet: All< 8.7.8.08.7.8.0

TopControl Suite: Blue ID: All< 8.7.8.08.7.8.0

TopControl Suite: Compass: All< 8.7.8.08.7.8.0

TopControl Suite: Connect: All< 8.7.8.08.7.8.0

TopControl Suite: TPC: All< 8.7.8.08.7.8.0

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict network access to TopControl Suite to authorized users only; ensure the application is not accessible from the Internet or untrusted networks

HARDENINGPlace TopControl Suite behind a firewall and isolate the network segment from business networks

WORKAROUNDIf remote access to TopControl Suite is required, implement a VPN with current security updates and restrict access to specific authorized personnel

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade all TopControl Suite components (Bacnet, Blue ID, Compass, Connect, TPC) to version 8.7.8.0 or later

CVEs (1)

CVE-2022-3010

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/10930044-dbf2-488a-b94b-ecca7b93f31d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.