Priva TopControl Suite
Plan Patch7.5ICS-CERT ICSA-22-356-01Dec 22, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A credential exposure vulnerability in Priva TopControl Suite versions before 8.7.8.0 allows remote attackers to obtain login credentials without authentication. Affected components include Bacnet, Blue ID, Compass, Connect, and TPC modules. Successful exploitation could allow an attacker to access the system remotely and view or manipulate building automation configurations. The vendor recommends upgrading to TopControl Suite 8.7.8.0 or later. At the time of this advisory, the fix was available from Priva support.
What this means
What could happen
An attacker could obtain login credentials and gain unauthorized remote access to the TopControl Suite, potentially allowing them to view or manipulate HVAC, building management, or other automated system configurations controlled by the platform.
Who's at risk
Building automation and HVAC system operators who use Priva TopControl Suite (Bacnet, Blue ID, Compass, Connect, or TPC modules) should be concerned. This affects any facility with automated climate control, lighting, or building management systems powered by TopControl—primarily commercial buildings, data centers, and municipal facilities.
How it could be exploited
The vulnerability allows credential extraction from the TopControl Suite application. An attacker with network access to the application could retrieve stored or transmitted credentials without authentication, then use those credentials to log in remotely and access system controls.
Prerequisites
- Network access to the TopControl Suite application port
- The application must be reachable from the attacker's network location
- No valid credentials required for the initial exploitation of the credential exposure
Remotely exploitableNo authentication required for credential extractionLow complexity attackNo patch available at time of advisoryAffects building automation and control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
5 with fix
ProductAffected VersionsFix Status
TopControl Suite: Bacnet: All< 8.7.8.08.7.8.0
TopControl Suite: Blue ID: All< 8.7.8.08.7.8.0
TopControl Suite: Compass: All< 8.7.8.08.7.8.0
TopControl Suite: Connect: All< 8.7.8.08.7.8.0
TopControl Suite: TPC: All< 8.7.8.08.7.8.0
Remediation & Mitigation
0/4
Do now
0/3HARDENINGRestrict network access to TopControl Suite to authorized users only; ensure the application is not accessible from the Internet or untrusted networks
HARDENINGPlace TopControl Suite behind a firewall and isolate the network segment from business networks
WORKAROUNDIf remote access to TopControl Suite is required, implement a VPN with current security updates and restrict access to specific authorized personnel
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpgrade all TopControl Suite components (Bacnet, Blue ID, Compass, Connect, TPC) to version 8.7.8.0 or later
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/10930044-dbf2-488a-b94b-ecca7b93f31d