OTPulse

Johnson Controls exacqVision Server web service

Monitor · CVSS 6.8 · ICS-CERT ICSA-24-214-02 · Aug 1, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A cross-domain request vulnerability in exacqVision Web Service allows an attacker to send unauthorized requests to or access data from an untrusted domain. Successful exploitation could allow unauthorized data access or system manipulation. The vulnerability requires user interaction and high attack complexity. No public exploitation has been reported.

What this means
What could happen
An attacker could send unauthorized requests to or access data from an untrusted domain on the exacqVision Web Service, potentially exposing video surveillance data or allowing manipulation of system settings without proper authentication.
Who's at risk
Video surveillance system operators and building automation managers using Johnson Controls exacqVision Web Service should prioritize this vulnerability. The risk is highest for systems that are internet-accessible or exposed to untrusted networks.
How it could be exploited
An attacker would need to trick a user into clicking a malicious link or visiting a crafted webpage that triggers a cross-domain request to the exacqVision Web Service. The vulnerable service would honor the request from an untrusted domain, allowing data theft or modification of configurations.
Prerequisites
  • User interaction required - attacker must trick a user into visiting a malicious webpage
  • Network access to the exacqVision Web Service from the attacker's domain
  • exacqVision Web Service accessible from a web browser (not isolated to internal network only)
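The mechanism described above is a service honoring a browser request that originated on a domain it should not trust. The following is an added illustration, not exacqVision code and not derived from the vendor's implementation: it contrasts a response policy that reflects any Origin (the weak pattern) with one that validates the Origin against an allow-list, and adds a server-side Origin check for state-changing requests. The handler names, the allow-list and the origins used are constructed for this example; how exacqVision actually validates origins is not stated on the page.

```python
"""Added illustration of cross-domain request handling (not exacqVision code).

Constructed example: a permissive CORS policy beside a hardened one, plus an
Origin check for state-changing requests. All names and origins are assumptions.
"""
from urllib.parse import urlparse

# Constructed allow-list: the only browser origins the operator's consoles use.
TRUSTED_ORIGINS = {"https://nvr-console.corp.example"}


def permissive_cors_headers(request_headers: dict) -> dict:
    """Weak pattern: reflect whatever Origin the browser sent and allow
    credentials, so a page on any domain can read authenticated responses."""
    origin = request_headers.get("Origin", "*")
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def strict_cors_headers(request_headers: dict) -> dict:
    """Hardened pattern: emit CORS headers only for an exact-match, HTTPS,
    allow-listed origin. An empty dict means the browser blocks the read."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser client: no CORS headers needed
    parsed = urlparse(origin)
    if parsed.scheme != "https" or origin not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }


def accept_state_change(request_headers: dict, method: str) -> bool:
    """Server-side Origin validation for state-changing methods (the
    'system manipulation' half of the advisory): reject unless Origin is trusted.
    Safe methods are left to the CORS response policy above."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = request_headers.get("Origin")
    return origin is not None and origin in TRUSTED_ORIGINS


def browser_would_expose_response(response_headers: dict, page_origin: str) -> bool:
    """Approximates the browser's check for a credentialed cross-origin fetch:
    the response body is readable only if ACAO equals the page origin exactly
    and credentials are explicitly allowed (a wildcard is rejected)."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == page_origin and creds


def check(policy, page_origin: str) -> bool:
    """Run one policy against a request from page_origin and report whether a
    script on that page could read the response."""
    headers = policy({"Origin": page_origin})
    return browser_would_expose_response(headers, page_origin)


if __name__ == "__main__":
    for origin in ("https://nvr-console.corp.example", "https://untrusted.example"):
        print(f"{origin}: permissive={check(permissive_cors_headers, origin)} "
              f"strict={check(strict_cors_headers, origin)}")
```

Running the block shows the difference the advisory is about: under the permissive policy a page on the untrusted origin can read the response, under the strict policy only the allow-listed console can. The exact-match and HTTPS-only checks matter because substring or prefix matching on the Origin header is a common way such an allow-list is defeated.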
remotely exploitable · user interaction required · high attack complexity · affects video surveillance and building automation systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
exacqVision Web Service | 22.12.1.0 | 24.06
Remediation & Mitigation
Do now
HARDENING: Restrict network access to exacqVision Web Service - do not expose it to the internet; isolate it behind a firewall and restrict access to authorized workstations only
HARDENING: If remote access is required, implement a VPN with authentication and keep the VPN software updated
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update exacqVision Web Service to version 24.06 or later