Johnson Controls exacqVision Web Service
Monitor · CVSS 6.8 · ICS-CERT ICSA-24-214-03 · Aug 1, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
Johnson Controls exacqVision Web Service versions 24.03 and earlier contain a cross-site request forgery (CSRF) vulnerability (CWE-352) that could allow an attacker to perform administrative state-changing operations with elevated privileges. The vulnerability requires network access to the web service, user interaction (victim must click a malicious link while logged in), and has high attack complexity. No public exploitation has been reported. Johnson Controls has released a fix in version 24.06.
What this means
What could happen
An attacker with network access to the web service could perform administrative actions like changing camera settings, deleting video, or altering system configuration without proper authorization. Since this is a video management system, an attacker could also blind security monitoring by disabling cameras or deleting recordings.
Who's at risk
Organizations operating Johnson Controls exacqVision Web Service for video surveillance and security monitoring, including municipal facilities, utilities, water treatment plants, and any industrial or commercial operation relying on video management systems.
How it could be exploited
An attacker sends a specially crafted request that bypasses CSRF (Cross-Site Request Forgery) protections to the exacqVision Web Service. If a user with administrative privileges is logged in and visits the attacker's malicious page or link, the attacker's request is executed with the admin's privileges. The attacker can then perform state-changing operations like disabling cameras, deleting video archives, or modifying system settings.
Prerequisites
- Network access to exacqVision Web Service web interface (port 80/443 typically)
- Admin user must be logged in to the service when the malicious request is sent
- User interaction required: victim must click a link or visit a web page controlled by the attacker
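The sequence above is the standard CSRF pattern: the browser attaches the victim's session cookie to a request the attacker composed, so the only thing that separates a forged request from a real one is evidence that the request came from the application's own pages. The example below is added here and is not exacqVision code; it models a generic server-side check that a state-changing request must carry a same-site Origin (or Referer) and a per-session anti-CSRF token, and shows a forged cross-site request failing that check. The endpoint path, header names, token format, host name `exacq.example` and the access-log layout are all constructed for illustration.

```python
"""Added example: server-side CSRF check for state-changing requests.
Not exacqVision code; paths, headers and hosts are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Methods that change state and therefore need CSRF evidence.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def issue_csrf_token():
    """Random per-session token; the server stores it and embeds it in its own forms.
    An attacker's page cannot read it, so a forged request cannot include it."""
    return secrets.token_urlsafe(32)


def request_origin(req):
    """Origin header if present, else scheme+host of the Referer, else None."""
    origin = req.header("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.header("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_state_change(req, session_csrf_token, allowed_origins):
    """Return (allowed, reason). Safe methods pass; state-changing ones must
    come from an allowed origin AND carry the session's CSRF token."""
    if req.method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"
    origin = request_origin(req)
    if origin is None:
        # Browsers send Origin on cross-site form posts; a bare request with
        # neither header gets no benefit of the doubt on a state change.
        return False, "no Origin/Referer on state-changing request"
    if origin not in allowed_origins:
        return False, f"cross-site origin {origin}"
    token = req.form.get("csrf_token") or req.header("X-CSRF-Token")
    if not token or not hmac.compare_digest(token, session_csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "origin and token verified"


def flag_cross_site_state_changes(log_lines, site_origin):
    """Detection over constructed access-log lines 'METHOD PATH STATUS ORIGIN':
    flag successful state changes whose Origin is another site."""
    flagged = []
    for line in log_lines:
        method, path, status, origin = line.split()
        if (method in STATE_CHANGING_METHODS and status.startswith("2")
                and origin != "-" and origin != site_origin):
            flagged.append((method, path, origin))
    return flagged


def demo():
    """Legitimate same-site request passes; forged cross-site request fails."""
    site = "https://exacq.example"          # constructed host name
    token = issue_csrf_token()
    legit = Request("POST", "/admin/cameras/disable",
                    {"Origin": site}, {"camera": "7", "csrf_token": token})
    forged = Request("POST", "/admin/cameras/disable",
                     {"Origin": "https://attacker.example"}, {"camera": "7"})
    return (check_state_change(legit, token, {site}),
            check_state_change(forged, token, {site}))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two checks are deliberately layered: the Origin/Referer comparison is cheap and catches the plain cross-site form post, but those headers can be absent under strict referrer policies, so the session-bound token is the control that actually decides. The log scan gives an operator a retrospective signal for the same condition on a service that lacks the check, which is the situation the fixed version 24.06 addresses.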
- Remotely exploitable
- High attack complexity (reduces exploitability)
- User interaction required (reduces exploitability)
- Affects security monitoring capability
- Can cause loss of video evidence
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
exacqVision Web Service | ≤ 24.03 | 24.06
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to exacqVision Web Service to authorized personnel only using firewall rules and access controls
- WORKAROUND: Train users not to click suspicious links in emails while logged into exacqVision, especially from external sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update exacqVision Web Service to version 24.06 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate the video management system from internet-facing networks and untrusted business network segments
- HARDENING: Deploy a VPN or secure remote access solution if remote administrative access to exacqVision is required
CVEs (1)
API:
/api/v1/advisories/5aece4d2-4f1b-44c0-86a5-a1e84f3dbb86