Johnson Controls exacqVision Web Service
Monitor · 6.4 · ICS-CERT ICSA-24-214-04 · Aug 1, 2024
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary
exacqVision Web Service versions 24.03 and earlier are vulnerable to man-in-the-middle attacks due to insufficient encryption of sensitive communications. An attacker on the same local network could intercept traffic to capture credentials, video access tokens, or other sensitive data transmitted between clients and the web service. The vulnerability affects the security camera and video management system, potentially allowing unauthorized access to recorded footage and live camera feeds.
What this means
What could happen
An attacker could intercept communications with the exacqVision Web Service to capture sensitive information such as credentials or recorded video access. This could lead to unauthorized access to security camera systems and video footage across your facility.
Who's at risk
This affects organizations using Johnson Controls exacqVision Web Service for surveillance and video management. It is critical to water utilities and electric utilities that rely on security camera systems for facility monitoring and incident response, as well as to any industrial facility using exacqVision for physical security.
How it could be exploited
An attacker must be on the same local network segment as the exacqVision Web Service and intercept unencrypted communications between clients and the service. They would need to perform a man-in-the-middle attack by positioning themselves on the network path to capture or modify data in transit.
Prerequisites
- Network access to the same local network segment as exacqVision Web Service
- Ability to intercept network traffic (e.g., ARP spoofing, compromised network switch port, or shared network segment)
- User interaction required (attacker must intercept an active client session)
- Affects security camera systems
- Man-in-the-middle attack possible on local network
- High attack complexity (requires specific network positioning)
- No patch currently available
- Sensitive information exposure (credentials, video footage)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: exacqVision Web Service
Affected Versions: ≤ 24.03
Fix Status: 24.06
Remediation & Mitigation
Do now
- HARDENING: Ensure exacqVision Web Service is not accessible from the internet
- WORKAROUND: If remote access is required, use a VPN to establish secure tunnels and keep VPN software updated
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update exacqVision Web Service to version 24.06 or later
Long-term hardening
- HARDENING: Isolate exacqVision Web Service on a separate network segment from business networks using firewalls and VLANs
CVEs (1)
API:
/api/v1/advisories/32cbeba4-419a-4948-961b-ca8eb7e4fd25