Johnson Controls exacqVision Server

MonitorCVSS 6.4ICS-CERT ICSA-24-214-05Aug 1, 2024

Johnson Controls

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

Johnson Controls exacqVision Server versions 24.03 and earlier contain a TLS validation vulnerability (CWE-295) that allows an attacker on the same network segment to perform a man-in-the-middle attack and intercept communications between the Client and Server. This could allow interception of surveillance video streams and potential manipulation of control commands. The vulnerability requires the attacker to be on the same network segment and has high attack complexity, but no authentication is required. The advisory does not report active exploitation in the wild.

What this means

What could happen

An attacker could intercept and potentially modify communications between exacqVision Client and Server if they are on the same network segment, compromising the integrity of video surveillance data and control commands in security monitoring systems.

Who's at risk

Organizations operating video surveillance and physical security monitoring systems using Johnson Controls exacqVision Server should prioritize this fix. This affects security monitoring stations, command centers, and any facility relying on exacqVision for centralized video surveillance and event management.

How it could be exploited

An attacker positioned on the same network segment (AV:A) as the exacqVision Client and Server could perform a man-in-the-middle attack to intercept unencrypted or inadequately validated TLS communications. The attack requires user interaction (e.g., clicking a malicious link) and has high complexity, but if successful allows interception of surveillance data and potential command injection.

Prerequisites

Network access to the same network segment (AV:A) as exacqVision Client and Server
User interaction required (UI:R) - likely a user action to trigger the vulnerable code path
No authentication required (PR:N)
High attack complexity - specific conditions must be met for exploitation

Man-in-the-middle attack vectoraffects security/surveillance systemsrequires network adjacency (reduces risk but still exploitable in shared network environments)user interaction requiredhigh attack complexity

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

exacqVision Server: <=24.03≤ 24.0324.06

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to exacqVision devices to authorized surveillance workstations and monitoring stations only

WORKAROUNDIf remote access is required, use a VPN to encrypt communications between remote clients and the exacqVision Server

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate exacqVision Client to version 24.06 or later

HOTFIXUpdate exacqVision Server to version 24.06 or later

Long-term hardening

0/1

HARDENINGIsolate exacqVision Server and Client devices from business networks using firewalls and network segmentation

CVEs (1)

CVE-2024-32865

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f3eedd0b-2c50-42da-8a6d-51a3c4f96fd9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.