OTPulse

Johnson Controls exacqVision Web Service

Category: Monitor · CVSS: 5.7 · Source: ICS-CERT ICSA-24-214-06 · Published: Aug 1, 2024
Attack Vector: Network
Auth Required: Low (privileges required: low)
Complexity: Low
User Interaction: Required
Summary

Johnson Controls exacqVision Web Service versions 24.03 and earlier contain an information disclosure vulnerability classified as CWE-598 (Use of GET Request Method With Sensitive Query Strings). An attacker with valid credentials who can reach the web interface could view sensitive information that should be restricted.

What this means
What could happen
An authenticated attacker could view sensitive information reachable through the exacqVision Web Service interface, such as system configuration, video feeds, or user data. Because the weakness is CWE-598, the sensitive values travel in the query string of GET requests, and URLs of that kind are routinely recorded in browser history, proxy and web-server logs, and Referer headers sent to other sites, so the data can persist well beyond the original request. This could enable reconnaissance for further attacks or expose private surveillance footage.
Who's at risk
Security operations centers and video surveillance system administrators using Johnson Controls exacqVision Web Service, particularly in utilities, municipalities, critical infrastructure facilities, and commercial security operations. Anyone managing networked video surveillance or event management systems running exacqVision.
How it could be exploited
An attacker with valid login credentials reaches the exacqVision Web Service web interface over the network and uses the CWE-598 weakness, in which sensitive data is carried in the query string of GET requests, to retrieve data that should be restricted. The CVSS vector marks user interaction as required, so a legitimate user may first have to open a link or page before the data is exposed.
Prerequisites
  • Valid login credentials for exacqVision Web Service
  • Network access to the exacqVision Web Service web interface (typically the HTTPS port)
  • User interaction may be required to trigger the information disclosure
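The practical consequence of CWE-598 is that the sensitive values end up in places outside the application, so a defender can check for the pattern in existing access logs. The following is an added example, not code from the OTPulse advisory or from Johnson Controls: it parses combined-format web-server or proxy log lines, flags GET requests whose query string carries credential-like parameters, flags Referer headers that carry such a URL onward, and produces a redacted copy of each offending URL for log retention. The request paths, parameter names and log lines are constructed for illustration; the advisory does not name the affected endpoints or parameters.

```python
"""Detect and redact the CWE-598 pattern (sensitive data in GET query strings)
in web access logs.  Added example, not part of the advisory or the product;
paths, parameter names and log lines below are assumptions."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed: parameter names that should never appear in a GET query string.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session",
                  "sessionid", "apikey", "key"}

# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def sensitive_params(url):
    """Return the sensitive parameter names present in url's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_KEYS})


def redact_target(url):
    """Replace the values of sensitive query parameters so the URL can be retained."""
    parts = urlsplit(url)
    params = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def scan_log(lines):
    """Return one finding per leak: the GET query string itself ("query"), or a
    Referer header that forwards such a URL to another page or site ("referer")."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        if m.group("method") == "GET":  # CWE-598 concerns GET query strings
            keys = sensitive_params(m.group("target"))
            if keys:
                findings.append({"line": n, "ip": m.group("ip"), "where": "query",
                                 "keys": keys,
                                 "redacted": redact_target(m.group("target"))})
        referer = m.group("referer")
        if referer and referer != "-":  # any method can leak via Referer
            keys = sensitive_params(referer)
            if keys:
                findings.append({"line": n, "ip": m.group("ip"), "where": "referer",
                                 "keys": keys, "redacted": redact_target(referer)})
    return findings


# Constructed sample log lines (not real traffic); endpoints are assumptions.
SAMPLE_LOG = [
    '10.0.5.21 - - [01/Aug/2024:09:14:02 +0000] "GET /login?user=operator&password=Summer2024! HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.5.21 - - [01/Aug/2024:09:14:03 +0000] "GET /cameras/list?sessionId=9f3c1b HTTP/1.1" 200 1843 "https://nvr.example.internal/login?user=operator&password=Summer2024!" "Mozilla/5.0"',
    '10.0.5.40 - - [01/Aug/2024:09:15:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.5.40 - - [01/Aug/2024:09:15:11 +0000] "GET /cameras/list?page=2 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {f['where']} leaks {f['keys']} -> {f['redacted']}")
```

The POST login on the third line is the shape the fix should take: credentials move out of the URL into the request body, where default logging and Referer propagation do not record them. Run the scanner over the logs of any proxy or load balancer in front of the web service as well as the service host itself, since each of them keeps its own copy of the URL.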
Tags
  • Requires valid authentication
  • User interaction required
  • Low CVSS score (5.7)
  • Not actively exploited
  • Affects security/monitoring systems
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
exacqVision Web Service | ≤ 24.03 | Fixed in 24.06
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to exacqVision Web Service to authorized users only; do not expose it to the internet
  • WORKAROUND: Implement firewall rules that limit access to the exacqVision Web Service to trusted IP addresses or VPN users only
Schedule (requires a maintenance window)

Patching may require a device reboot; plan for process interruption.

  • HOTFIX: Update exacqVision Web Service to version 24.06 or later
Long-term hardening
  • HARDENING: Enforce strong password policies and multi-factor authentication for exacqVision Web Service user accounts
API: /api/v1/advisories/682d110f-4e1e-4f8a-bcbf-7f891aed12d2