Automated Logic WebCTRL Premium Server

Action: Plan patch
CVSS: 10
Advisory: ICS-CERT ICSA-24-326-01
Published: Nov 21, 2024
Vendors: Johnson Controls, Carrier
Attack path
  • Attack vector: Network
  • Authentication required: None
  • Complexity: Low
  • User interaction: None needed
Summary

WebCTRL Server and related Automated Logic/Carrier products contain two vulnerabilities (CWE-434 unrestricted file upload, CWE-601 open redirect) that allow unauthenticated remote attackers to execute arbitrary commands on the server or redirect users to malicious sites. Affected versions: WebCTRL 7.0, Carrier i-Vu 7.0, SiteScan Web 7.0, and WebCTRL for OEMs 7.0. The vulnerabilities expose building automation systems to direct control compromise.

What this means
What could happen
An unauthenticated attacker could execute arbitrary commands on the WebCTRL server, potentially altering building automation controls, disabling climate or security systems, or redirecting facility operators to malicious sites. This affects every automated building system managed by the server.
Who's at risk
Building automation and facilities management teams running WebCTRL-based systems, including Carrier i-Vu and SiteScan Web deployments and the heating/cooling, lighting, and physical security systems integrated with them. Any organization still running version 7.0 of these products is at immediate risk: 7.0 is end-of-life and will not receive a fix, so the only remedy is the upgrade or the network restriction described below.
How it could be exploited
An attacker who can reach the WebCTRL server over the network (or from the internet, if the server is exposed) uploads a file of a dangerous type that the server accepts without validating its type or contents (CWE-434); once that file is on the server it can be used to run attacker-controlled code on the building management system. Separately, the open redirect (CWE-601) lets an attacker craft a link on the trusted WebCTRL site that forwards an operator who follows it to an attacker-controlled page, a standard setup for credential phishing. Neither weakness requires a valid login.
Prerequisites
  • Network reachability to the WebCTRL server (HTTP/HTTPS ports)
  • No authentication required—server accepts requests from unauthenticated sources
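The two weakness classes named above, shown as a vulnerable handler beside a hardened one. This is an added, generic example, not code from WebCTRL, Automated Logic, Carrier or the advisory; the file types, parameter names, upload directory and allowlisted host are assumptions chosen for the illustration, and nothing here reflects how the product itself handles uploads or redirects.

```python
"""Added example, not code from WebCTRL, Automated Logic or the advisory:
a generic 'vulnerable beside hardened' illustration of the two weakness
classes the advisory names, CWE-434 (unrestricted upload of a dangerous file
type) and CWE-601 (open redirect). Every name, parameter and path here is an
assumption chosen for the illustration."""
import os
import secrets
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumed quarantine directory for uploads: a fresh temp dir, deliberately NOT
# a directory the application server executes or serves content from.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="bms_uploads_"))

# Allowlist: extension -> magic bytes the content must start with (None = text type).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".csv": None,
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def vulnerable_save(filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """CWE-434 as it typically appears: the client-supplied name is trusted,
    so 'shell.jsp' (or '../webapps/ROOT/x.jsp') lands on disk as-is. If root
    is inside the served tree, the next request executes it."""
    dest = root / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def hardened_save(filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Allowlist the extension, check the content matches it, cap the size,
    discard the client's filename and store non-executable outside the web root."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload too large")
    ext = Path(filename).suffix.lower()          # last suffix only: 'x.png.jsp' -> '.jsp'
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"file type not allowed: {ext or '(none)'}")
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not data.startswith(magic):
        raise ValueError("content does not match declared type")
    if magic is None and b"\x00" in data:        # crude check: text types must be text
        raise ValueError("binary content in text upload")
    root.mkdir(parents=True, exist_ok=True)
    dest = root / (secrets.token_hex(16) + ext)  # server-chosen name: no traversal, no .jsp
    dest.write_bytes(data)
    os.chmod(dest, 0o640)                        # never executable
    return dest


def upload_rejected(filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> bool:
    """True if the hardened handler refuses this upload."""
    try:
        hardened_save(filename, data, root)
    except ValueError:
        return True
    return False


def vulnerable_redirect_target(next_param: str) -> str:
    """CWE-601 as it typically appears: ?next= goes straight into Location."""
    return next_param


def safe_redirect_target(next_param: str, allowed_hosts: set, default: str = "/") -> str:
    """Accept only a same-site path or an absolute http(s) URL whose host is
    allowlisted; anything else falls back to `default`. Rejects scheme-relative
    '//evil', backslashes, userinfo '@' tricks, header injection and non-http schemes."""
    cand = (next_param or "").strip()
    if not cand or any(c in cand for c in "\\@\r\n"):
        return default
    parts = urlsplit(cand)
    if not parts.scheme and not parts.netloc:
        return cand if cand.startswith("/") and not cand.startswith("//") else default
    if parts.scheme not in ("http", "https"):
        return default
    return cand if parts.hostname in allowed_hosts else default
```

The hardened upload path discards everything the client controls about where and under what name the file is stored, which is what turns "upload a file" from code execution into a harmless blob on disk; the redirect check treats the destination as data to be validated against an allowlist rather than as a URL to trust.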
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Critical severity (CVSS 10)
  • Affects building safety and operations
  • Version 7.0 no longer supported (end-of-life)
Exploitability
Some exploitation risk — EPSS score 1.7%
Affected products (4)
4 with fix
Product             Affected versions   Fix status
WebCTRL Server      7.0                 Upgrade to 8.0
Carrier i-Vu        7.0                 Upgrade to 8.0
SiteScan Web        7.0                 Upgrade to 8.0
WebCTRL for OEMs    7.0                 Upgrade to 8.0
Remediation & Mitigation
Do now
  • Workaround: Restrict network access to WebCTRL servers: do not expose HTTP/HTTPS ports to the internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • Hotfix: Update WebCTRL Server, Carrier i-Vu, SiteScan Web, and WebCTRL for OEMs to version 8.0 or later
Long-term hardening
  • Hardening: Place WebCTRL servers behind a firewall and isolate the building automation network from business networks
  • Hardening: If remote access is required, implement a VPN with current security updates; do not expose the server directly to the internet
  • Hardening: Review and implement Automated Logic Security Best Practices Checklists for Building Automation Systems
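A check that the workaround and the firewall isolation above are actually in effect, as an added example that is not from the advisory or from Automated Logic. Run it from the vantage point an attacker would have (the business LAN, a cloud host, the outside of the VPN concentrator) against your WebCTRL server addresses; any line marked EXPOSED means that network can still open a TCP connection to the server's web port, so the restriction is not in place. The host list is your input, and 80/443 are assumed defaults to adjust to your deployment.

```python
"""Added example, not from the advisory or Automated Logic: verify that the
WebCTRL HTTP/HTTPS ports are NOT reachable from an untrusted network. Hosts
are supplied on the command line; 80/443 are assumed defaults."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

WEBCTRL_PORTS = (80, 443)   # assumed: adjust to the listeners your deployment uses


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Full TCP connect, so a 'filtered' port (firewall drop) times out and
    reads as blocked, the same as a refused one."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(hosts, ports=WEBCTRL_PORTS, timeout: float = 2.0) -> dict:
    """{host: {port: reachable}} for every host/port pair, probed concurrently."""
    targets = [(h, p) for h in hosts for p in ports]
    if not targets:
        return {}
    with ThreadPoolExecutor(max_workers=min(32, len(targets))) as pool:
        results = list(pool.map(lambda t: port_reachable(t[0], t[1], timeout), targets))
    report: dict = {}
    for (h, p), reachable in zip(targets, results):
        report.setdefault(h, {})[p] = reachable
    return report


def exposed_hosts(report: dict) -> list:
    """Hosts with at least one reachable WebCTRL port from this vantage point."""
    return sorted(h for h, ports in report.items() if any(ports.values()))


def format_report(report: dict) -> str:
    lines = []
    for h in sorted(report):
        for p in sorted(report[h]):
            lines.append(f"{h}:{p} {'EXPOSED' if report[h][p] else 'blocked'}")
    return "\n".join(lines)


def demo():
    """Offline self-test on the loopback interface: a listening socket stands
    in for an exposed WebCTRL port, a port we know is closed for a filtered one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))        # grab a second free port, then release it
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        report = exposure_report(["127.0.0.1"], ports=(open_port, closed_port), timeout=1.0)
    finally:
        srv.close()
    return report, open_port, closed_port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rep = exposure_report(sys.argv[1:])
        print(format_report(rep))
        sys.exit(1 if exposed_hosts(rep) else 0)   # non-zero = isolation check failed
    rep, o, c = demo()
    print(format_report(rep))
```

Run with no arguments it exercises itself against the loopback interface; with host arguments it exits non-zero when any WebCTRL port is reachable, so it can sit in a scheduled job that alerts when a firewall change re-exposes the building automation network.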