PatchSiren cyber security CVE debrief

CVE-2024-32754 Johnson Controls, Inc. CVE debrief

Johnson Controls Kantech door controllers (KT1, KT2, and KT400 Rev01) broadcast sensitive device information when operating in factory reset mode awaiting initial configuration. Specifically, the controllers transmit their MAC address, serial number, and firmware version. This information exposure ceases once the device completes configuration. The vulnerability requires adjacent network access and high attack complexity, with no privileges or user interaction needed. The CVSS 3.1 score of 3.1 reflects limited confidentiality impact with no integrity or availability effects.

Vendor: Johnson Controls, Inc.
Product: Kantech KT1 Door Controller, Rev01
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-02
Original CVE updated: 2024-07-02
Advisory published: 2024-07-02
Advisory updated: 2024-07-02

Who should care

Organizations deploying Johnson Controls Kantech door controllers, particularly security teams managing physical access control infrastructure, facility managers responsible for building security systems, and OT/ICS security practitioners concerned with information exposure during device provisioning.

Technical summary

The vulnerability exists in the factory reset state of Kantech KT1, KT2, and KT400 door controllers. When awaiting initial setup, these devices broadcast identifying information including MAC address, serial number, and firmware version. This broadcast behavior terminates upon successful configuration. The attack vector is adjacent (AV:A) with high complexity (AC:H), requiring no privileges or user interaction. The confidentiality impact is low (C:L) with no integrity or availability impact. Affected versions are KT1/KT2 Rev01 firmware ≤2.09.01 and KT400 Rev01 firmware ≤3.01.16. Remediation requires firmware updates to specified minimum versions.

Defensive priority

low

Recommended defensive actions

  • Update Kantech KT1 and KT2 Door Controllers to firmware version 3.10.12 or later
  • Update Kantech KT400 Door Controller to firmware version 3.03 or later
  • Complete initial device configuration promptly to exit factory reset mode
  • Restrict physical and network access to devices during initial setup
  • Consult Johnson Controls Product Security Advisory JCI-PSA-2024-13 v1 for detailed mitigation instructions
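
To apply the version thresholds above to a fleet, the following added example (not code from Johnson Controls, CISA, or the original page) triages a controller inventory. The CSV layout, device names, status labels, and the OTHER-X model are assumptions made for illustration. Only the firmware thresholds come from this page.

```python
import csv
import io

# Per model: (highest affected firmware, minimum recommended firmware), both from this page.
THRESHOLDS = {
    "KT1": ("2.09.01", "3.10.12"),
    "KT2": ("2.09.01", "3.10.12"),
    "KT400": ("3.01.16", "3.03"),
}

# Constructed sample inventory; names and the OTHER-X model are hypothetical.
SAMPLE_INVENTORY = """name,model,rev,firmware,configured
lobby-east,KT1,Rev01,2.09.01,yes
dock-2,KT400,Rev01,3.01.10,no
server-room,KT400,Rev01,3.03,yes
annex,KT2,Rev01,3.02.00,yes
gate,OTHER-X,Rev01,1.0,yes
"""

def version_key(text, width=4):
    """Dotted firmware string -> fixed-width int tuple, so 3.03 == 3.03.0 and 2.09 < 2.10."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def classify(model, rev, firmware, configured):
    if model not in THRESHOLDS or rev != "Rev01":
        return "not-covered"
    affected_max, fixed_min = (version_key(v) for v in THRESHOLDS[model])
    current = version_key(firmware)
    if current <= affected_max:
        # The page says the broadcast happens only while awaiting initial configuration.
        return "affected-configured" if configured else "affected-unconfigured"
    if current < fixed_min:
        # Not listed as affected on the page, but below the recommended minimum.
        return "below-recommended"
    return "ok"

def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {
        r["name"]: classify(r["model"], r["rev"], r["firmware"], r["configured"].lower() == "yes")
        for r in rows
    }

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

Devices reported as affected-unconfigured are the ones to configure or isolate first, since they are the only ones in the state the advisory describes as broadcasting.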

Evidence notes

CISA published advisory ICSA-24-184-01 on 2024-07-02. The source CSAF document identifies three affected product variants with specific firmware version thresholds. Johnson Controls has issued Product Security Advisory JCI-PSA-2024-13 v1 with detailed remediation guidance.
