PatchSiren cyber security CVE debrief
CVE-2024-32755 Johnson Controls, Inc. CVE debrief
A critical vulnerability in Johnson Controls Illustra Essentials Gen 4 cameras allows the web interface to accept unexpected characters under certain conditions, potentially enabling authentication bypass or command injection. The issue affects firmware versions up to and including Illustra.Ess4.01.02.10.5982. CISA published advisory ICSA-24-179-04 on June 27, 2024, with an update on July 2, 2024 revising the mitigation schedule. The CVSS 3.1 score of 9.1 reflects network attack vector, low complexity, high privileges required, no user interaction, changed scope, and high impacts to confidentiality, integrity, and availability. Johnson Controls has released firmware version Illustra.Ess4.01.02.13.6953 to address this vulnerability. Organizations should prioritize patching given the critical severity and network-accessible attack surface of these IP cameras commonly deployed in building automation and physical security environments.
- Vendor: Johnson Controls, Inc.
- Product: Illustra Essentials Gen 4
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-27
- Original CVE updated: 2024-07-02
- Advisory published: 2024-06-27
- Advisory updated: 2024-07-02
Who should care
Organizations using Johnson Controls Illustra Essentials Gen 4 cameras for physical security and building automation, particularly those with cameras accessible from management networks or with web interfaces exposed beyond strictly controlled segments.
Technical summary
The Illustra Essentials Gen 4 camera web interface fails to properly validate input characters under specific conditions, allowing submission of characters outside expected ranges. This input validation weakness (CWE-20) with possible injection implications affects firmware through Illustra.Ess4.01.02.10.5982. The attack requires network access and high privileges but can result in complete system compromise across scope boundaries. Fixed in Illustra.Ess4.01.02.13.6953.
Defensive priority
critical
Recommended defensive actions
- Upgrade affected Illustra Essentials Gen 4 cameras to firmware version Illustra.Ess4.01.02.13.6953 or later
- Review Johnson Controls Product Security Advisory JCI-PSA-2024-09 v1 for detailed mitigation instructions
- Apply network segmentation to isolate camera management interfaces from untrusted networks
- Monitor for unauthorized access attempts to camera web interfaces
- Implement defense-in-depth strategies per CISA ICS recommended practices for building automation systems
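The first recommended action is a version check across the fleet. The script below is an added example for this debrief, not code from PatchSiren, CISA or Johnson Controls: it parses firmware strings of the shape seen on this page (`Illustra.Ess4.<a>.<b>.<c>.<build>`), compares them numerically against the last affected build (`Illustra.Ess4.01.02.10.5982`) and the first fixed build (`Illustra.Ess4.01.02.13.6953`), and groups inventory hosts into a patch queue. The hostnames and the two intermediate firmware strings in the sample inventory are constructed; a string that does not parse is reported as unknown rather than assumed safe, and a version between the two bounds is flagged for review because the advisory does not state its status.

```python
"""Triage a camera inventory against the version bounds stated in ICSA-24-179-04.

Added example, not part of the PatchSiren debrief or any Johnson Controls tool.
Assumes firmware strings follow the "Illustra.Ess4.<a>.<b>.<c>.<build>" shape
seen on the page; the inventory records below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Version bounds exactly as stated in the advisory text on this page.
LAST_AFFECTED = "Illustra.Ess4.01.02.10.5982"   # affected up to and including this build
FIXED_VERSION = "Illustra.Ess4.01.02.13.6953"   # first fixed build

# Product prefix followed by dot-separated numeric components.
_VERSION_RE = re.compile(r"^Illustra\.Ess4\.((?:\d+\.)*\d+)$")


def parse_version(firmware: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of an Illustra Essentials Gen 4 version string,
    or None if the string is not in the expected shape (other product line, typo,
    missing data). Components compare as integers, so "01" and "1" are equal."""
    m = _VERSION_RE.match(firmware.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(firmware: str) -> str:
    """Classify one firmware string:
      'affected' -> at or below the last affected build
      'fixed'    -> at or above the first fixed build
      'review'   -> parses, but lies between the bounds (status not stated in the advisory)
      'unknown'  -> not an Illustra.Ess4 version string; never treated as safe
    """
    v = parse_version(firmware)
    if v is None:
        return "unknown"
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    return "review"


def triage_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status; the 'affected' list is the patch queue."""
    groups: Dict[str, List[str]] = {"affected": [], "fixed": [], "review": [], "unknown": []}
    for rec in inventory:
        groups[classify(rec["firmware"])].append(rec["host"])
    return groups


# Constructed sample inventory: hostnames and the two intermediate builds are invented.
SAMPLE_INVENTORY = [
    {"host": "cam-lobby-01", "firmware": "Illustra.Ess4.01.02.10.5982"},  # last affected build (from the page)
    {"host": "cam-lobby-02", "firmware": "Illustra.Ess4.01.01.09.4410"},  # older build, constructed
    {"host": "cam-dock-01",  "firmware": "Illustra.Ess4.01.02.13.6953"},  # fixed build (from the page)
    {"host": "cam-dock-02",  "firmware": "Illustra.Ess4.01.02.11.6100"},  # between the bounds, constructed
    {"host": "cam-roof-01",  "firmware": "unknown"},                        # no firmware recorded
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Feed `triage_inventory` the firmware column of your asset database and act on the `affected` list first; anything in `review` or `unknown` needs a manual check of the device's web interface or the vendor advisory JCI-PSA-2024-09 before it is treated as patched.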
Evidence notes
Vulnerability description and remediation guidance sourced from CISA CSAF advisory ICSA-24-179-04. Affected product version and fixed version confirmed through CSAF product tree and remediation sections. CVSS vector string provided in source references. Update A (July 2, 2024) modified mitigation schedule per revision history.
Official resources
- CVE-2024-32755 CVE record (CVE.org)
- CVE-2024-32755 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-06-27