PatchSiren cyber security CVE debrief
CVE-2024-32757 Johnson Controls, Inc. CVE debrief
A medium-severity information disclosure vulnerability in Johnson Controls Illustra Essential Gen 4 cameras allows unnecessary user details to be written to system logs under certain conditions. The issue was disclosed by CISA on June 27, 2024, with an advisory update on July 2, 2024, revising the mitigation schedule. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) indicates network attack vector, low complexity, high privileges required, no user interaction, changed scope, and high confidentiality impact—yielding a score of 6.8. Affected versions are Illustra Essential Gen 4 cameras running firmware version Illustra.Ess4.01.02.10.5982 and earlier. Johnson Controls has released firmware version Illustra.Ess4.01.02.13.6953 to address this issue. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no known ransomware campaign use has been reported.
- Vendor: Johnson Controls, Inc.
- Product: Illustra Essential Gen 4
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-27
- Original CVE updated: 2024-07-02
- Advisory published: 2024-06-27
- Advisory updated: 2024-07-02
Who should care
Organizations deploying Johnson Controls Illustra Essential Gen 4 cameras in physical security and building automation environments, particularly those subject to data protection requirements or with shared administrative access to camera systems.
Technical summary
The vulnerability exists in the logging functionality of Illustra Essential Gen 4 cameras, where user details that are not required for system operation may be recorded in system logs. This information disclosure could expose sensitive user data to administrators or attackers with access to log files. The issue requires high privileges to exploit (PR:H) but is remotely accessible (AV:N) with low attack complexity (AC:L). The changed scope (S:C) and high confidentiality impact (C:H) reflect potential exposure of sensitive information across security boundaries. The fix involves updating camera firmware to version Illustra.Ess4.01.02.13.6953, which eliminates unnecessary user detail logging.
Defensive priority
medium
Recommended defensive actions
- Upgrade affected Illustra Essential Gen 4 cameras to firmware version Illustra.Ess4.01.02.13.6953 or later per Johnson Controls Product Security Advisory JCI-PSA-2024-10 v1
- Review system logs for exposure of unnecessary user details and implement log access controls
- Apply network segmentation for building automation systems per CISA ICS recommended practices
- Monitor Johnson Controls product security advisories for additional security notices
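The two checks a defender actually performs after reading the summary above are (1) deciding whether a camera's reported firmware string falls at or below the last affected build and (2) reviewing camera logs for user details that should not be there. The following script is an added example written for this debrief; it is not code from PatchSiren, CISA or Johnson Controls. Only the two firmware version strings come from the page. The four-field numeric layout they share is treated as the version format, and the syslog-style sample lines, the field names such as `email=` and `fullname=`, and the `<redacted>` marker are constructed assumptions about what a camera log might contain.

```python
import re
from typing import List, Optional, Tuple

# Firmware versions quoted on this page (advisory ICSA-24-179-06 / JCI-PSA-2024-10).
LAST_AFFECTED = "Illustra.Ess4.01.02.10.5982"  # this build and earlier are affected
FIRST_FIXED = "Illustra.Ess4.01.02.13.6953"    # vendor fix

# Assumed version layout: "Illustra.Ess4." followed by four dot-separated numbers.
_VERSION_RE = re.compile(r"^Illustra\.Ess4\.(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_firmware(version: str) -> Optional[Tuple[int, ...]]:
    """Turn 'Illustra.Ess4.01.02.10.5982' into (1, 2, 10, 5982); None if unrecognised."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def firmware_status(version: str) -> str:
    """Classify a camera's firmware against the affected/fixed boundaries.

    'affected'  - at or below the last affected build named in the advisory
    'below_fix' - newer than that build but still older than the fix (not confirmed safe)
    'fixed'     - the fixed build or later
    'unknown'   - string does not match the expected layout
    """
    v = parse_firmware(version)
    if v is None:
        return "unknown"
    if v <= parse_firmware(LAST_AFFECTED):
        return "affected"
    if v < parse_firmware(FIRST_FIXED):
        return "below_fix"
    return "fixed"


# Log review: patterns for user details that operation of the camera does not need.
# Field names are assumptions; extend the alternation to match the logs you actually see.
_KV_RE = re.compile(r"\b(password|passwd|email|phone|fullname|full_name)=([^\s,;]+)", re.I)
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with user details replaced by <redacted>, plus the kinds found.

    Key=value fields are handled first so an email inside 'email=...' is counted once.
    """
    findings: List[str] = []

    def kv_sub(m: "re.Match[str]") -> str:
        findings.append(m.group(1).lower())
        return f"{m.group(1)}=<redacted>"

    def email_sub(m: "re.Match[str]") -> str:
        findings.append("email")
        return "<redacted>"

    out = _KV_RE.sub(kv_sub, line)
    out = _EMAIL_RE.sub(email_sub, out)
    return out, findings


def review_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """List (1-based line number, kinds of user detail) for every line that leaks something."""
    hits = []
    for n, line in enumerate(lines, start=1):
        _, kinds = scrub_line(line)
        if kinds:
            hits.append((n, kinds))
    return hits


# Constructed sample log, in a syslog-like shape; not real camera output.
SAMPLE_LOG = [
    "Jun 27 10:00:01 cam01 webd: login ok user=admin",
    "Jun 27 10:00:05 cam01 webd: profile update user=jdoe email=jane.doe@example.com fullname=Jane_Doe",
    "Jun 27 10:00:09 cam01 webd: session expired user=jdoe",
]

if __name__ == "__main__":
    for v in (LAST_AFFECTED, "Illustra.Ess4.01.02.12.0001", FIRST_FIXED):
        print(f"{v}: {firmware_status(v)}")
    for n, kinds in review_log(SAMPLE_LOG):
        print(f"line {n} exposes {', '.join(kinds)} -> {scrub_line(SAMPLE_LOG[n - 1])[0]}")
```

The `below_fix` bucket exists because the advisory names a last affected build and a fixed build but says nothing about builds in between; treating them as "not confirmed safe" rather than "fixed" is the conservative reading. `scrub_line` returns both the redacted text and the kinds found, so the same function can drive a triage report and a redaction pass over log exports before they are shared.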
Evidence notes
CISA ICS advisory ICSA-24-179-06 (initial publication 2024-06-27, Update A 2024-07-02) documents this vulnerability. Johnson Controls Product Security Advisory JCI-PSA-2024-10 v1 provides vendor mitigation guidance. CVSS vector and score confirmed via CISA CSAF source data.
Official resources
- CVE-2024-32757 CVE record (CVE.org)
- CVE-2024-32757 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-06-27