PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-32758 Johnson Controls Inc. CVE debrief

A cryptographic weakness in Johnson Controls exacqVision client and server software results in insufficient key length and key exchange under certain conditions, enabling potential man-in-the-middle attacks against video management system communications.

Vendor: Johnson Controls Inc.
Product: exacqVision client
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-01
Original CVE updated: 2024-08-01
Advisory published: 2024-08-01
Advisory updated: 2024-08-01

Who should care

Organizations operating Johnson Controls exacqVision video surveillance and physical security systems, particularly in critical infrastructure, commercial facilities, and government installations where video integrity and confidentiality are essential.

Technical summary

The exacqVision video management platform fails to enforce adequate cryptographic key length and key exchange mechanisms in client-server communications under specific conditions. This weakness could allow network-positioned attackers to downgrade or intercept encrypted sessions. The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H reflects a network attack vector with high attack complexity, no privileges required and user interaction required, yielding complete confidentiality, integrity, and availability impact with a changed scope.

Defensive priority

HIGH

Recommended defensive actions

  • Update exacqVision Client and exacqVision Server to version 24.06 or later per vendor guidance.
  • Apply password hardening measures per the exacqVision Hardening Guide Password Strengthening section.
  • Review Johnson Controls Product Security Advisory JCI-PSA-2024-14 for detailed mitigation instructions.
  • Implement network segmentation for building automation systems per CISA ICS recommended practices.
  • Monitor for anomalous network traffic between exacqVision client and server endpoints.

Evidence notes

CISA ICS advisory ICSA-24-214-01 documents that communications between exacqVision Server and exacqVision Client use insufficient key length and exchange under certain circumstances. The advisory was published 2024-08-01 with CVSS 3.1 score 8.3 (HIGH).

Official resources

2024-08-01