PatchSiren cyber security CVE debrief
CVE-2024-32759 Johnson Controls Inc. CVE debrief
Under certain circumstances, the Software House C●CURE 9000 installer utilizes weak credentials (the wording of the CVE record), creating a high-severity vulnerability in a physical access control system. Versions 2.80 and earlier are affected; the CVSS 3.1 base score is 8.8 (HIGH). Because the weakness sits in the installer component rather than in runtime operation, the exposure window is primarily initial deployment and reinstallation. Given that C●CURE 9000 servers are network-accessible and govern physical access to critical infrastructure, the risk is unauthorized access to badge databases, door controllers, and security event logs. The vector (AV:N/AC:L/PR:N/UI:R) means an attacker needs network reachability and one user interaction, but no prior privileges, so a remote attacker who can reach the system during an installation can exploit it. Confidentiality, integrity, and availability impacts are all rated HIGH, so full compromise of the C●CURE 9000 system is possible. Johnson Controls has released version 2.90 to address the issue. Organizations should prioritize patching, particularly for internet-exposed or broadly network-accessible installations.
- Vendor: Johnson Controls Inc.
- Product: Software House C●CURE 9000
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-09
- Original CVE updated: 2024-07-09
- Advisory published: 2024-07-09
- Advisory updated: 2024-07-09
Who should care
Organizations operating Johnson Controls Software House C●CURE 9000 physical access control systems, particularly security teams managing critical infrastructure, facilities with high-security requirements, and OT/ICS security practitioners responsible for building automation systems. System integrators and installers deploying C●CURE 9000 should also prioritize this patch to prevent introducing vulnerable configurations.
Technical summary
The Software House C●CURE 9000 installer component uses weak credentials under certain conditions during installation. The vulnerability (CVSS 3.1 base score 8.8) affects versions 2.80 and earlier and lets a network-based attacker compromise the confidentiality, integrity, and availability of the physical access control system. The attack requires no privileges but does require user interaction, which in practice means the window is the installation process itself. Successful exploitation grants administrative access to badge management, door control, and security monitoring functions. The vendor has released version 2.90 as the security fix.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Software House C●CURE 9000 to version 2.90 or later to eliminate the weak credential vulnerability in the installer
- Review all C●CURE 9000 deployments for versions 2.80 and earlier, prioritizing systems with network exposure
- Consult Johnson Controls Product Security Advisory JCI-PSA-2024-12 v1 for detailed mitigation guidance
- Implement network segmentation to limit installer exposure during deployment and maintenance windows
- Audit credential configurations on existing installations that were set up with a 2.80-or-earlier installer; upgrading the software does not by itself demonstrate that weak credentials created during an earlier installation have been replaced
- Apply CISA ICS recommended practices for building automation system security hardening
Evidence notes
CISA ICS Advisory ICSA-24-191-04 published 2024-07-09 identifies weak credential usage in the C●CURE 9000 installer. Affected versions confirmed as 2.80 and earlier. Vendor fix available in version 2.90. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H per source.
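Two of the checks above can be reproduced offline: the evidence notes quote the CVSS 3.1 vector, and the recommended actions ask for a review of deployments at 2.80 and earlier. The following script is an added example for this debrief, not code from Johnson Controls or CISA. It recomputes the base score from the quoted vector using the published CVSS 3.1 formulas (so a reader can confirm the 8.8 rather than take it on trust) and triages a constructed inventory against the affected range. The inventory rows, hostnames and the exposure labels are invented for illustration; the version parser assumes the two-digit minor form the advisory itself uses (2.80, 2.90) and sends anything else to manual review instead of guessing.

```python
"""Recompute the CVE-2024-32759 CVSS 3.1 base score and triage an inventory
against the affected range (C●CURE 9000 <= 2.80). Example code for the debrief,
not vendor tooling."""
import math
import re

# CVSS 3.1 base-metric weights (FIRST CVSS v3.1 specification, section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x: float) -> float:
    """CVSS 3.1 Roundup(): smallest one-decimal value >= x, done in integer
    arithmetic as the specification recommends to avoid float artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Accept 'CVSS:3.1/AV:N/...' or the bare 'AV:N/...' form and return the base score."""
    metrics = dict(part.split(":") for part in vector.split("/") if not part.startswith("CVSS"))
    changed = metrics["S"] == "C"
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[metrics["PR"]]
    iss = 1 - (1 - _CIA[metrics["C"]]) * (1 - _CIA[metrics["I"]]) * (1 - _CIA[metrics["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * _AV[metrics["AV"]] * _AC[metrics["AC"]] * pr * _UI[metrics["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


# Affected range and fix version as stated in the advisory.
AFFECTED_MAX = (2, 80)   # "2.80 and earlier"
FIXED_MIN = (2, 90)      # vendor fix


def parse_version(v: str) -> tuple:
    """'2.80' -> (2, 80). Assumption: major.minor with a two-digit minor, matching the
    advisory's notation. Other spellings raise so they are reviewed by hand; a naive
    split would turn '2.9' into (2, 9) and wrongly mark a fixed host as affected."""
    m = re.fullmatch(r"\s*(\d+)\.(\d{2})\s*", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return (int(m.group(1)), int(m.group(2)))


def is_affected(version: str) -> bool:
    """True when the reported version falls inside the affected range."""
    return parse_version(version) <= AFFECTED_MAX


# Constructed inventory for illustration: (hostname, reported version, exposure).
SAMPLE_INVENTORY = [
    ("ccure-hq-01", "2.80", "internet"),
    ("ccure-plant-02", "2.70", "internal"),
    ("ccure-dc-03", "2.90", "internal"),
    ("ccure-lab-04", "3.00", "internal"),
    ("ccure-old-05", "v2.8", "internal"),
]

# Lower rank = patch first (mirrors the advisory's "internet-exposed ... first").
EXPOSURE_RANK = {"internet": 0, "broad": 1, "internal": 2}


def triage(inventory):
    """Return (affected, needs_review); affected hosts are ordered most-exposed first."""
    affected, review = [], []
    for host, version, exposure in inventory:
        try:
            if is_affected(version):
                affected.append((host, version, exposure))
        except ValueError:
            review.append((host, version, exposure))
    affected.sort(key=lambda r: (EXPOSURE_RANK.get(r[2], 99), r[0]))
    return affected, review


if __name__ == "__main__":
    print("base score:", cvss31_base_score("AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"))
    hit, check = triage(SAMPLE_INVENTORY)
    print("affected (patch in this order):", hit)
    print("needs manual review:", check)
```

The strict version regex is deliberate: in a physical access control estate a host silently marked "fixed" because of a version-string quirk is worse than one that lands in the review bucket, so the parser refuses rather than guesses.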
Official resources
- CVE-2024-32759 CVE record (CVE.org)
- CVE-2024-32759 NVD detail (NVD)
- Source item URL: cisa_csaf (CISA ICS Advisory ICSA-24-191-04)
2024-07-09