PatchSiren cyber security CVE debrief
CVE-2024-32861 Johnson Controls Inc. CVE debrief
A local privilege escalation vulnerability exists in Johnson Controls Inc. Software House C●CURE 9000 Site Server versions 2.80 and earlier. The Site Server provides insufficient protection of directories containing executables, specifically the C:CouchDBbin path, allowing non-administrator accounts with local access to potentially modify or replace executable files. This weakness enables authenticated local attackers to escalate privileges and achieve high-impact confidentiality, integrity, and availability compromises without user interaction. The vulnerability was initially disclosed on July 9, 2024, and subsequently updated in January 2025 (Update A) to revise affected products and mitigations, and again in July 2025 (Update B) to update affected product versions. CISA assigned this issue a CVSS 3.1 score of 7.8 (HIGH severity) based on local attack vector, low attack complexity, and low privileges required. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Johnson Controls Inc.
- Product
- Software House C●CURE 9000 Site Server
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-09
- Original CVE updated
- 2025-07-17
- Advisory published
- 2024-07-09
- Advisory updated
- 2025-07-17
Who should care
Organizations operating Johnson Controls C●CURE 9000 physical access control systems, particularly security operations centers, facility management teams, and critical infrastructure operators relying on Site Server deployments for building automation and access management.
Technical summary
The Software House C●CURE 9000 Site Server fails to adequately protect executable directories, specifically C:CouchDBbin, permitting authenticated local users with low privileges to modify or replace executables. This insufficient access control enables privilege escalation attacks with high impact across confidentiality, integrity, and availability dimensions. The attack requires local access and low complexity exploitation without user interaction.
Defensive priority
HIGH
Recommended defensive actions
- Restrict file system permissions on the C●CURE 9000 Site Server by removing Full Control and Write permissions from non-administrator accounts on the C:CouchDBbin directory
- Limit non-administrator account permissions to Read & Execute only on affected paths
- Apply vendor security updates as specified in Johnson Controls Product Security Advisory JCI-PSA-2024-11 v3
- Implement defense-in-depth strategies for building automation systems per CISA ICS recommended practices
- Monitor for unauthorized file modifications in executable directories on affected Site Server installations
Evidence notes
Vulnerability description and affected product versions derived from CISA CSAF advisory ICSA-24-191-05. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirmed by source. Remediation guidance specifies permission restrictions on C:CouchDBbin directory. Timeline reflects initial publication (2024-07-09), Update A (2025-01-16), and Update B (2025-07-17) per revision history.
Official resources
-
CVE-2024-32861 CVE record
CVE.org
-
CVE-2024-32861 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-07-09