PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-32862 Johnson Controls Inc. CVE debrief

CVE-2024-32862 is a medium-severity vulnerability in Johnson Controls exacqVision Web Service version 22.12.1.0, published by CISA on August 1, 2024. The vulnerability stems from insufficient protection against untrusted domains under certain circumstances, which could allow cross-origin or cross-domain attacks against the web service. The CVSS 3.1 score of 6.8 reflects a network attack vector, high attack complexity, no privileges required, and user interaction required, with high impact to confidentiality and integrity and no availability impact. Johnson Controls has released version 24.06 as a vendor fix and published detailed mitigation guidance in Product Security Advisory JCI-PSA-2024-15.

Vendor: Johnson Controls Inc.
Product: exacqVision Web Service
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-01
Original CVE updated: 2024-08-01
Advisory published: 2024-08-01
Advisory updated: 2024-08-01

Who should care

Organizations operating Johnson Controls exacqVision video management systems, particularly security operations centers and physical security teams managing IP camera deployments. Critical infrastructure operators in sectors using exacqVision for surveillance and access control should prioritize patching due to potential integrity and confidentiality impacts on security footage and system configuration.

Technical summary

The exacqVision Web Service 22.12.1.0 fails to adequately restrict or validate interactions from untrusted domains, creating conditions for cross-origin attacks. The attack requires network access and user interaction, with high complexity reducing but not eliminating exploitation risk. Successful exploitation could compromise confidentiality and integrity of the web service. The fix in version 24.06 addresses the insufficient domain protection.

Defensive priority

medium

Recommended defensive actions

  • Update exacqVision Web Service to version 24.06 or later per vendor guidance
  • Review Johnson Controls Product Security Advisory JCI-PSA-2024-15 for detailed mitigation instructions
  • Implement network segmentation to limit exposure of exacqVision Web Service to untrusted domains
  • Apply CISA ICS recommended practices for defense-in-depth security controls
  • Monitor for anomalous cross-origin requests to exacqVision Web Service endpoints
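The two themes above, strict handling of untrusted domains and monitoring for cross-origin requests, are illustrated below in a worked example added to this debrief. It is not exacqVision code and does not describe the actual defect in 22.12.1.0; it contrasts a generic weak Origin check (substring match on the trusted hostname) with an exact canonical-origin allowlist, then reuses the hardened check to sweep a constructed access log for requests arriving from origins outside the allowlist. The hostnames, paths, log format and log lines are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the origins from which the web
# service's own front end is served. Nothing here is an exacqVision value.
TRUSTED_ORIGINS = frozenset({
    "https://vms.example.internal",
    "https://vms.example.internal:8443",
})

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns None for anything that is not an http(s) origin, including the
    literal "null" that browsers send for opaque origins.
    """
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


_TRUSTED_NORMALIZED = frozenset(normalize_origin(o) for o in TRUSTED_ORIGINS)


def lenient_origin_allowed(origin):
    """The weak pattern: a substring match on the trusted hostname.

    Shown only to contrast with origin_allowed(); a lookalike domain that
    merely contains the trusted name passes this check.
    """
    return bool(origin) and "vms.example.internal" in origin


def origin_allowed(origin):
    """The hardened check: exact match on the canonical origin."""
    return normalize_origin(origin) in _TRUSTED_NORMALIZED


def scan_access_log(log_text):
    """Flag requests whose Origin header is present but not allowlisted.

    Expects constructed lines of the form:
        <timestamp> <method> <path> <origin-or-'-'> <status>
    A '-' means the browser sent no Origin header (typical for same-origin
    top-level navigation), so those lines are not flagged.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, method, path, origin, status = line.split()
        if origin == "-" or origin_allowed(origin):
            continue
        flagged.append({"time": ts, "method": method, "path": path,
                        "origin": origin, "status": status})
    return flagged


# Constructed sample log, not real exacqVision output.
SAMPLE_LOG = """\
2024-08-01T10:00:01Z GET /login - 200
2024-08-01T10:00:05Z POST /api/config https://vms.example.internal 200
2024-08-01T10:00:09Z POST /api/config https://vms.example.internal.lookalike.example 200
2024-08-01T10:00:12Z POST /api/users null 403
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['method']} {hit['path']} "
              f"from {hit['origin']} -> {hit['status']}")
```

The sweep deliberately ignores requests with no Origin header and flags everything else that fails the exact match, including the opaque `null` origin; in a real deployment the allowlist would come from configuration and the log fields from the web server's actual access-log format, both of which are assumptions here.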

Evidence notes

Vulnerability description and remediation details sourced from CISA CSAF advisory ICSA-24-214-02. Affected product version 22.12.1.0 confirmed through CSAF product tree. Vendor fix version 24.06 and mitigation reference JCI-PSA-2024-15 documented in CSAF remediations section. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N provided in source references.

Official resources

2024-08-01