PatchSiren cyber security CVE debrief
CVE-2024-32863 Johnson Controls, Inc. CVE debrief
A cross-site request forgery (CSRF) vulnerability in Johnson Controls exacqVision Web Service versions 24.03 and prior allows remote attackers to perform state-changing operations with administrative privileges. The vulnerability requires user interaction and high attack complexity, with network access and no privileges required. The CVSS 3.1 vector indicates high impact to confidentiality and integrity, though availability is not affected. CISA published this advisory on August 1, 2024, as ICSA-24-214-03.
- Vendor: Johnson Controls, Inc.
- Product: exacqVision Web Service
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-08-01
- Original CVE updated: 2024-08-01
- Advisory published: 2024-08-01
- Advisory updated: 2024-08-01
Who should care
Organizations operating Johnson Controls exacqVision video management systems, particularly security operations centers, critical infrastructure facilities, and enterprises using exacqVision for physical security and surveillance. System administrators responsible for exacqVision Web Service deployments and security teams managing ICS/OT environments should prioritize assessment and patching.
Technical summary
The vulnerability exists in the web service component of Johnson Controls exacqVision video management system. Affected versions through 24.03 fail to properly validate or enforce anti-CSRF tokens on state-changing requests, allowing an attacker to craft malicious requests that execute with the privileges of an authenticated administrative session. Successful exploitation requires the attacker to induce an authenticated administrator to interact with malicious content (e.g., visit a crafted webpage or click a malicious link). The attack complexity is rated high due to required user interaction, but the impact includes high confidentiality and integrity compromise through administrative privilege abuse. No availability impact is associated with this vulnerability.
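To make the defect class concrete, here is an added illustration (not exacqVision code; the real request format and handler names are unknown and everything below is a constructed, hypothetical model): an admin-only state-changing handler that checks only the session cookie, beside a hardened version that requires a session-bound anti-CSRF token and a same-origin Origin/Referer header.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical model of a web-service request; not the exacqVision API.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random anti-CSRF token to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def vulnerable_authorize(method, headers, form, session):
    """The defect class described above: only the (automatically sent)
    session cookie is consulted, so a cross-origin request riding an
    authenticated admin session is accepted."""
    return session.get("role") == "admin"


def hardened_authorize(method, headers, form, session, allowed_origin):
    """Reject state-changing requests unless the token bound to this
    session is supplied and matches, and Origin (or Referer) is ours.
    Returns (allowed, reason) so a deployment can log the reason."""
    if session.get("role") != "admin":
        return False, "not-admin"
    if method not in STATE_CHANGING:
        return True, "safe-method"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing token never matches.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "csrf-token-mismatch"
    origin = headers.get("Origin") or headers.get("Referer", "")
    want = urlsplit(allowed_origin)
    got = urlsplit(origin)
    # Compare scheme and host exactly, not by prefix.
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False, "cross-origin"
    return True, "ok"
```

The "cross-origin" and "csrf-token-mismatch" reasons are exactly the events worth surfacing when monitoring for anomalous administrative activity.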
Defensive priority
medium
Recommended defensive actions
- Update exacqVision Web Service to version 24.06 or later per vendor guidance
- Review Johnson Controls Product Security Advisory JCI-PSA-2024-16 for detailed mitigation instructions
- Implement network segmentation to limit exposure of exacqVision Web Service interfaces
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Monitor for anomalous administrative activity in exacqVision Web Service logs
Evidence notes
CISA CSAF advisory ICSA-24-214-03 published 2024-08-01 identifies affected product as exacqVision Web Service versions 24.03 and prior. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N confirms network attack vector with high complexity and required user interaction. Vendor fix available in version 24.06 per remediation guidance.
Official resources
- CVE-2024-32863 CVE record (CVE.org)
- CVE-2024-32863 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-08-01