PatchSiren cyber security CVE debrief

CVE-2024-32864 Johnson Controls, Inc. CVE debrief

Johnson Controls exacqVision Web Service versions 24.03 and prior fail to enforce HTTPS under certain conditions, allowing potential cleartext transmission of sensitive data. The vulnerability carries a CVSS 3.1 score of 6.4 (Medium) with an attack vector of adjacent network, high attack complexity, no privileges required, and user interaction required. Confidentiality and integrity impacts are rated high, with no availability impact. CISA published advisory ICSA-24-214-04 on August 1, 2024, coordinating disclosure. Johnson Controls has released version 24.06 as a vendor fix and published detailed mitigation guidance in Product Security Advisory JCI-PSA-2024-17. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Johnson Controls, Inc.
Product: exacqVision Web Service
CVSS: 6.4 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-01
Original CVE updated: 2024-08-01
Advisory published: 2024-08-01
Advisory updated: 2024-08-01

Who should care

Organizations operating Johnson Controls exacqVision video management systems, particularly security operations centers and physical security teams managing IP camera deployments. Critical infrastructure operators in sectors using exacqVision for surveillance and access control should prioritize patching.

Technical summary

The exacqVision Web Service fails to enforce TLS encryption for web communications under specific conditions, potentially exposing session data and credentials to network eavesdropping. The attack requires adjacent network access and user interaction, with high complexity reducing exploitation likelihood. No availability impact is associated with this vulnerability.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade exacqVision Web Service to version 24.06 or later per vendor guidance
  • Review Johnson Controls Product Security Advisory JCI-PSA-2024-17 for detailed mitigation instructions
  • Verify HTTPS enforcement is active in deployed configurations
  • Monitor network traffic for unexpected cleartext HTTP communications
  • Apply network segmentation controls to limit exposure of web service interfaces
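The two verification bullets above (confirm HTTPS enforcement, watch for cleartext HTTP) can be scripted. The following is an added example written for this debrief; it is not code from Johnson Controls or from the advisory. It assumes a hypothetical host name for the web service and a constructed tab-separated log format; it works on responses and log lines you have already captured from your own deployment, so it needs no network access.

```python
"""Defender-side checks for a web service that may serve plaintext HTTP.

1. https_enforced(): given the response your deployment returns to a plaintext
   http:// request, decide whether it refused or redirected to https (enforced)
   or served content in the clear (the failure mode described in the advisory).
2. cleartext_requests(): scan proxy/flow log lines for plaintext HTTP requests
   to the web service, noting which ones carried credentials or session cookies.

The host name and the log format below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

WEB_SERVICE_HOST = "exacq-web.example.internal"  # hypothetical host name


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str | None:
        """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def https_enforced(resp: HttpResponse, requested_url: str) -> tuple[bool, str]:
    """Return (enforced, reason) for the response to a plaintext http:// request."""
    req = urlparse(requested_url)
    if req.scheme != "http":
        raise ValueError("pass the response to a plaintext http:// request")
    if resp.status in (301, 302, 303, 307, 308):
        loc = urlparse(resp.header("Location") or "")
        # Enforcement means the redirect lands on https for the same host;
        # a redirect to another http:// URL keeps the session in cleartext.
        if loc.scheme == "https" and loc.hostname == req.hostname:
            return True, "plaintext request redirected to https on the same host"
        return False, f"redirect does not lead to https on {req.hostname}: {loc.geturl()!r}"
    if resp.status in (400, 403, 426):
        # 426 Upgrade Required or an outright refusal: nothing served in the clear
        return True, f"plaintext request refused with status {resp.status}"
    if 200 <= resp.status < 300:
        return False, f"plaintext request served content (status {resp.status})"
    return False, f"unexpected status {resp.status} for plaintext request"


# Constructed log format (tab-separated), one request per line:
# ts  src_ip  dst_host  dst_port  scheme  method  path  auth_markers
SAMPLE_LOG = """\
2024-08-05T10:01:02Z\t10.1.2.30\texacq-web.example.internal\t443\thttps\tGET\t/\t-
2024-08-05T10:01:09Z\t10.1.2.30\texacq-web.example.internal\t80\thttp\tPOST\t/login\tauthorization
2024-08-05T10:02:15Z\t10.1.2.31\texacq-web.example.internal\t80\thttp\tGET\t/\t-
2024-08-05T10:02:44Z\t10.1.2.31\texacq-web.example.internal\t80\thttp\tGET\t/cameras\tcookie
2024-08-05T10:03:00Z\t10.1.2.40\tintranet.example.internal\t80\thttp\tGET\t/news\tcookie
"""

# Request header names whose presence on a cleartext request means credentials
# or a session token crossed the network unencrypted.
SENSITIVE_MARKERS = {"authorization", "cookie", "set-cookie"}


@dataclass
class Finding:
    ts: str
    src_ip: str
    method: str
    path: str
    markers: list[str]  # sensitive headers seen on this cleartext request


def cleartext_requests(log_text: str, host: str = WEB_SERVICE_HOST) -> list[Finding]:
    """Return every plaintext HTTP request to `host`, with any sensitive markers."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, _port, scheme, method, path, markers = line.split("\t")
        if dst != host or scheme != "http":
            continue
        present = [m for m in markers.split(",") if m in SENSITIVE_MARKERS]
        findings.append(Finding(ts, src, method, path, present))
    return findings


if __name__ == "__main__":
    url = f"http://{WEB_SERVICE_HOST}/"
    print(https_enforced(HttpResponse(301, {"Location": f"https://{WEB_SERVICE_HOST}/"}), url))
    print(https_enforced(HttpResponse(200, {"Content-Type": "text/html"}), url))
    for f in cleartext_requests(SAMPLE_LOG):
        severity = "CREDENTIALS IN CLEAR" if f.markers else "cleartext request"
        print(f"{f.ts} {f.src_ip} {f.method} {f.path}: {severity} {f.markers}")
```

Run the plaintext check against each deployed instance after upgrading to 24.06 and after any configuration change; a `200` on the `http://` URL is the condition to escalate. For the log scan, a cleartext request with no markers is worth a look, while one carrying `authorization` or `cookie` means a credential or session token has already been exposed on that network segment and the affected account or session should be reviewed.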

Evidence notes

CISA CSAF advisory ICSA-24-214-04 published 2024-08-01 confirms affected versions and remediation path. CVSS vector AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N sourced from official advisory. Vendor fix version 24.06 and JCI-PSA-2024-17 reference confirmed in CSAF remediations section.
