PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-32865 Johnson Controls, Inc. CVE debrief

Johnson Controls exacqVision Server versions 24.03 and earlier contain a TLS certificate validation weakness that could allow an attacker to impersonate connected devices. The vulnerability, published by CISA on August 1, 2024, stems from improper certificate validation under certain circumstances. With a CVSS 3.1 score of 6.4 (Medium), the attack requires adjacent network access, high attack complexity, and user interaction, but can result in high confidentiality and integrity impact. No availability impact is associated with this vulnerability. Johnson Controls has released version 24.06 to address this issue and additionally published detailed mitigation guidance in their Product Security Advisory JCI-PSA-2024-18.

Vendor
Johnson Controls, Inc.
Product
exacqVision Server
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2024-08-01
Original CVE updated
2024-08-01
Advisory published
2024-08-01
Advisory updated
2024-08-01

Who should care

Organizations operating Johnson Controls exacqVision Server for video surveillance and physical security management, particularly in industrial and enterprise environments where network segmentation may be limited.

Technical summary

The exacqVision Server fails to properly validate TLS certificates presented by connected devices under specific conditions. This certificate validation bypass could enable man-in-the-middle attacks in which an attacker on an adjacent network, able to satisfy the high-complexity preconditions, impersonates legitimate devices. The vulnerability affects confidentiality and integrity but not availability. The attack requires no privileges but does require user interaction.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade exacqVision Client and exacqVision Server to version 24.06 or later
  • Review Johnson Controls Product Security Advisory JCI-PSA-2024-18 for detailed mitigation instructions
  • Implement network segmentation to limit exposure of exacqVision Server to untrusted adjacent networks
  • Monitor for anomalous device connections or certificate anomalies in exacqVision environments
  • Apply defense-in-depth practices per CISA ICS recommended practices for industrial control systems
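The monitoring action above ("certificate anomalies") can be made concrete with a fingerprint-change detector. The following is an added example, not code from PatchSiren, CISA or Johnson Controls: it reads a constructed connection log in a hypothetical format (timestamp, device name, address, SHA-256 certificate fingerprint; exacqVision's real log format is not shown on this page), enrols each device's certificate fingerprint on first sight, and raises an alert whenever a later connection for the same device presents a different fingerprint, which is the observable a device-impersonation attempt against a server with weak certificate validation would leave behind.

```python
"""Flag device connections whose TLS certificate fingerprint changed (added example)."""
import re
from dataclasses import dataclass

# Hypothetical log format, assumed for this example; not exacqVision's actual format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) addr=(?P<addr>\S+) "
    r"cert_sha256=(?P<fp>[0-9a-f]{64})$"
)

# Constructed sample log: cam-lobby-01 reconnects from a new address with a new certificate.
FP_LOBBY = "11" * 32
FP_DOCK = "22" * 32
FP_ROGUE = "33" * 32
SAMPLE_LOG = f"""\
2024-08-01T09:00:01Z device=cam-lobby-01 addr=10.1.20.11 cert_sha256={FP_LOBBY}
2024-08-01T09:00:02Z device=cam-dock-02 addr=10.1.20.12 cert_sha256={FP_DOCK}
2024-08-01T09:05:10Z device=cam-lobby-01 addr=10.1.20.11 cert_sha256={FP_LOBBY}
2024-08-01T09:07:44Z device=cam-lobby-01 addr=10.1.20.99 cert_sha256={FP_ROGUE}
2024-08-01T09:08:00Z device=cam-dock-02 addr=10.1.20.12 cert_sha256={FP_DOCK}
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    device: str
    addr: str
    expected_fp: str
    observed_fp: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_fingerprint_changes(log_text, baseline=None):
    """Return (baseline, alerts).

    baseline maps device name -> expected certificate fingerprint. Devices absent
    from the baseline are enrolled on first sight (trust on first use); every later
    connection whose fingerprint differs from the enrolled one produces an Alert.
    Pass a baseline built from the device inventory to catch a bad first connection too.
    """
    known = dict(baseline or {})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line
        dev, fp = rec["device"], rec["fp"]
        if dev not in known:
            known[dev] = fp
            continue
        if fp != known[dev]:
            alerts.append(Alert(rec["ts"], dev, rec["addr"], known[dev], fp))
    return known, alerts


if __name__ == "__main__":
    enrolled, found = find_fingerprint_changes(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.device} from {a.addr}: cert changed "
              f"{a.expected_fp[:8]}... -> {a.observed_fp[:8]}...")
```

A planned certificate rotation on a device also trips this check, so the baseline must be updated as part of the rotation procedure; an alert that coincides with no such change, especially one arriving from a different address as in the sample, is what warrants investigation.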

Evidence notes

CISA published advisory ICSA-24-214-05 on August 1, 2024, identifying this vulnerability in exacqVision Server versions 24.03 and earlier. The CVSS vector AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N reflects the adjacent network requirement and high attack complexity.

Official resources

2024-08-01