PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-45861 Kastle Systems CVE debrief

A hard-coded credential vulnerability in Kastle Systems Access Control System firmware prior to May 1, 2024, allows network-based attackers to access sensitive information without authentication. CISA published this advisory on September 19, 2024. The vendor has internally fixed the configuration vulnerabilities with no user action required.

Vendor: Kastle Systems
Product: Access Control System Firmware
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-19
Original CVE updated: 2024-09-19
Advisory published: 2024-09-19
Advisory updated: 2024-09-19

Who should care

Organizations using Kastle Systems Access Control System firmware, particularly security teams managing physical access control infrastructure and OT/ICS security practitioners responsible for cloud-hosted security systems.

Technical summary

The Kastle Systems Access Control System firmware contained hard-coded credentials in versions prior to May 1, 2024. These credentials could be accessed by attackers to obtain sensitive information. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges required, no user interaction, changed scope, and high confidentiality impact. The vendor has implemented internal fixes without requiring customer action.

Defensive priority

HIGH

Recommended defensive actions

  • Verify with Kastle Systems that your deployment has received the internal configuration fix applied to firmware versions from May 1, 2024 onward
  • Review access logs for unauthorized credential use or anomalous data access patterns in affected systems
  • Coordinate with Kastle Systems to confirm cloud-hosted infrastructure security controls are in place
  • Apply CISA ICS recommended practices for industrial control systems where applicable to your environment

Evidence notes

The vulnerability stems from hard-coded credentials embedded in Kastle Systems firmware. CISA notes this is a cloud-based solution hosted by the vendor, which may limit applicability of traditional on-premises mitigation strategies.

Official resources

CISA published advisory ICSA-24-263-05 on September 19, 2024, disclosing this vulnerability. The issue affects firmware versions released before May 1, 2024.