PatchSiren cyber security CVE debrief
CVE-2024-45862 Kastle Systems CVE debrief
Kastle Systems Access Control System firmware prior to May 1, 2024 stored machine credentials in cleartext, which may allow an attacker to access sensitive information. This vulnerability affects a cloud-based access control solution hosted by Kastle Systems. The vendor has internally fixed the system configuration vulnerabilities with no user interaction required. CISA notes that traditional mitigation strategies may not be applicable given the cloud-hosted nature of this solution.
- Vendor: Kastle Systems
- Product: Access Control System Firmware
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-19
- Original CVE updated: 2024-09-19
- Advisory published: 2024-09-19
- Advisory updated: 2024-09-19
Who should care
Organizations using Kastle Systems Access Control System for physical security and building access management, particularly those with cloud-hosted deployments. Security teams responsible for OT/ICS environments, facilities management, and credential lifecycle management should assess exposure. Organizations subject to regulatory requirements for credential protection and access control audit logging should verify remediation status.
Technical summary
Kastle Systems Access Control System firmware versions prior to May 1, 2024 contain a cleartext credential storage vulnerability. Machine credentials were stored without encryption, so an attacker who could read the stored data would obtain working authentication material. The vulnerability is rated CVSS 3.1 8.6 (HIGH) with a network attack vector, low attack complexity, and high confidentiality impact. The affected product is a cloud-based access control solution, which distinguishes it from traditional on-premises industrial control systems. Kastle Systems has applied the fix internally to the cloud-hosted infrastructure; customers do not need to apply patches themselves. CISA's standard ICS mitigation guidance (network segmentation, isolating devices from the internet) may not directly apply because of the cloud-hosted architecture.
Defensive priority
HIGH
Recommended defensive actions
- Confirm Kastle Systems Access Control System firmware is updated to May 1, 2024 or later
- Verify with Kastle Systems that the cloud-hosted environment has received the vendor's internal configuration fix
- Review access logs for unauthorized credential access or anomalous authentication patterns
- Assess whether additional access control systems rely on credentials managed by the affected Kastle Systems deployment
- Contact Kastle Systems support to confirm remediation status for your specific tenant environment
Evidence notes
CISA ICS Advisory ICSA-24-263-05 confirms Kastle Systems firmware prior to May 1, 2024 stored machine credentials in cleartext. The advisory states Kastle Systems has fixed the system configuration vulnerabilities internally with no user interaction required. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N indicates network attack vector with low complexity, no privileges required, no user interaction, scope change, and high confidentiality impact.
Official resources
- CVE-2024-45862 CVE record (CVE.org)
- CVE-2024-45862 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
2024-09-19