Active Debug Code in Johnson Controls products - CVE-2023-4804

 


Published: November 10, 2023


Vulnerability identifier: #VU82962
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-4804
CWE-ID: CWE-489
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Johnson Controls
Affected software:
Quantum HD Unity Compressor control panels (Q5)
Quantum HD Unity Compressor control panels (Q6)
Quantum HD Unity AcuAir control panels (Q5)
Quantum HD Unity AcuAir control panels (Q6)
Quantum HD Unity Condenser/Vessel control panels (Q5)
Quantum HD Unity Condenser/Vessel control panels (Q6)
Quantum HD Unity Evaporator control panels (Q5)
Quantum HD Unity Evaporator control panels (Q6)
Quantum HD Unity Engine Room control panels (Q5)
Quantum HD Unity Engine Room control panels (Q6)
Quantum HD Unity Interface control panels (Q5)
Quantum HD Unity Interface control panels (Q6)

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to active debug code left in the product. A remote attacker can access debug features that were accidentally exposed.


How to mitigate CVE-2023-4804

Install updates from the vendor's website.
