Improper Authorization in CEM Systems AC2000

#VU56123 Improper Authorization in CEM Systems AC2000

Published: 2021-08-27

Vulnerability identifier: #VU56123

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27663

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CEM Systems AC2000
Server applications / Other server solutions

Vendor: Johnson Controls

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to the application does not perform an adequate authorization check for functionality that requires a provable user identity. A remote attacker can bypass authorization checks on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CEM Systems AC2000: 10.1 - 10.5

External links
http://ics-cert.us-cert.gov/advisories/icsa-21-238-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authorization in Johnson Controls CEM Systems AC2000