#VU56219 Use of Unmaintained Third Party Components in KT-1


Published: 2021-09-01

Vulnerability identifier: #VU56219

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-1104

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
KT-1
Hardware solutions / Other hardware appliances

Vendor: Johnson Controls

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected product relies on Microsoft Windows CE 6.0, which is no longer supported.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

KT-1: 2.09.02


External links
http://ics-cert.us-cert.gov/advisories/icsa-21-243-01
http://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2021/psa_jci-psa-2021-12_kt-1.pdf?la=en&hash=1E765BBFC7C99A789451AE06EF2ED36FCDF71907


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

