#VU57164 Improper Privilege Management in exacqVision Web Service - CVE-2021-27664

Cybersecurity Help s.r.o.

Published: 2021-10-08 | Updated: 2021-10-11

Vulnerability identifier: #VU57164

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-27664

CWE-ID: CWE-269

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
exacqVision Web Service
Web applications / Other software

Vendor: Johnson Controls

Description

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management. A local user can access to credentials stored in the exacqVision Server and gain elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

exacqVision Web Service: 21.06.11.0

External links
https://ics-cert.us-cert.gov/advisories/icsa-21-280-01
https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2021/jci-psa-2021-16.pdf?la=en&hash=46C02304209410715E488DF9B74EDCA45FFCB908
https://www.tenable.com/security/research/tra-2021-40

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Johnson Controls exacqVision Web Service