The attacks infiltrate enterprise networks through browsers, and show an evolution in evasive and adaptive tactics from well-resourced state-sponsored actors.

In this guidance, CISA outlines how modern cybersecurity relies on network visibility to defend against threats and o scams.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Yokogawa
• Equipment: FAST/TOOLS and CI Server
• Vulnerabilities: Cross-site Scripting, Empty Password in Configuration File

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to launch a malicious script and take control of affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Yokogawa FAST/TOOLS and CI Server, SCADA software environments, are affected:

• FAST/TOOLS RVSVRN Package: Versions R9.01 through R10.04
• FAST/TOOLS UNSVRN Package: Versions R9.01 through R10.04
• FAST/TOOLS HMIWEB Package: Versions R9.01 through R10.04
• FAST/TOOLS FTEES Package: Versions R9.01 through R10.04
• FAST/TOOLS HMIMOB Package: Versions R9.01 through R10.04
• CI Server: Versions R1.01.00 through R1.03.00

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

The affected product’s WEB HMI server’s function to process HTTP requests has a security flaw (reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.

CVE-2024-4105 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-4105. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Empty Password in Configuration File CWE-258

The affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product.

CVE-2024-4106 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

A CVSS v4 score has also been calculated for CVE-2024-4106. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Yokogawa reported these vulnerabilities to CISA.

4. MITIGATIONS

Yokogawa recommends customers using FAST/TOOLS to update to R10.04 and first apply patch software R10.04 SP3 and afterwards apply patch software I12560.

Yokogawa recommends customers using Collaborative Information Server (CI Server) to update to R1.03.00 and apply patch software R10.04 SP3.

For both platforms, if the password for the default account has not been changed, please change that password according to the documentation included with the patch software.

Yokogawa strongly recommends all customers to establish and maintain a full security program, not only for the vulnerability identified in this YSAR. Security program components are: Patch updates, Anti-virus, Backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.

For questions related to this report, please contact Yokogawa.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 27, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 6.8
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Johnson Controls, Inc.
• Equipment: Illustra Essentials Gen 4
• Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to gain access to Linux user credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Essential Gen 4 IP cameras are affected:

• Illustra Essential Gen 4: version Illustra.Ess4.01.02.10.5982 and prior

3.2 Vulnerability Overview

3.2.1 Insertion of Sensitive Information into Log File CWE-532

Under certain circumstances, unnecessary user details are provided within system logs

CVE-2024-32757 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends users upgrade cameras to Illustra.Ess4.01.02.13.6953. For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-10 v1

Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at the Johnson Controls product security website

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 27, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
• Vendor: marKoni
• Equipment: Markoni-D (Compact) FM Transmitters, Markoni-DH (Exciter+Amplifiers) FM Transmitters
• Vulnerabilities: Command Injection, Use of Hard-coded Credentials, Use of Client-Side Authentication, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to tamper with the product to bypass authentication or perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of TELSAT marKoni FM Transmitters are affected:

• Markoni-D (Compact) FM Transmitters: All versions prior to 2.0.1
• Markoni-DH (Exciter+Amplifiers) FM Transmitters: All versions prior to 2.0.1

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

TELSAT marKoni FM Transmitters are vulnerable to a command injection vulnerability through the manipulation of settings and could allow an attacker to gain unauthorized access to the system with administrative privileges.

CVE-2024-39373 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39373. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials.

CVE-2024-39374 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39374. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 USE OF CLIENT-SIDE AUTHENTICATION CWE-603

TELSAT marKoni FM Transmitters are vulnerable to an attacker bypassing authentication and gaining administrator privileges.

CVE-2024-39375 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39375. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER ACCESS CONTROL CWE-284

TELSAT marKoni FM Transmitters are vulnerable to users gaining unauthorized access to sensitive information or performing actions beyond their designated permissions.

CVE-2024-39376 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39376. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to marKoni.

4. MITIGATIONS

Markoni has released the following version to remediate these vulnerabilities:

TELSAT marKoni FM Transmitter: Version 2.0.1.

For more information, contact Markoni.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 27, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Johnson Controls
• Equipment: Illustra Essentials Gen 4
• Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Essentials Gen 4 IP camera are affected:

• Illustra Essentials Gen 4: all versions up to Illustra.Ess4.01.02.10.5982

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

Under certain circumstances the web interface will accept characters unrelated to the expected input.

CVE-2024-32755 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends that users upgrade cameras to Illustra.Ess4.01.02.13.6953

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-09 v1

Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at the Johnson Controls product security website

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 27, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 6.8
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Johnson Controls, Inc.
• Equipment: Illustra Essentials Gen 4
• Vulnerability: Storing Passwords in a Recoverable Format

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow web interface user’s credentials to be recovered by an authenticated user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Essentials IP cameras are affected:

• Illustra Essential Gen 4: versions Illustra.Ess4.01.02.10.5982 and prior

3.2 Vulnerability Overview

3.2.1 Storing Passwords in a Recoverable Format CWE-257

Under certain circumstances, the web interface users credentials may be recovered by an authenticated user.

CVE-2024-32932 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends that users upgrade cameras to Illustra.Ess4.01.02.13.6953.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-08 v1 at the following location: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at Johnson Controls product security website: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 27, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: SDG Technologies
• Equipment: PnPSCADA
• Vulnerability: Missing Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SDG Technologies PnPSCADA, a web-based SCADA HMI, are affected:

• PnPSCADA: Versions prior to 4

3.2 Vulnerability Overview

3.2.1 MISSING AUTHORIZATION CWE-862

SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.

CVE-2024-2882 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-2882 has been assigned to this vulnerability. A CVSS v4 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: South Africa

3.4 RESEARCHER

Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.

4. MITIGATIONS

SDG Technologies recommends that users use the updated PnPSCADA 4.

For more information about PnPSCADA 4 contact SDG Technologies.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 27, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 6.8
• ATTENTION: Exploitable remotely
• Vendor: Johnson Controls, Inc.
• Equipment: Illustra Essentials Gen 4
• Vulnerability: Storing Passwords in a Recoverable Format

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated user to recover credentials for other Linux users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Essential Gen 4, an IP camera, are affected:

• Illustra Essentials Gen 4: versions up to Illustra.Ess4.01.02.10.5982

3.2 Vulnerability Overview

3.2.1 Storing Passwords in a Recoverable Format CWE-257

Under certain circumstances the Linux users credentials may be recovered by an authenticated user.

CVE-2024-32756 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to Johnson Controls.

4. MITIGATIONS

Johnson Controls recommends users upgrade camera to Illustra.Ess4.01.02.13.6953
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-07 v1.

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA provides a section for control systems security recommended practices on the ICS web page on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Further ICS security notices and product security guidance are located at Johnson Controls’ product security website

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• June 27, 2024: Initial Publication