Johnson Controls, Inc. has an update available to handle a use of weak credentials vulnerability in its Software House C●CURE 9000, according to a report with CISA.

Successful exploitations of this remotely exploitable vulnerability, discovered by Reid Wightman of Dragos, could allow an attacker to gain administrative access.

The following Johnson Controls products suffer from the issue: Software House C●CURE 9000, version 2.80 and prior.

In the vulnerability, under certain circumstances the Software House C●CURE 9000 installer will utilize weak credentials.

CVE-2024-32759 is the case number for the vulnerability, which has a CVSS v3.1 base score of 8.8. There is also a CVSS v4 base score of 7.7.

Schneider Bold

The product sees use in the critical manufacturing, commercial facilities, government facilities, transportation systems, and energy sectors. It also sees action on a global basis.

No known exploit targets this vulnerability. However, an attacker could leverage this low complexity vulnerability.

Johnson Controls recommends the following:

  • Update Software House C●CURE 9000 to at least version 2.90
  • For more detailed mitigation instructions, click on Johnson Controls Product Security Advisory JCI-PSA-2024-12 v1 
  • Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

Pin It on Pinterest

Share This