Johnson Controls has released an upgrade to fix an improper authorization vulnerability in its exacqVision Enterprise System Manager (ESM), according to an advisory published with NCCIC.
Successful exploitation of this vulnerability, discovered by the researcher @bzyo_, could allow a local attacker to execute malicious code.
This vulnerability affects exacqVision ESM version 5.12.2 and prior. Installations on all Microsoft Windows operating systems are affected, with the exception of Microsoft Windows Server.
By default, the product grants excessive permissions on its directories to authorized but low-privileged system accounts. An attacker who controls such an account could use those permissions to modify application files or to escalate privileges.
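To check whether an existing installation shows the weak default described above, the following is an added example (not code from the advisory, NCCIC, or Johnson Controls): a PowerShell script that walks a directory tree and reports every Allow ACE granting write-class rights to a low-privileged principal. The install path, the list of principals treated as low-privileged and the set of rights treated as "write" are assumptions for illustration.

```powershell
# Added example, not from the advisory or the vendor: report ACEs under an install
# directory that let low-privileged principals modify or replace files.
param(
    # Assumed location; substitute the real exacqVision ESM install directory.
    [string]$Path = 'C:\Program Files\exacqVision\ESM'
)

# Principals that any local, non-administrative user is a member of (assumed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing, deleting or replacing content, or re-ACLing it.
# Modify and FullControl already include Write and Delete; listed for clarity.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Find-WeakAce {
    param([string]$Root)

    # Check the root directory itself as well as everything beneath it.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            # Only Allow entries for the low-privileged principals are of interest.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Any overlap with the write-class mask means the principal can alter the item.
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }

            [pscustomobject]@{
                Path        = $item.FullName
                IsDirectory = $item.PSIsContainer
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
            }
        }
    }
}

$findings = @(Find-WeakAce -Root $Path)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) item(s) under $Path are writable by low-privileged principals"
} else {
    "No write-class ACEs for low-privileged principals found under $Path"
}
```

Writable directories are the entries to look at first: a low-privileged user who can create or replace files in a directory that holds binaries run by a higher-privileged process has the conditions the advisory describes. The script only reports; the vendor's remediation is the upgrade listed below, and the same check can be run after upgrading to confirm the permissions have changed.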
CVE-2019-7588 has been assigned to this vulnerability, which has a CVSS v3 base score of 6.7.
The product is deployed mainly in the critical manufacturing sector and is used worldwide.
No known public exploits specifically target this vulnerability. It is not exploitable remotely, and a high skill level is needed to exploit it.
Ireland-based Johnson Controls recommends the following:
• Users should upgrade to the latest version of the product, Version 19.03
• Further ICS security notices and product security guidance are located at the Johnson Controls product security website.