
Exacq Technologies, Inc., a subsidiary of Johnson Controls, has an update available to mitigate an unquoted search path or element vulnerability (an unquoted Windows service path) in its exacqVision Server, according to a report from NCCIC.

Successful exploitation of this vulnerability, discovered by Gjoko Krstic of Applied Risk, could allow an authenticated local user to elevate their privileges.


This vulnerability impacts exacqVision Server versions 9.6 and 9.8.

Some of the product's Windows services are registered with an unquoted service path that contains spaces. When the service control manager starts such a service, Windows tries each space-delimited prefix of the path as the executable before reaching the real binary. An authenticated user who can create a file at one of those earlier locations in the system root path therefore gets that code executed, with the service's privileges, the next time the application starts.
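As an added illustration (this is example code written for this article, not code from the advisory or from Exacq), the following Python walks the same prefix search that CreateProcess performs on an unquoted path, lists the locations an attacker would need to plant a file at, and produces the quoted form an administrator would set with `sc config <service> binPath=`. The service names and paths are constructed sample data; the exacqVision path in particular is a hypothetical placeholder, not the real install location.

```python
"""
Offline checker for the Windows unquoted service path weakness.

When a service's ImagePath is not wrapped in double quotes and contains
spaces, the service control manager hands the string to CreateProcess,
which resolves the executable by trying each space-delimited prefix in
turn (appending .exe where the prefix has no extension). Anyone who can
create a file at one of the earlier candidates gets it run as the
service account at the next start.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# CONSTRUCTED sample of what enumerating HKLM\SYSTEM\CurrentControlSet\Services
# (ImagePath) or Win32_Service.PathName might return. The exacqVision path is
# a hypothetical placeholder, not the product's real install location.
SAMPLE_SERVICES = {
    "evServer": r"C:\Program Files\exacqVision\exacqVision Server\evServer.exe -service",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "GoodApp": r'"C:\Program Files\Good App\goodapp.exe" --daemon',
}


def split_unquoted(image_path: str) -> tuple[str, str] | None:
    """Split an unquoted ImagePath into (executable, arguments) by walking
    space-delimited prefixes until one ends in .exe; None if no such boundary."""
    tokens = image_path.strip().split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix, " ".join(tokens[i:])
    return None


def executable_candidates(image_path: str) -> list[str]:
    """Files CreateProcess would try, in order, for the given ImagePath.
    A quoted path yields only the quoted executable."""
    stripped = image_path.strip()
    if stripped.startswith('"'):
        end = stripped.find('"', 1)
        return [stripped[1:end]] if end != -1 else [stripped[1:]]
    tokens = stripped.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        _, ext = ntpath.splitext(prefix)  # only the last path component counts
        candidates.append(prefix if ext else prefix + ".exe")
        if ext.lower() == ".exe":
            break  # reached the real binary; the rest is arguments
    return candidates


def quote_image_path(image_path: str) -> str:
    """Hardened form: quote the executable and keep its arguments intact."""
    stripped = image_path.strip()
    if stripped.startswith('"'):
        return stripped
    parts = split_unquoted(stripped)
    if parts is None:
        raise ValueError(f"cannot locate the executable boundary in {image_path!r}")
    exe, args = parts
    return f'"{exe}" {args}' if args else f'"{exe}"'


@dataclass
class Finding:
    service: str
    image_path: str
    hijack_targets: list[str]  # paths an attacker would plant, if writable
    fixed_image_path: str


def audit(services: dict[str, str]) -> list[Finding]:
    """Return a Finding for every service whose path is unquoted and ambiguous."""
    findings = []
    for name, image_path in services.items():
        candidates = executable_candidates(image_path)
        if image_path.strip().startswith('"') or len(candidates) < 2:
            continue
        findings.append(Finding(name, image_path, candidates[:-1], quote_image_path(image_path)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"[!] {f.service}: {f.image_path}")
        for target in f.hijack_targets:
            print(f"    would run first if present: {target}")
        print(f"    fix: sc config {f.service} binPath= {f.fixed_image_path!r}")
```

To run this against a real host, replace SAMPLE_SERVICES with the PathName column of Win32_Service. A listed candidate is only usable if the parent directory actually grants the attacker create-file rights (check with icacls), which is why this class of weakness is a local privilege escalation and not a remote one.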


CVE-2019-7590 has been assigned to this vulnerability, which has a CVSS v3 base score of 6.7.

The product is used mainly in the critical manufacturing sector, with deployments worldwide.

No known public exploits specifically target this vulnerability. It is not exploitable remotely, and a high skill level is needed to exploit it.

Ireland-based Johnson Controls recommended the following:
• Users should upgrade to the latest product release, Version 19.03
• Further ICS security notices and product security guidance are located at the Johnson Controls product security website.

For questions concerning this product, contact Johnson Controls Global Product Security or send an email.
