Exacq Technologies, Inc., a subsidiary of Johnson Controls, has an update available to mitigate an unquoted search path or element vulnerability in its exacqVision Server, according to a report from NCCIC.
Successful exploitation of this vulnerability, discovered by Gjoko Kristic of Applied Risk, could allow an unauthenticated user to elevate their privileges.
This vulnerability impacts exacqVision server Versions 9.6 and 9.8.
The flaw is that some of the product's services are registered with an unquoted service path. If an authenticated user is able to place code in the system root path, that code can be executed when the application starts.
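The detection logic behind the mechanism described above, as an added example that is not code from the advisory, NCCIC, or Johnson Controls: a Python audit that parses Windows service ImagePath values, flags any executable whose unquoted path contains a space, and produces the quoted form that closes the hole. The sample ImagePath values are constructed for illustration, and the vendor-style paths in them are placeholders, not exacqVision's real install paths; the optional registry loader only works on Windows.

```python
import re

# Constructed sample ImagePath values (not from the advisory). The vendor
# directories are placeholders, not the real exacqVision install paths.
SAMPLE_IMAGE_PATHS = {
    "ServiceA": r'"C:\Program Files\Vendor\svc.exe" -run',          # quoted: safe
    "ServiceB": r'C:\Program Files\Vendor Name\service.exe',         # unquoted + space
    "ServiceC": r'C:\Windows\system32\svchost.exe -k netsvcs',       # no space in exe
    "ServiceD": r'C:\Program Files\Vendor\tool.exe --config "C:\Program Files\x.cfg"',
}

# Executable = shortest prefix ending in .exe/.cmd/.bat that is followed by
# whitespace or end of string; whatever follows is the argument list.
EXE_RE = re.compile(r'^(.*?\.(?:exe|cmd|bat))(\s.*)?$', re.IGNORECASE)


def split_image_path(image_path: str):
    """Return (executable, arguments, quoted) for a service ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                      # malformed, but still quoted
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = EXE_RE.match(s)
    if not m:                              # no recognizable extension
        parts = s.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else ""), False
    return m.group(1), (m.group(2) or "").strip(), False


def is_unquoted_service_path(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space: the
    condition under which the service control manager may try each
    space-delimited prefix as a program name before the intended binary."""
    exe, _, quoted = split_image_path(image_path)
    return (not quoted) and (" " in exe)


def hardened_image_path(image_path: str) -> str:
    """Return the ImagePath with the executable wrapped in double quotes,
    which is the standard fix for this class of bug."""
    exe, args, quoted = split_image_path(image_path)
    if quoted:
        return image_path.strip()
    return f'"{exe}"' + (f" {args}" if args else "")


def audit_services(image_paths: dict) -> dict:
    """Map service name -> corrected ImagePath for every flagged entry."""
    return {name: hardened_image_path(path)
            for name, path in image_paths.items()
            if is_unquoted_service_path(path)}


def load_from_registry() -> dict:
    """Read every service's ImagePath from HKLM on a Windows host.
    Returns an empty dict elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    base = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    result[name] = winreg.QueryValueEx(sub, "ImagePath")[0]
            except OSError:
                continue            # service without an ImagePath value
    return result


if __name__ == "__main__":
    paths = load_from_registry() or SAMPLE_IMAGE_PATHS
    for name, fixed in audit_services(paths).items():
        print(f"{name}: unquoted path with space -> set ImagePath to {fixed}")
```

On a real host the audit runs against the registry; offline it falls back to the constructed samples. The regex deliberately requires whitespace or end-of-string after the extension so that a directory name such as `foo.exe.bak` is not mistaken for the executable.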
CVE-2019-7590 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.7.
The product is used mainly in the critical manufacturing sector and is deployed globally.
No known public exploits specifically target this vulnerability. It is not exploitable remotely, and a high skill level is needed to exploit it.
Ireland-based Johnson Controls recommended the following:
• Users should upgrade to the latest product, Version 19.03.
• Further ICS security notices and product security guidance are located at the Johnson Controls product security website.