Johnson Controls has issued an ICS advisory for its Software House C●CURE 9000, highlighting a significant vulnerability. The advisory, released on July 9, 2024, details a weakness related to the use of weak credentials, assigned CVE-2024-32759. This vulnerability, rated 7.7 on the CVSS v4 scale, allows for remote exploitation with low attack complexity. It potentially grants attackers administrative access, impacting the confidentiality, integrity, and availability of the system.
The affected version of the Software House C●CURE 9000 is version 2.80 and earlier. The flaw lies in the system’s use of weak credentials, which can be exploited by attackers to gain unauthorized access. This could result in severe consequences such as unauthorized control and manipulation of the system, making it critical to address the vulnerability promptly.
Johnson Controls recommends updating the Software House C●CURE 9000 to version 2.90 or later to mitigate this risk. The company has issued a product security advisory (JCI-PSA-2024-12 v1) with detailed instructions for users. Additionally, CISA advises organizations to implement robust defensive measures, such as minimizing network exposure and employing secure remote access methods like updated VPNs.
The advisory also underscores the importance of following general cybersecurity best practices. CISA suggests performing impact analysis and risk assessments before deploying defensive measures. For more guidance on cybersecurity strategies and best practices, organizations can refer to CISA’s resources on their ICS webpage and technical papers for targeted intrusion detection and mitigation strategies.