Johnson Controls has issued an advisory for its Illustra Pro Gen 4 camera, highlighting a significant security vulnerability linked to the use of an outdated third-party component. Specifically, the camera’s dependency on JQuery versions prior to 3.5.0 has been identified as a risk, with a CVSS v4 base score of 7.0 indicating that the vulnerability is both remotely exploitable and capable of impacting the confidentiality and integrity of the device. The affected firmware versions are those prior to SS016.05.03.01.0010.
The vulnerability arises from improper management of the outdated JQuery component, which could be exploited to compromise the camera’s functionality and data integrity. Successful exploitation may allow attackers to manipulate or disclose sensitive information, or cause other disruptions to the device’s operations. Johnson Controls has advised users to upgrade their firmware to version SS016.24.03.00.0007, which addresses this issue and mitigates the associated risks.
In addition to the firmware update, Johnson Controls has provided detailed guidance in their Product Security Advisory JCI-PSA-2024-05 v1 for further mitigation. The company also recommends aligning with CISA’s defensive strategies, including performing proper impact analysis and risk assessment before implementing any defensive measures. CISA’s webpage offers additional best practices for securing control systems and managing cyber threats.
Organizations should remain vigilant and adhere to recommended security practices, including avoiding unnecessary exposure of control systems to the internet and using robust firewalls and VPNs for remote access. While no specific exploitation of this vulnerability has been publicly reported, following these recommendations can help prevent potential attacks and ensure the security of ICS assets.