MidnightBSD

Advisories for johnsoncontrols

CVE-2012-2607 HIGH

The Johnson Controls CK721-A controller with firmware before SSM4388_03.1.0.14_BB allows remote attackers to perform arbitrary actions via crafted packets to TCP port 41014 (aka the download port).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
johnsoncontrols network_controller_firmware 03.0
johnsoncontrols network_controller ck721-a
johnsoncontrols network_controller_firmware *
CVE-2012-4026 MEDIUM

The Johnson Controls Pegasys P2000 server with software before 3.11 allows remote attackers to trigger false alerts via crafted packets to TCP port 41013 (aka the upload port), a different vulnerability than CVE-2012-2607.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
johnsoncontrols pegasys_p2000_server -
johnsoncontrols pegasys_p2000_server_software *
CVE-2014-5427 MEDIUM

Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read password hashes via a POST request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
johnsoncontrols metsys 6.5
johnsoncontrols metsys 4.1
CVE-2014-5428 HIGH

Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to execute arbitrary code by uploading a shell script.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
johnsoncontrols metsys 6.5
johnsoncontrols metsys 4.1
CVE-2018-10624 LOW

In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.

CVSS 2.0

Severity: LOW

Problem Type: CWE-209,CWE-388,

Products Affected

Vendor Product Version
johnsoncontrols metasys_system *
johnsoncontrols bcpro *
CVE-2019-7589 HIGH

A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
productsecurity@jci.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
johnsoncontrols entrapass *
CVE-2019-7590 MEDIUM

ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-428,CWE-428,

Products Affected

Vendor Product Version
johnsoncontrols exacqvision_server 9.6
johnsoncontrols exacqvision_server 9.8
CVE-2019-7593 MEDIUM

Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-323,CWE-798,

Products Affected

Vendor Product Version
johnsoncontrols metasys_system *
CVE-2019-7594 MEDIUM

Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-321,CWE-798,

Products Affected

Vendor Product Version
johnsoncontrols metasys_system *
CVE-2020-9044 MEDIUM

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
johnsoncontrols nie59_firmware 9.0.6
johnsoncontrols ord-c100-13_uuklc_firmware 8.1
johnsoncontrols nae55_firmware 9.0.6
johnsoncontrols nie55_firmware 9.0.3
johnsoncontrols nae55_firmware 9.0.1
johnsoncontrols metasys_open_data_server *
johnsoncontrols nae85_firmware *
johnsoncontrols metasys_open_application_server 10.1
johnsoncontrols nie85_firmware *
johnsoncontrols nie55_firmware 9.0.2
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols nie55_firmware 9.0.1
johnsoncontrols nie59_firmware 9.0.2
johnsoncontrols ul_864_uukl_firmware 8.1
johnsoncontrols metasys_system_configuration_tool *
johnsoncontrols nae55_firmware 9.0.5
johnsoncontrols nae55_firmware 9.0.2
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols nie59_firmware 9.0.5
johnsoncontrols nie55_firmware 9.0.5
johnsoncontrols nie59_firmware 9.0.3
johnsoncontrols nae55_firmware 8.1
johnsoncontrols nae55_firmware 9.0.3
johnsoncontrols metasys_lonworks_control_server *
johnsoncontrols nie55_firmware 9.0.6
johnsoncontrols nie59_firmware 9.0.1
CVE-2020-9045 MEDIUM

During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-312,CWE-312,

Products Affected

Vendor Product Version
tyco victor_video_management_system 5.2
johnsoncontrols c-cure_9000_firmware 2.70
CVE-2020-9046 HIGH

A vulnerability in all versions of Kantech EntraPass Editions could potentially allow an authorized low-privileged user to gain full system-level privileges by replacing critical files with specifically crafted files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
productsecurity@jci.com 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,CWE-269,

Products Affected

Vendor Product Version
johnsoncontrols kantech_entrapass *
CVE-2020-9047 HIGH

A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L 1.0 5.3
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-347,CWE-347,

Products Affected

Vendor Product Version
johnsoncontrols exacqvision_enterprise_manager *
johnsoncontrols exacqvision_web_service *
CVE-2020-9048 HIGH

A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L 2.8 4.2
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

CVSS 2.0

Severity: HIGH

Problem Type: CWE-285,CWE-732,

Products Affected

Vendor Product Version
tyco c-cure_web_client *
johnsoncontrols victor_web_client *
CVE-2020-9049 MEDIUM

A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 1.6 3.6
productsecurity@jci.com 7.1 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 1.6 5.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,CWE-287,

Products Affected

Vendor Product Version
johnsoncontrols victor_web *
johnsoncontrols c-cure_web *
CVE-2020-9050 MEDIUM

Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) Web Services which could allow a remote unauthenticated attacker to access and download arbitrary files from the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
johnsoncontrols metasys_reporting_engine 2.1
johnsoncontrols metasys_reporting_engine 2.0
CVE-2021-27656 MEDIUM

A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
productsecurity@jci.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
johnsoncontrols exacqvision_web_service *
CVE-2021-27657 MEDIUM

Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
johnsoncontrols metasys *
CVE-2021-27658 LOW

exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
productsecurity@jci.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
johnsoncontrols exacqvision_enterprise_manager *
CVE-2021-27659 MEDIUM

exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
productsecurity@jci.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
johnsoncontrols exacqvision_web_service *
CVE-2021-27660 MEDIUM

An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
johnsoncontrols c-cure_9000_firmware *
CVE-2021-27661 MEDIUM

Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-863,

Products Affected

Vendor Product Version
johnsoncontrols f4-snc_firmware 11
CVE-2021-27662 MEDIUM

The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets. This issue affects Johnson Controls KT-1 all versions up to and including 3.01

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L 3.9 4.7
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-294,CWE-294,

Products Affected

Vendor Product Version
johnsoncontrols kantech_kt-1_door_controller_firmware *
CVE-2021-27663 HIGH

A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
productsecurity@jci.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

CVSS 2.0

Severity: HIGH

Problem Type: CWE-285,NVD-CWE-Other,

Products Affected

Vendor Product Version
johnsoncontrols ac2000_firmware *
CVE-2021-27664 MEDIUM

Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
johnsoncontrols exacqvision_web_service *
CVE-2021-27665 MEDIUM

An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
johnsoncontrols exacqvision_server *
CVE-2021-36198 MEDIUM

Successful exploitation of this vulnerability could allow an unauthorized user to access sensitive data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
productsecurity@jci.com 8.3 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-668,

Products Affected

Vendor Product Version
johnsoncontrols kantech_entrapass *
CVE-2021-36199 MEDIUM

Running a vulnerability scanner against VideoEdge NVRs can cause some functionality to stop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-228,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
johnsoncontrols videoedge *
CVE-2021-36200

Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
CVE-2021-36201

Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions.

Products Affected

Vendor Product Version
johnsoncontrols c-cure_9000_firmware *
CVE-2021-36202 MEDIUM

Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.4 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,CWE-918,

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
CVE-2021-36203 MEDIUM

The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,CWE-918,

Products Affected

Vendor Product Version
johnsoncontrols metasys_system_configuration_tool *
CVE-2021-36204

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
CVE-2021-36205 MEDIUM

Under certain circumstances the session token is not cleared on logout.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
productsecurity@jci.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-459,CWE-459,

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
CVE-2021-36206

All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N 3.9 5.8
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
johnsoncontrols cevas *
CVE-2021-36207 HIGH

Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
productsecurity@jci.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
CVE-2022-21934 MEDIUM

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-620,CWE-287,

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
CVE-2022-21935 MEDIUM

A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-620,CWE-287,

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server 11.0.1
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server 11.0.1
johnsoncontrols metasys_extended_application_and_data_server 11.0
johnsoncontrols metasys_open_application_server 11.0
johnsoncontrols metasys_application_and_data_server 11.0
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
johnsoncontrols metasys_open_application_server 11.0.1
CVE-2022-21936

On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6
productsecurity@jci.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server 12.0
CVE-2022-21937 LOW

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
productsecurity@jci.com 8.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N 2.3 5.8

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server 11.0.1
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server 11.0.1
johnsoncontrols metasys_extended_application_and_data_server 11.0
johnsoncontrols metasys_open_application_server 11.0
johnsoncontrols metasys_application_and_data_server 11.0
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
johnsoncontrols metasys_open_application_server 11.0.1
CVE-2022-21938 LOW

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
productsecurity@jci.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N 1.7 5.8

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
johnsoncontrols metasys_extended_application_and_data_server 11.0.1
johnsoncontrols metasys_extended_application_and_data_server *
johnsoncontrols metasys_application_and_data_server 11.0.1
johnsoncontrols metasys_extended_application_and_data_server 11.0
johnsoncontrols metasys_open_application_server 11.0
johnsoncontrols metasys_application_and_data_server 11.0
johnsoncontrols metasys_application_and_data_server *
johnsoncontrols metasys_open_application_server *
johnsoncontrols metasys_open_application_server 11.0.1
CVE-2022-21939

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
johnsoncontrols metasys_system_configuration_tool *
CVE-2022-21940

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
johnsoncontrols metasys_system_configuration_tool *
CVE-2022-21941

All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
johnsoncontrols istar_ultra_firmware *
CVE-2022-26643 MEDIUM

An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
johnsoncontrols easyio_cpt_graphics 0.8
CVE-2023-0248

An attacker with physical access to the Kantech Gen1 ioSmart card reader with firmware version prior to 1.07.02 in certain circumstances can recover the reader's communication memory between the card and reader.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L 1.6 5.3
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
johnsoncontrols iosmart_gen_1_firmware *
CVE-2023-0954

A debug feature in Sensormatic Electronics Illustra Pro Gen 4 Dome and PTZ cameras allows a user to compromise credentials after a long period of sustained attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.3 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
johnsoncontrols illustra_pro_gen_4_dome_firmware *
johnsoncontrols illustra_pro_gen_4_ptz_firmware *
CVE-2023-2024

Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allow access to an unauthorized user under certain circumstances.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N 3.9 5.8

Products Affected

Vendor Product Version
johnsoncontrols openblue_enterprise_manager_data_collector *
CVE-2023-2025

OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 may expose sensitive information to an unauthorized user under certain circumstances.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 3.1 1.4

Products Affected

Vendor Product Version
johnsoncontrols openblue_enterprise_manager_data_collector *
CVE-2023-3127

An unauthenticated user could log into iSTAR Ultra, iSTAR Ultra LT, iSTAR Ultra G2, and iSTAR Edge G2 with administrator rights.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L 1.6 5.3

Products Affected

Vendor Product Version
johnsoncontrols istar_ultra_firmware 6.9.2
johnsoncontrols edge_g2_firmware 6.9.2
johnsoncontrols istar_ultra_g2_firmware 6.9.2
johnsoncontrols istar_ultra_firmware *
johnsoncontrols istar_ultra_lt_firmware *
johnsoncontrols istar_ultra_lt_firmware 6.9.2
johnsoncontrols istar_ultra_g2_firmware *
johnsoncontrols edge_g2_firmware *
CVE-2023-3548

An unauthorized user could gain account access to IQ Wifi 6 versions prior to 2.0.2 by conducting a brute force authentication attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 3.9 3.7

Products Affected

Vendor Product Version
johnsoncontrols iq_wifi_6_firmware *
CVE-2023-3749

A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 1.8 5.2

Products Affected

Vendor Product Version
johnsoncontrols videoedge *
CVE-2023-4486

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
productsecurity@jci.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
johnsoncontrols snc25150-0_firmware *
johnsoncontrols sne10500_firmware *
johnsoncontrols sne110l0_firmware *
johnsoncontrols nae55_firmware *
johnsoncontrols sne11000_firmware *
johnsoncontrols f4-snc_firmware *
johnsoncontrols snc16120-04_firmware *
johnsoncontrols sne22000_firmware *
johnsoncontrols snc25150-04_firmware *
johnsoncontrols snc16120-0_firmware *
CVE-2023-4804

An unauthorized user could access debug features in Quantum HD Unity products that were accidentally exposed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
johnsoncontrols quantum_hd_unity_acuair_firmware *
johnsoncontrols quantum_hd_unity_condenser/vessel_firmware *
johnsoncontrols quantum_hd_unity_evaporator_firmware *
johnsoncontrols quantum_hd_unity_compressor_firmware *
johnsoncontrols quantum_hd_unity_engine_room_firmware *
johnsoncontrols quantum_hd_unity_interface_firmware *
CVE-2024-0242

Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@jci.com 7.3 HIGH CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H 0.9 5.8

Products Affected

Vendor Product Version
johnsoncontrols qolsys_iq_panel_4_firmware *
johnsoncontrols qolsys_iq4_hub_firmware *
CVE-2024-0912

Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior versions

Products Affected

Vendor Product Version
johnsoncontrols software_house_c-cure_9000_siteserver 3.00.2
CVE-2026-21654

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Products Affected

Vendor Product Version
johnsoncontrols frick_controls_quantum_hd_firmware *
CVE-2026-21656

Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Products Affected

Vendor Product Version
johnsoncontrols frick_controls_quantum_hd_firmware *
CVE-2026-21657

Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Products Affected

Vendor Product Version
johnsoncontrols frick_controls_quantum_hd_firmware *
CVE-2026-21658

Unauthenticated Remote Code Execution i.e Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior.

Products Affected

Vendor Product Version
johnsoncontrols frick_controls_quantum_hd_firmware *
CVE-2026-21659

Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
johnsoncontrols frick_controls_quantum_hd_firmware *
CVE-2026-21660

Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue affects Frick Controls Quantum HD version 10.22 and prior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
johnsoncontrols frick_controls_quantum_hd_firmware *