Latest News

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 6.4 ATTENTION: Exploitable remotely Vendor: Johnson Controls, Inc. Equipment: exacqVision Web Service Vulnerability: Cleartext Transmission of Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform a man-in-the-middle attack and gain access to sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Johnson Controls exacqVision Web Service are affected: exacqVision Web Service: Versions 24.03 and prior 3.2 Vulnerability Overview 3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 Under certain circumstances, Johnson Controls exacqVision Web Service versions 24.03 and prior, will not enforce secure web communications (HTTPS). CVE-2024-32864 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTO...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation Vendor: AVTECH SECURITY Corporation Equipment: IP camera Vulnerability: Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following AVTECH IP camera was identified as being affected; it is suspected that prior versions of other IP cameras and NVR (network video recorder) products are also affected: AVM1203: firmware version FullImg-1023-1007-1011-1009 and prior 3.2 Vulnerability Overview 3.2.1 COMMAND INJECTION CWE-77 Commands can be injected over the network and executed without authentication. CVE-2024-7029 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.6 ATTENTION: Exploitable remotely Vendor: Johnson Controls Inc. Equipment: exacqVision Web Service Vulnerability: Permissive Cross-domain Policy with Untrusted Domains 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to send an unauthorized request or access data from an untrusted domain. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Johnson Controls reports that the following versions of exacqVision Web Service are affected: exacqVision Web Service: 22.12.1.0 3.2 Vulnerability Overview 3.2.1 Permissive Cross-domain Policy with Untrusted Domains CWE-942 Under certain circumstances the exacqVision web service does not provide sufficient protection from untrusted domains. CVE-2024-32862 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). A CVSS v4 score has also been calculated for CVE-2024-32862 . A base sc...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 6.4 ATTENTION: Exploitable remotely Vendor: Johnson Controls, Inc. Equipment: exacqVision Server Vulnerability: Improper Certificate Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform a man-in-the-middle attack and intercept communications. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Johnson Controls exacqVision Server are affected: exacqVision Server: Versions 24.03 and prior 3.2 Vulnerability Overview 3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295 Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices. CVE-2024-32865 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transpo...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Vonets Equipment: VAR1200-H, VAR1200-L, VAR600-H, VAP11AC, VAP11G-500S, VBG1200, VAP11S-5G, VAP11S, VAR11N-300, VAP11G-300, VAP11N-300, VAP11G, VAP11G-500, VBG1200, VAP11AC, VGA-1000 Vulnerabilities: Use of Hard-coded Credentials, Improper Access Control, Path Traversal, Command Injection, Improper Check or Handling of Exceptional Conditions, Stack Based Buffer Overflow, Direct Request 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, cause a denial-of-service condition, or execute arbitrary code on the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS At least the following Vonets products are affected: VAR1200-H: Versions 3.3.23.6.9 and prior VAR1200-L: Versions 3.3.23.6.9 and prior VAR600-H: Versions 3.3.23.6.9 and prior VAP11AC: Versions 3.3.23.6.9 and prior VAP11G-500S: Versions 3.3.23.6.9 a...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 6.8 ATTENTION: Exploitable remotely Vendor: Johnson Controls, Inc. Equipment: exacqVision Web Service Vulnerability: Cross-Site Request Forgery (CSRF) 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform state-changing operations with administrative privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Johnson Controls exacqVision Web Service are affected: exacqVision Web Service: Versions 24.03 and prior 3.2 Vulnerability Overview 3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352 In Johnson Controls exacqVision Web Service versions 24.03 and prior, an attacker may be able to perform state-changing operations with administrative privileges. CVE-2024-32863 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturi...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Johnson Controls, Inc. Equipment: Web Service Vulnerability: Use of GET Request Method With Sensitive Query Strings 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Johnson Controls exacqVision Web Service are affected: exacqVision Web Service: Versions 24.03 and prior 3.2 Vulnerability Overview 3.2.1 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598 Under certain circumstances exacqVision Web Service versions 24.03 and prior can expose authentication token details within communications. CVE-2024-32931 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Comme...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules Vulnerability: Unprotected Alternate Channel 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute CIP programming and configuration commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules are affected: ControlLogix: Version V28 GuardLogix: Version V31 1756-EN4TR: Version V2 1756-EN2T, Series A/B/C (unsigned version): Version v5.007 1756-EN2F, Series A/B (unsigned version): Version v5.007 1756-EN2TR, Series A/B (unsigned version): Version v5.007 1756-EN3TR, Series B (unsigned version): Version v5.007 1756-EN2T, Series A/B/C (signed version): Version v5.027 1756-EN2F, Series A/B (signed version): Version v5.027 1756-EN2TR, Series A/B (signed version): Version v5.027 1...

How to detect and prevent attackers from using these various techniques Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it. What Is Obfuscation? Obfuscation is the technique of intentionally making information difficult to read, especially in

The RayV Lite will make it hundreds of times cheaper for anyone to carry out physics-bending feats of hardware hacking.