CVE-2021-27664
📋 TL;DR
CVE-2021-27664 is a critical vulnerability in exacqVision Server where unauthenticated remote attackers can access stored credentials under certain configurations. This affects organizations using Johnson Controls exacqVision video management systems with vulnerable configurations. The vulnerability allows complete compromise of authentication credentials.
💻 Affected Systems
- Johnson Controls exacqVision Server
📦 What is this software?
exacqVision Web Service by Johnson Controls
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to access all video feeds, modify recordings, disable security systems, and pivot to other network resources using stolen credentials.
Likely Case
Attackers gain access to video surveillance systems, potentially viewing sensitive footage, disabling cameras, or using credentials to access other systems.
If Mitigated
Limited impact: with proper network segmentation and access controls in place, credential access is prevented even if the vulnerability is exploited.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. Attackers can remotely access credentials without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.06.4 and later
Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Restart Required: Yes
Instructions:
1. Download exacqVision Server version 21.06.4 or later from the Johnson Controls support portal.
2. Back up the current configuration.
3. Install the update following the vendor instructions.
4. Restart the exacqVision Server service.
🔧 Temporary Workarounds
Network Segmentation
Isolate exacqVision Server from untrusted networks and restrict access to authorized IP addresses only.
Firewall Rules
Implement strict firewall rules to block external access to exacqVision Server ports (typically 80, 443, 8080).
🧯 If You Can't Patch
- Implement strict network access controls allowing only authorized management stations to communicate with exacqVision Server.
- Monitor network traffic for unusual access patterns to exacqVision Server and implement intrusion detection rules.
🔍 How to Verify
Check if Vulnerable:
Check exacqVision Server version in administration interface. Versions below 21.06.4 are vulnerable.
Check Version:
Check via the exacqVision web interface (System > About) or, on Windows, the installed programs list for the exacqVision version.
Verify Fix Applied:
Verify version is 21.06.4 or higher in administration interface and test that credential access via unauthenticated requests is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to credential-related endpoints
- Multiple failed authentication attempts followed by successful credential access
Network Indicators:
- Unusual outbound connections from exacqVision Server
- Traffic patterns indicating credential extraction
SIEM Query:
source="exacqvision" AND (url="*credential*" OR url="*password*") AND status=200 AND auth_status="unauthenticated"
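The version check from the "How to Verify" section and the SIEM query above, implemented as an added example that is not part of this advisory or of Johnson Controls' software. The key=value log layout, the field names taken from the query, and the sample lines are constructed assumptions; only the 21.06.4 threshold comes from the page.

```python
import re
from typing import Iterable

# Constructed sample events (not real exacqVision logs); the key=value layout
# mirrors the fields used in the SIEM query and is an assumption.
SAMPLE_LOGS = [
    'source="exacqvision" url="/login" status=200 auth_status="authenticated"',
    'source="exacqvision" url="/config/credentials" status=200 auth_status="unauthenticated"',
    'source="exacqvision" url="/admin/password" status=401 auth_status="unauthenticated"',
    'source="nginx" url="/password" status=200 auth_status="unauthenticated"',
    'source="exacqvision" url="/users/Password.xml" status=200 auth_status="unauthenticated"',
]

FIXED_VERSION = (21, 6, 4)  # first fixed release named in the advisory

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def matches_siem_query(event: dict) -> bool:
    """Apply the advisory's SIEM query to one parsed event.

    The *credential* / *password* wildcards are treated case-insensitively,
    as most SIEM wildcard searches do."""
    url = event.get("url", "").lower()
    return (
        event.get("source") == "exacqvision"
        and ("credential" in url or "password" in url)
        and event.get("status") == "200"
        and event.get("auth_status") == "unauthenticated"
    )


def flag_suspicious(lines: Iterable[str]) -> list:
    """Return the parsed events that match the query, for alerting/triage."""
    return [event for event in map(parse_kv, lines) if matches_siem_query(event)]


def is_vulnerable_version(version: str) -> bool:
    """True when a dotted exacqVision version string is below 21.06.4."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):
        print("ALERT:", hit["url"])
    print("21.03.1 vulnerable:", is_vulnerable_version("21.03.1"))
```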