CVE-2024-0242

7.3 HIGH

📋 TL;DR

CVE-2024-0242 is an information exposure vulnerability in Johnson Controls IQ Panel4 and IQ4 Hub security panel software that could allow unauthorized access to system settings. This affects organizations using these security panels for physical access control and building management. The vulnerability occurs under certain unspecified circumstances in software versions prior to 4.4.2.

💻 Affected Systems

Products:
  • Johnson Controls IQ Panel4
  • Johnson Controls IQ4 Hub
Versions: Software versions prior to 4.4.2
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Specific circumstances required for exploitation are not detailed in public advisories.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain unauthorized access to security panel settings, potentially disabling alarms, modifying access controls, or compromising the entire physical security system.

🟠 Likely Case

Unauthorized users could view sensitive configuration data, potentially enabling further attacks or reconnaissance of the security system.

🟢 If Mitigated

With proper network segmentation and access controls, the impact would be limited to unauthorized viewing of configuration data without the ability to modify settings.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific circumstances and likely some level of access to the system or network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.2

Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Restart Required: Yes

Instructions:

1. Contact Johnson Controls support or authorized dealer
2. Schedule maintenance window for panel update
3. Apply software update to version 4.4.2
4. Verify successful update and functionality

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate security panels on a separate VLAN with strict access controls

Access Control Lists (applies to: all)

Implement strict firewall rules limiting access to panel management interfaces

🧯 If You Can't Patch

  • Segment panels on isolated network with no internet access
  • Implement strict physical access controls to panel locations

🔍 How to Verify

Check if Vulnerable:

Check panel software version via local interface or management software

Check Version:

Check via panel local interface or Johnson Controls management software

Verify Fix Applied:

Confirm software version is 4.4.2 or later

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to panel management interfaces
  • Unexpected configuration changes

Network Indicators:

  • Unusual traffic patterns to/from security panel IP addresses
  • Unauthorized connection attempts to panel management ports

SIEM Query:

source_ip IN (panel_ips) AND (event_type='access_denied' OR event_type='configuration_change')
