Researchers at cybersecurity firm Tenable have discovered critical and high-severity vulnerabilities in video surveillance systems made by Exacq Technologies, which is owned by building technology giant Johnson Controls.
Tenable’s Zero-Day Research Team discovered two security flaws in the exacqVision web service used by Exacq products. Advisories describing the vulnerabilities were published recently by Tenable, Johnson Controls [1,2], and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
According to Tenable, the affected web service is designed to allow users to fetch video and other data from exacqVision servers using a web browser. The web service acts as an intermediary between the web client and the server.
Tenable researchers discovered that if the exacqVision server is configured with a so-called passthrough account, which can be used to remotely connect to the server, an unauthenticated attacker can abuse it to access the server with the privileges of this passthrough account.