ICSA-20-282-01  ·  Published 2021-01-05

Johnson Controls Sensormatic Electronics American Dynamics victor Web Client and Software House C•CURE Web Client (Update A)

CVSS 7.1 HIGH

Risk Summary

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to delete arbitrary files on the system or render the system unusable through a denial-of-service attack.

CVEs (1)

Remediations

  • Johnson Controls recommends users upgrade all versions of victor Web Client to v5.6. Registered users can download the update.
  • C•CURE Web v2.60 and earlier: upgrade to a minimum of v2.70.
  • C•CURE Web v2.70: install the update WebClient_c2.70_5.2_Update02.
  • C•CURE Web v2.80: install the update WebClient_c2.80_v5.4.1_Update04.
  • Registered users can download the software update.
  • For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2020-09.
  • Further ICS security notices and product security guidance are located at the Johnson Controls product security website.

Affected Vendors

Sensormatic Electronics, LLC, Johnson Controls Inc.

Affected Products (2)

Sensormatic Electronics, LLC, Johnson Controls Inc. · Software House C•CURE Web Client <= 2.80
Sensormatic Electronics, LLC, Johnson Controls Inc. · American Dynamics victor Web Client <= 5.4.1

Affected Sectors

Critical Manufacturing
