ICSA-21-182-02  ·  Published 2021-08-12

Sensormatic Electronics C-CURE 9000 (Update A)

CVSS 8.8 HIGH

Risk Summary

Successful exploitation of this vulnerability could allow remote execution of lower privileged Windows programs.

CVEs (1)

Remediations

  • Johnson Controls recommends users upgrade to Version 2.80 or later. Johnson Controls recommends uninstalling the C-CURE 9000 Auto Update feature if it is not in use.
  • Versions prior to 2.60
      • Versions prior to 2.60 should first be upgraded to 2.60 Service Pack 2 CU07 or later.
  • Versions 2.60 & 2.70
      • Apply 2.60 Service Pack 2 CU07 or later or 2.70 Service Pack 2 CU01 or later, respectively.
      • On a machine with the C-CURE 9000 server installed, the service pack will automatically remove the auto update client.
      • On remote client machines, when running the service pack and if the Auto Update service is installed, a prompt will ask users if they want to remove the service.
      • If users run the service pack in silent mode, they should run it with the optional parameter “/REMOVEAUTOUPDATE” to remove the auto update client.
  • Version 2.80 & 2.90
      • Starting in C-CURE 9000 Version 2.80, the client Auto Update feature is a separate install.
      • From Windows Programs and Features on the application server, select C-CURE 9000 Automated Update, right-click, then select Uninstall.
      • From Windows Programs and Features, wherever the C-CURE 9000 clients (Monitoring Station, Administration Workstation) are installed (and the Auto Update service), select CCURE9000ClientAutoupdate, right-click, then select Uninstall.
  • For access to more specific product update and vulnerability mitigation information, please see Johnson Controls Product Security Advisory JCI-PSA-2021-10 v2 or contact a Johnson Controls Technical Support Team representative.
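
An inventory check for the two Auto Update entries named in the steps above, added here as an example (not from Johnson Controls or CISA). It assumes the components register in the standard Windows Uninstall registry keys under the display names the advisory gives; the function names are hypothetical.

```powershell
# Added example: find the Auto Update components the advisory says to uninstall.
# Display names come from the remediation steps; matching on DisplayName in the
# Uninstall registry keys is an assumption about how the installers register.
$AutoUpdateNames = @(
    'C-CURE 9000 Automated Update',   # application server component
    'CCURE9000ClientAutoupdate'       # client component
)

function Select-AutoUpdateEntry {
    # Hypothetical helper: keeps only entries whose DisplayName matches a listed name
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        if (-not $Entry.DisplayName) { return }
        foreach ($name in $AutoUpdateNames) {
            # Case-insensitive substring match tolerates a version suffix in the name
            if ($Entry.DisplayName -like "*$name*") {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $Entry.DisplayName
                    DisplayVersion  = $Entry.DisplayVersion
                    UninstallString = $Entry.UninstallString
                }
                break
            }
        }
    }
}

function Get-InstalledProgramEntry {
    # Programs and Features is backed by these keys (64-bit and 32-bit views)
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue
}

$found = @(Get-InstalledProgramEntry | Select-AutoUpdateEntry)
if ($found.Count -eq 0) {
    Write-Output "No C-CURE 9000 Auto Update component registered on $env:COMPUTERNAME"
} else {
    $found | Format-Table -AutoSize
}
```

Run it on the application server and on each Monitoring Station or Administration Workstation, before and after applying the service pack or uninstalling, to confirm the component is gone.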

Affected Vendors

Sensormatic Electronics, LLC, Johnson Controls Inc.

Affected Products (1)

Sensormatic Electronics, LLC, Johnson Controls Inc. · C-CURE 9000 < 2.80

Affected Sectors

Critical Manufacturing
