Platform: other
Component: exacqvision-web-service
CVE-2021-27664 is a critical vulnerability affecting the exacqVision Web Service, specifically versions 21.06.11.0 through 21.06.11.0. This flaw allows an unauthenticated remote user to gain access to credentials stored within the exacqVision server. The potential impact is significant, enabling unauthorized access and control of the surveillance system. A patch is available to address this vulnerability.
The core of this vulnerability lies in the improper handling of credentials within the exacqVision Web Service. An attacker, without requiring any authentication, can exploit this flaw to retrieve sensitive information, including usernames and passwords used by the system or its users. This stolen data can then be leveraged to gain unauthorized access to the exacqVision system itself, potentially allowing the attacker to view live camera feeds, access recorded video, and even modify system configurations. The blast radius extends beyond the immediate surveillance system; compromised credentials could be used for lateral movement within the network, impacting other connected systems and data. This vulnerability shares similarities with other credential leakage issues where weak access controls expose sensitive data to external threats.
CVE-2021-27664 was publicly disclosed on October 11, 2021. While no active exploitation campaigns have been definitively confirmed, the critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and severity.
Exploit Status
EPSS: 0.27% (50th percentile)
CVSS Vector
The primary mitigation is to upgrade to a patched version of exacqVision Web Service as soon as it becomes available. Until the upgrade can be performed, several temporary workarounds reduce the risk. First, restrict network access to the exacqVision server, limiting its exposure to external networks, and implement firewall rules that allow only necessary traffic. Review and audit the credentials stored within the system, ensuring they follow strong password policies and are rotated regularly. Consider enabling multi-factor authentication (MFA) where possible for an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to access credentials through the web service interface and verifying that access is denied.
Update exacqVision Web Service to a non-vulnerable version. Consult the Johnson Controls advisory for more information and the patched version.
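A first step in responding to this advisory is to find every deployment whose web service version falls inside the stated affected range. The following is an added example, not code from Johnson Controls or exacqVision: it parses dotted version strings, compares them numerically (so 21.6.11 and 21.06.11.0 are treated as the same release), and flags inventory entries that lie within the range given on this page. The inventory below is constructed sample data, and the hostnames are placeholders. The check only reports whether a version is inside the affected range; it does not know which later releases contain the fix, so the patched version should still be taken from the vendor advisory.

```python
"""Flag exacqVision Web Service versions inside the affected range for
CVE-2021-27664 (21.06.11.0 through 21.06.11.0, inclusive, as stated on
this page). Added example; not vendor code."""

import re
from typing import Dict, List, Tuple

# Affected range as given on the page (inclusive on both ends).
AFFECTED_LOW = "21.06.11.0"
AFFECTED_HIGH = "21.06.11.0"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '21.06.11.0' into a tuple of ints.

    Components are compared numerically, so a leading zero ('06') does not
    change the meaning. Raises ValueError for anything that is not a
    dotted numeric version (e.g. a banner string or an empty field).
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad the shorter tuple with zeros so 21.06.11 == 21.06.11.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is less than, equal to or greater than b."""
    ta, tb = _pad(parse_version(a), parse_version(b))
    return (ta > tb) - (ta < tb)


def is_affected(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """True when low <= version <= high (both ends inclusive)."""
    return compare_versions(version, low) >= 0 and compare_versions(version, high) <= 0


def classify(version: str) -> str:
    """'affected', 'not affected', or 'unknown' when the string cannot be parsed.

    Unparseable versions are reported rather than silently skipped, because a
    host whose version cannot be read still needs a manual check.
    """
    try:
        return "affected" if is_affected(version) else "not affected"
    except ValueError:
        return "unknown"


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose recorded version is inside the affected range."""
    return sorted(host for host, ver in inventory.items() if classify(ver) == "affected")


# Constructed sample inventory (placeholder hostnames, not real systems).
SAMPLE_INVENTORY = {
    "nvr-placeholder-01": "21.06.11.0",   # exact affected build
    "nvr-placeholder-02": "21.6.11",      # same release, different formatting
    "nvr-placeholder-03": "21.06.10.9",   # below the range
    "nvr-placeholder-04": "21.06.11.1",   # above the range
    "nvr-placeholder-05": "n/a",          # version not recorded
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:20s} {ver:12s} {classify(ver)}")
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
```

Hosts reported as "unknown" should be checked by hand; an unreadable version field is not evidence that a system is safe.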
CVE-2021-27664 is a critical vulnerability in exacqVision Web Service versions 21.06.11.0–21.06.11.0 that allows unauthenticated attackers to access stored credentials.
If you are running exacqVision Web Service version 21.06.11.0–21.06.11.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of exacqVision Web Service as soon as it becomes available. Implement temporary mitigations like restricting network access until the upgrade is complete.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the official exacqVision security advisory for detailed information and updates: [https://www.exacq.com/security-advisories/](https://www.exacq.com/security-advisories/)