
ICS: Multiple Johnson Controls Illustra Essentials Gen 4 Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-32756 CVSS:6.8

Johnson Controls Illustra Essentials Gen 4 could allow a remote authenticated attacker to obtain sensitive information because passwords are stored in a recoverable format. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain Linux user credentials and use them to launch further attacks against the affected system.

CVE-2024-32755 CVSS:9.1

Johnson Controls Illustra Essentials Gen 4 could allow a remote authenticated attacker to execute arbitrary code on the system because of improper input validation by the web interface. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-32932 CVSS:6.8

Johnson Controls Illustra Essentials Gen 4 could allow a remote authenticated attacker to obtain sensitive information because passwords are stored in a recoverable format. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain Linux user credentials and use them to launch further attacks against the affected system.

CVE-2024-32757 CVSS:6.8

Johnson Controls Illustra Essentials Gen 4 could allow a remote authenticated attacker to obtain sensitive information because user details are written to the system log file. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain user information and use it to launch further attacks against the affected system.

Impact

  • Information Disclosure
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-32756
  • CVE-2024-32755
  • CVE-2024-32932
  • CVE-2024-32757

Affected Vendors

Johnson Controls

Affected Products

  • Johnson Controls Illustra Essentials Gen 4

Remediation

Upgrade to the latest version of Illustra Essentials Gen 4, available from the Johnson Controls website.

Johnson Controls Website