Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Vulnerabilities Expose exacqVision Video Surveillance Systems to Remote Attacks

Researchers at cybersecurity firm Tenable have discovered critical and high-severity vulnerabilities in video surveillance systems made by Exacq Technologies, which is owned by building technology giant Johnson Controls.

Researchers at cybersecurity firm Tenable have discovered critical and high-severity vulnerabilities in video surveillance systems made by Exacq Technologies, which is owned by building technology giant Johnson Controls.

Tenable’s Zero-Day Research Team discovered two security flaws in the exacqVision web service used by Exacq products. Advisories describing the vulnerabilities were published recently by Tenable, Johnson Controls [1,2], and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

According to Tenable, the affected web service is designed to allow users to fetch video and other data from exacqVision servers using a web browser. The web service acts as an intermediary between the web client and the server.

Tenable researchers discovered that if the exacqVision server is configured with a so-called passthrough account, which can be used to remotely connect to the server, an unauthenticated attacker can abuse it to access the server with the privileges of this passthrough account.

“If the passthrough account has high privileges (i.e., Full Admin role), the attacker can have more access to the exacqVision server, including adding a user with Full Admin role,” Tenable explained in its advisory. “Even if the passthrough account has low privileges (i.e., Restricted role), the attacker can still see more privileged information. For example, only a user in the Full Admin or Power User role can configure video archiving, but a lower privileged user can see the Direct Search username and password that is part of the archiving configuration.”

The second vulnerability has been described as a DoS issue that can be exploited by a remote, unauthenticated attacker to crash a server by sending specially crafted messages.

Tenable told SecurityWeek that attacks can be launched directly from the internet against systems that are accessible from the internet, but the company could not provide any information regarding the exposure level of these systems.

“If an attacker were to find a vulnerable instance of the exaqVision software exposed to the internet, they would potentially be able to obtain administrative level access to the software without authentication. This would allow them to make configuration changes, steal data, disrupt access to the exaqVision software, or disable it entirely,” Tenable explained.

The vulnerabilities were reported to the vendor in late July and patches were developed roughly one month later. According to Johnson Controls, the vulnerabilities affect the 32-bit version of exacqVision Server and older. Users can update to version 21.9 or upgrade to the 64-bit version to prevent exploitation of the flaws.

Related: Vulnerability Allows Remote Hacking of Annke Video Surveillance Product

Related: Critical Vulnerability Found in Sunhillo Aerial Surveillance Product

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.