Connect with us

Hi, what are you looking for?


IoT Security

Vulnerabilities Expose exacqVision Video Surveillance Systems to Remote Attacks

Researchers at cybersecurity firm Tenable have discovered critical and high-severity vulnerabilities in video surveillance systems made by Exacq Technologies, which is owned by building technology giant Johnson Controls.

Researchers at cybersecurity firm Tenable have discovered critical and high-severity vulnerabilities in video surveillance systems made by Exacq Technologies, which is owned by building technology giant Johnson Controls.

Tenable’s Zero-Day Research Team discovered two security flaws in the exacqVision web service used by Exacq products. Advisories describing the vulnerabilities were published recently by Tenable, Johnson Controls [1,2], and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

According to Tenable, the affected web service is designed to allow users to fetch video and other data from exacqVision servers using a web browser. The web service acts as an intermediary between the web client and the server.

Tenable researchers discovered that if the exacqVision server is configured with a so-called passthrough account, which can be used to remotely connect to the server, an unauthenticated attacker can abuse it to access the server with the privileges of this passthrough account.

“If the passthrough account has high privileges (i.e., Full Admin role), the attacker can have more access to the exacqVision server, including adding a user with Full Admin role,” Tenable explained in its advisory. “Even if the passthrough account has low privileges (i.e., Restricted role), the attacker can still see more privileged information. For example, only a user in the Full Admin or Power User role can configure video archiving, but a lower privileged user can see the Direct Search username and password that is part of the archiving configuration.”

The second vulnerability has been described as a DoS issue that can be exploited by a remote, unauthenticated attacker to crash a server by sending specially crafted messages.

Tenable told SecurityWeek that attacks can be launched directly from the internet against systems that are accessible from the internet, but the company could not provide any information regarding the exposure level of these systems.

“If an attacker were to find a vulnerable instance of the exaqVision software exposed to the internet, they would potentially be able to obtain administrative level access to the software without authentication. This would allow them to make configuration changes, steal data, disrupt access to the exaqVision software, or disable it entirely,” Tenable explained.

Advertisement. Scroll to continue reading.

The vulnerabilities were reported to the vendor in late July and patches were developed roughly one month later. According to Johnson Controls, the vulnerabilities affect the 32-bit version of exacqVision Server and older. Users can update to version 21.9 or upgrade to the 64-bit version to prevent exploitation of the flaws.

Related: Vulnerability Allows Remote Hacking of Annke Video Surveillance Product

Related: Critical Vulnerability Found in Sunhillo Aerial Surveillance Product

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.