Critical Vulnerabilities Found in Johnson Controls Access Control Systems

Vulnerabilities Reporter

CISA warns of critical flaws in Johnson Controls' C-CURE 9000 software enabling unauthorized building access and system control.

Multiple critical security flaws in Johnson Controls' C-CURE 9000 access control software could let attackers bypass the building security controls it manages. The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory confirming that an unauthenticated attacker with network access to the C-CURE server can exploit these vulnerabilities to gain full control of the system.

Two vulnerabilities carry maximum severity ratings:

  • CVE-2023-4808 (CVSS v3.1: 9.8): Authentication bypass allowing admin privileges without credentials
  • CVE-2023-4809 (CVSS v3.1: 9.8): SQL injection flaw enabling remote code execution

Affected versions include all C-CURE 9000 releases prior to 3.00. This enterprise software manages physical security for commercial facilities worldwide, including door control, surveillance integration, and credential management. Successful exploitation could let an attacker unlock doors to secured areas, disable alarms, or tamper with the audit logs that would otherwise record the intrusion.

Johnson Controls released patched version 3.00 on October 4, 2023, and CISA's advisory urges all operators of affected systems to upgrade immediately. No workaround removes the flaws themselves. Organizations unable to patch immediately should at least reduce exposure by isolating C-CURE servers behind firewalls and restricting network access to the hosts that genuinely need it, bearing in mind that the vulnerabilities require no credentials, so any host that can still reach the server can still exploit them.

CISA's alert follows coordinated disclosure through the agency's vulnerability reporting program. Technical details are documented in Johnson Controls' security bulletin. Critical infrastructure operators should prioritize remediation given the physical security implications.

Timeline:

  • September 2023: Vulnerabilities reported to CISA
  • October 4, 2023: Patches released (C-CURE 9000 v3.00)
  • October 25, 2023: Public advisory issued

Security teams should verify that every C-CURE 9000 deployment, including standby, test, and redundant servers, is running version 3.00 or later. Because the advisory describes both an authentication bypass and a SQL injection flaw, continuous monitoring should cover unusual authentication activity (for example, administrative sessions from hosts that are not operator workstations) as well as anomalous database queries against the C-CURE backend.
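The two checks above, as an added example that is not part of the original article and not Johnson Controls' or CISA's code: a version comparison against the 3.00 fix and a simple detector run over constructed log lines. The log format, the `10.20.0.0/24` management network, the `SPn` service-pack suffix, and the SQL Server injection signatures are all assumptions made for the example; a real deployment would substitute its own log schema, asset inventory, and tuned rules.

```python
"""Added example: version verification plus authentication/SQL anomaly
detection for C-CURE 9000 deployments. Not vendor code; log format,
networks and signatures are assumptions made for illustration."""
import re
from ipaddress import ip_address, ip_network

# Releases at or above this carry the fixes the advisory describes.
FIXED_VERSION = (3, 0)

# Hypothetical management network from which operator logins are expected;
# a real deployment would take this from its own asset inventory.
MGMT_NETWORKS = [ip_network("10.20.0.0/24")]

# Generic SQL Server injection/abuse markers (C-CURE 9000 is backed by SQL
# Server). Illustrative signatures only, not vendor detection content.
SQL_MARKERS = [
    r"'\s*or\s*'?\d*'?\s*=\s*'?\d*'?",  # tautology such as ' OR '1'='1
    r"--",                              # comment that truncates the query
    r";\s*exec(ute)?\b",                # stacked statement
    r"\bunion\b.+?\bselect\b",          # UNION-based data extraction
    r"\bxp_cmdshell\b",                 # OS command execution via SQL Server
    r"\bwaitfor\s+delay\b",             # time-based blind injection probe
]
SQL_RE = re.compile("|".join(f"(?:{m})" for m in SQL_MARKERS), re.I | re.S)

# Assumed log line shape: "<timestamp> <EVENT> key=value key="quoted value"".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_version(text):
    """'2.90 SP2' -> (2, 90, 2); '3.00' -> (3, 0, 0).
    Comparing numeric tuples avoids the string trap where '2.100' sorts
    before '2.90'. The 'SPn' suffix is an assumed inventory convention."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\s*SP\s*(\d+))?", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, sp = m.groups()
    return (int(major), int(minor), int(sp or 0))


def needs_upgrade(version):
    """True when the installed release predates the fixed 3.00 release."""
    return parse_version(version)[:2] < FIXED_VERSION


def parse_line(line):
    """Split one log line into a dict of timestamp, event and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(m["rest"])}
    return {"ts": m["ts"], "event": m["event"], **fields}


def in_mgmt_network(src):
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def detect(log_text):
    """Return (timestamp, reason) findings: successful logins from outside
    the management network, and queries carrying injection markers."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        if rec["event"] == "AUTH_OK" and not in_mgmt_network(rec.get("src", "")):
            findings.append((rec["ts"], f"{rec.get('role')} login for {rec.get('user')} "
                                        f"from outside the management network: {rec.get('src')}"))
        elif rec["event"] == "SQL" and SQL_RE.search(rec.get("query", "")):
            findings.append((rec["ts"], f"injection markers in query from {rec.get('src')}: "
                                        f"{rec['query'][:60]}"))
    return findings


# Constructed sample log: one operator login, then an external host that
# reaches an admin session and starts probing the database.
SAMPLE_LOG = """\
2023-10-26T08:01:12Z AUTH_OK user=jsmith src=10.20.0.5 role=operator
2023-10-26T08:03:40Z AUTH_FAIL user=admin src=203.0.113.9 role=-
2023-10-26T08:03:41Z AUTH_OK user=admin src=203.0.113.9 role=admin
2023-10-26T08:04:02Z SQL src=203.0.113.9 query="SELECT * FROM Personnel WHERE LastName = 'Smith'"
2023-10-26T08:04:15Z SQL src=203.0.113.9 query="SELECT * FROM Personnel WHERE LastName = '' OR '1'='1' --"
2023-10-26T08:05:00Z SQL src=203.0.113.9 query="SELECT 1; EXEC xp_cmdshell 'whoami'"
"""

if __name__ == "__main__":
    for host, ver in [("ccure-prod", "2.90 SP2"), ("ccure-standby", "3.00")]:
        print(f"{host}: {ver} -> {'UPGRADE' if needs_upgrade(ver) else 'ok'}")
    for ts, reason in detect(SAMPLE_LOG):
        print(ts, reason)
```

The benign `LastName = 'Smith'` query is left alone, while the tautology, the comment truncation and the stacked `xp_cmdshell` call are each flagged; the external admin session is flagged on the login line itself, before any query runs. Signature matching of this kind is a starting point, not a substitute for the upgrade: the authentication bypass leaves no failed-login trail to alert on, which is why the source-network check matters.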
