{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32752", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-04-17T17:26:35.180Z", "datePublished": "2024-06-06T20:49:53.476Z", "dateUpdated": "2025-04-24T20:05:35.350Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "iSTAR Configuration Utility (ICU)", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "All", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "affected", "product": "iSTAR Pro, Edge and eX", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "All", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "affected", "product": "iSTAR Ultra and Ultra LT", "vendor": "Johnson Controls", "versions": [{"lessThan": "6.6.B", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Reid Wightman"}], "datePublic": "2025-04-24T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The iSTAR door controllers running firmware prior to version 6.6.B do not support authenticated\ncommunications with ICU, which may allow an attacker to gain unauthorized access"}], "value": "The iSTAR door controllers running firmware prior to version 6.6.B do not support authenticated\ncommunications with ICU, which may allow an attacker to gain unauthorized access"}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248: Command Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": 
"NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2025-04-24T20:05:35.350Z"}, "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-04"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\u2022 Replace the iSTAR Pro, Edge and eX door controllers with a current generation iSTAR door controller (such\nas iSTAR Ultra G2) which supports authentication and prevents the ICU from making configuration\nchanges.\n<br>\u2022 Ensure your iSTAR Ultra and Ultra LT door controllers are running firmware 6.6.B or greater. 
\n\n<br>"}], "value": "\u2022 Replace the iSTAR Pro, Edge and eX door controllers with a current generation iSTAR door controller (such\nas iSTAR Ultra G2) which supports authentication and prevents the ICU from making configuration\nchanges.\n\n\u2022 Ensure your iSTAR Ultra and Ultra LT door controllers are running firmware 6.6.B or greater."}], "source": {"discovery": "UNKNOWN"}, "title": "Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "johnsoncontrols", "product": "software_house_istar_pro_door_controller", "cpes": ["cpe:2.3:h:johnsoncontrols:software_house_istar_pro_door_controller:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "all", "status": "affected"}]}, {"vendor": "johnsoncontrols", "product": "icu", "cpes": ["cpe:2.3:h:johnsoncontrols:icu:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "all", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T16:00:39.441305Z", "id": "CVE-2024-32752", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T16:15:20.239Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.187Z"}, "title": "CVE Program Container", "references": 
[{"url": "https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2024/jci-psa-2024-06.pdf", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-04", "tags": ["x_transferred"]}]}]}}