Johnson Controls Facility Explorer (ICSA-19-022-01)

The NCCIC has published an advisory on path traversal and improper authentication vulnerabilities in Johnson Controls Facility Explorer. Versions 14.x prior to 14.4u1 and 6.x prior to 6.6 are affected. Successful exploitation of these vulnerabilities could allow an attacker to read, write, and delete sensitive files to gain administrator privileges in the Facility Explorer system. Johnson Controls has mitigated these vulnerabilities in the updated versions, which the NCCIC recommends users upgrade to. The NCCIC also advises on a series of mitigating measures for this vulnerability. Read the advisory at NCCIC/ICS-CERT.