CVE-2020-9047

exacqVision Software - Improper Verification of Cryptographic Signature

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system.

Se presenta una vulnerabilidad que podría permitir una ejecución de código no autorizado o comandos del Sistema Operativo en sistemas que ejecutan exacqVision Web Service versiones 20.06.3.0 y anteriores y exacqVision Enterprise Manager versiones 20.06.3.0 y anteriores. Un atacante con privilegios administrativos podría descargar potencialmente y correr un ejecutable mal20.06.4.0icioso que podría permitir una inyección de comandos del Sistema Operativo en el sistema

*Credits: Michael Norris

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-02-18 CVE Reserved
2020-06-26 CVE Published
2020-07-13 First Exploit
2024-08-04 CVE Updated
2025-02-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-347: Improper Verification of Cryptographic Signature

CAPEC

References (3)

URL	Tag	Source
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Third Party Advisory
https://www.us-cert.gov/ics/advisories/ICSA-20-170-01	Third Party Advisory

URL	Date	SRC
https://github.com/norrismw/CVE-2020-9047	2020-07-13

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Johnsoncontrols Search vendor "Johnsoncontrols"		Exacqvision Enterprise Manager Search vendor "Johnsoncontrols" for product "Exacqvision Enterprise Manager"				<= 20.06.4.0 Search vendor "Johnsoncontrols" for product "Exacqvision Enterprise Manager" and version " <= 20.06.4.0"		-		Affected
Johnsoncontrols Search vendor "Johnsoncontrols"		Exacqvision Web Service Search vendor "Johnsoncontrols" for product "Exacqvision Web Service"				<= 20.06.3.0 Search vendor "Johnsoncontrols" for product "Exacqvision Web Service" and version " <= 20.06.3.0"		-		Affected