Improper Authentication for OpenBlue Enterprise Manager Data Collector
CVE-2023-2024

10CRITICAL

Key Information:

Vendor: Johnson Controls
Status: Openblue Enterprise Manager Data Collector
Vendor: CVE Published:; 18 May 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-2024?

The OpenBlue Enterprise Manager Data Collector suffers from an improper authentication vulnerability, which can potentially allow unauthorized users to gain access to sensitive information or systems in certain scenarios. This issue affects versions prior to 3.2.5.75, emphasizing the need for users to update to the latest version to mitigate security risks. For more detailed information, refer to the security advisories provided by Johnson Controls and the Cybersecurity and Infrastructure Security Agency (CISA).

Affected Version(s)

OpenBlue Enterprise Manager Data Collector 0 < 3.2.5.75

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-2024
Created by team890

References

https://www.johnsoncontrols.com/cyber-solutions/security-...

https://www.cisa.gov/news-events/ics-advisories/icsa-23-1...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Dec 4, 2023
👾
Exploit known to exist
Dec 4, 2023
Vulnerability published
May 18, 2023
Vulnerability Reserved
Apr 13, 2023

Credit

Rushank Shetty, Security Researcher at Northwestern Mutual