Uncontrolled Resource Consumption in Metasys and Facility Explorer
CVE-2023-4486

7.5HIGH

Key Information:

Vendor: Johnson Controls
Status: Metasys NAE55/SNE/SNC; Facility Explorer F4-SNC
Vendor: CVE Published:; 7 December 2023

What is CVE-2023-4486?

A vulnerability exists in Johnson Controls' Metasys and Facility Explorer products, where invalid authentication credentials can be sent to the login endpoint. This issue may lead to denial-of-service conditions, disrupting the normal operations of affected systems. Specifically, it impacts Metasys NAE55, SNE, and SNC engines before version 12.0.4, as well as Facility Explorer F4-SNC engines before versions 11.0.6 and 12.0.4. To mitigate risks, users are advised to apply available patches and monitor for any unauthorized access attempts.

Affected Version(s)

Facility Explorer F4-SNC 12.0 < 12.0.4

Facility Explorer F4-SNC 11.0 < 11.0.6

Metasys NAE55/SNE/SNC 12.0 < 12.0.4

References

https://www.johnsoncontrols.com/cyber-solutions/security-...

https://www.cisa.gov/news-events/ics-advisories/icsa-23-3...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 7, 2023
Vulnerability Reserved
Aug 22, 2023