Controller Broadcasts Personal Information During Factory Reset
CVE-2024-32754

3.1LOW

Key Information:

Vendor: Johnson Controls
Status: Kantech Kt1 Door Controller, Rev01; Kantech Kt2 Door Controller, Rev01; Kantech Kt400 Door Controller, Rev01
Vendor: CVE Published:; 4 July 2024

What is CVE-2024-32754?

Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.

Affected Version(s)

Kantech KT1 Door Controller, Rev01 0 <= 2.09.10

Kantech KT2 Door Controller, Rev01 0 <= 2.09.10

Kantech KT400 Door Controller, Rev01 0 <= 3.01.16

References

https://www.johnsoncontrols.com/trust-center/cybersecurit...

https://www.cisa.gov/news-events/ics-advisories/icsa-24-1...

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 4, 2024
Vulnerability Reserved
Apr 17, 2024

Credit

National Computer Emergency Response Team (CERT) of India

Johnson Controls

What is CVE-2024-32754?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit