PT-2015-3808 · Johnson Controls · Metasys

Billy Rios

Published

2015-03-29

Updated

2015-03-30

CVE-2014-5428

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Johnson Controls Metasys versions 4.1 through 6.5

Description The issue allows remote attackers to execute arbitrary code by uploading a shell script due to an unrestricted file upload vulnerability in unspecified web services.

Recommendations For versions 4.1 through 6.5, restrict access to the web services to minimize the risk of exploitation. As a temporary workaround, consider disabling the file upload functionality until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2014-5428

Affected Products

Metasys

PT-2015-3808 · Johnson Controls · Metasys

CVE-2014-5428

Related Identifiers

Affected Products

References · 2