PT-2024-24827 · Johnson Controls · Kt1+2

Published: 2024-07-04 · Updated: 2024-08-19 · CVE-2024-32754

CVSS v3.1: 3.1 (Low)
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: KT1, KT2, and KT400 controllers (affected versions not specified)
Description: The controller broadcasts sensitive information while it is in factory reset mode. Specifically, under certain circumstances it broadcasts its MAC address, serial number, and firmware version; the broadcasting stops once the controller is configured. The advisory gives no estimate of the number of potentially affected devices worldwide and no details of real-world incidents in which this issue was exploited.
Recommendations: Update to the safer versions advised by Johnson Controls to protect against exposure of private data when the controller is reset to factory settings. As a temporary workaround, consider restricting access to the controller while it is in factory reset mode to minimize the risk of exploitation.

Fix · Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2024-32754

Affected Products: Kt1, Kt2, Kt400