These advisories highlight severe security flaws with CVSS v4 scores ranging from 8.5 to 8.7, exposing critical infrastructure across multiple sectors to potential cyberattacks and unauthorized access.

The CWE-79 (cross-site scripting) classified vulnerability allows attackers to steal session tokens and potentially take control of the entire service remotely with low attack complexity. Notably, Leviton has not responded to CISA's requests for collaboration on mitigation strategies, leaving users to contact customer support independently for additional information and patches.

Johnson Controls' C-CURE 9000 Site Server exposes executable directories with incorrect default permissions. This CWE-276 vulnerability provides insufficient protection of directories containing executables under certain circumstances. Johnson Controls has released specific mitigation instructions through a Product Security Advisory, recommending removal of Full Control and Write permissions for non-administrator accounts on the C:\CouchDB\bin path.

The CVE-2024-22774 vulnerability, scoring 8.5 on CVSS v4, enables standard users to escalate privileges to NT AUTHORITY\SYSTEM through DLL hijacking techniques. Blue Team Alpha LLC discovered and reported this vulnerability, which requires local access but provides complete system compromise upon successful exploitation.

While no known public exploitation has been reported for these vulnerabilities, their high CVSS scores and widespread deployment across critical infrastructure sectors necessitate immediate attention and remediation efforts.
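As an added defensive check (not part of the advisory and not Johnson Controls' own guidance), the following PowerShell script audits a service binary directory for the condition the CWE-276 finding describes: "Allow" ACEs that grant write-class rights to principals other than SYSTEM and Administrators, which is what lets a standard user plant a DLL for hijacking. It takes the C:\CouchDB\bin path named above as its default; the trusted-principal list is an assumption to adjust for the host. Run it elevated in audit mode first, and pass -Remediate only after reviewing the report, because remediation strips the write-class bits from each flagged entry while leaving read and execute rights intact.

```powershell
# Added example: audit (and optionally tighten) write-class rights on an
# executable directory. Not from the advisory; path default taken from it.
param(
    [string]$Path = 'C:\CouchDB\bin',   # directory named in the advisory summary
    [switch]$Remediate                  # remove write-class rights instead of only reporting
)

# Principals expected to hold write access on a service binary directory (assumption).
# CREATOR OWNER only applies to objects a principal could already create, so it is
# excluded from the report to avoid noise.
$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that let a principal add, replace or delete files, or change the ACL itself.
# Deliberately excludes Modify/FullControl as masks: they carry read bits too and
# would match read-only entries. FullControl still matches because it contains these bits.
$R = [System.Security.AccessControl.FileSystemRights]
$writeClass = [int]($R::Write -bor $R::CreateDirectories -bor $R::Delete -bor
                    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                    $R::TakeOwnership)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "Path not found: $Path"
    exit 1
}

function Get-WriteClassFindings {
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        # Only Allow entries grant access; Deny entries restrict it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($trustedPrincipals -contains $who) { continue }
        $granted = [int]$ace.FileSystemRights -band $writeClass
        if ($granted -ne 0) {
            [pscustomobject]@{
                Principal  = $who
                Rights     = $ace.FileSystemRights
                WriteBits  = [System.Security.AccessControl.FileSystemRights]$granted
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$acl = Get-Acl -LiteralPath $Path
$findings = @(Get-WriteClassFindings -Acl $acl)

if ($findings.Count -eq 0) {
    Write-Host "OK: no non-administrator principal holds write-class rights on $Path"
    exit 0
}

Write-Host "Write-class rights held by non-administrator principals on ${Path}:"
$findings | Format-Table -AutoSize

if (-not $Remediate) { exit 2 }

if ($findings | Where-Object Inherited) {
    # Inherited ACEs cannot be removed in place: stop inheritance while copying
    # the current entries as explicit ones, then strip the write bits from those.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
}

foreach ($f in Get-WriteClassFindings -Acl $acl) {
    # Build a rule holding only the offending bits so read/execute survive removal.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $f.Principal, $f.WriteBits,
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    [void]$acl.RemoveAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl
Write-Host "Remediated: write-class rights removed for $($findings.Count) entries on $Path"
```

The script exits 0 when the directory is clean, 2 when findings were reported but not changed, and 1 on a missing path, so it can be dropped into a configuration-compliance check. Re-run it without -Remediate afterwards to confirm that the service account, if any, still has the rights it needs, and add that account to $trustedPrincipals if it legitimately writes to the directory.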
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Jul 2025 10:00:15 +0000