Vulnerabilities > CVE-2021-27661 - Incorrect Authorization vulnerability in Johnsoncontrols F4-Snc Firmware 11

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

johnsoncontrols

CWE-863

NVD

Published: 2021-07-01

Updated: 2021-07-07

Summary

Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.

Vulnerable Configurations

Part	Description	Count
OS	Johnsoncontrols Johnsoncontrols F4 SNC Firmware 11	1
Hardware	Johnsoncontrols Johnsoncontrols F4 SNC -	1

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01