CVE-2024-32754

Vulnerability

Description

CVE-2024-32754 is an information-exposure vulnerability affecting Kantech KT1, KT2, and KT400 door controllers from Johnson Controls [2]. When a controller is in factory-reset mode waiting for initial configuration, it continually broadcasts its MAC address, serial number, and firmware version over the adjacent network [1][2]. Once the controller has been fully configured, this broadcast stops. The root cause lies in the factory-reset process lacking protection against passive reconnaissance during the setup phase.

Attack

Vector and Prerequisites

Exploitation requires an attacker to be on the same adjacent network as the unconfigured controller [2]. No authentication or user interaction is necessary; the vulnerability is triggered simply by the controller being in its factory-reset state. An attacker with network sniffing capabilities can capture the broadcasted information without any active manipulation of the device.

Impact

Successful capture of the broadcasted data reveals device-identifying information that may be used for further targeted attacks, such as locating vulnerable controllers on a network or mapping internal devices. The disclosure is limited to MAC address, serial number, and firmware version, and does not expose passwords or configuration details. The CVSS v3.1 base score is 3.1 (Low), with a vector string of AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N [2].

Mitigation

Johnson Controls has released firmware updates to address the vulnerability: KT1 and KT2 controllers should be updated to version 3.10.12 or later, and KT400 controllers to version 3.03 or later [2]. The advisory JCI-PSA-2024-13 provides detailed upgrade instructions [1]. Users are also advised to minimize network exposure for control system devices and ensure they are not directly accessible from the internet [2].