CVE-2021-27664
published 2021-10-11

CVE-2021-27664: Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.

Priority: P268 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.50% (71.1st percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
johnson_controls | exacqvision_web_service | 21.06.11.0 – 21.06.11.0 | (none listed)
johnsoncontrols | exacqvision_web_service | <= 20.06.11.0 | (none listed)
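The version ranges above are what an inventory check has to implement, and the classic mistake is comparing version strings lexicographically ("21.06.9.0" sorts after "21.06.11.0" as text, so an affected build is missed). The following is an added example, not code from the advisory or from Johnson Controls: it parses dotted versions into integer tuples and triages a constructed host inventory against the cutoff the advisory states (21.06.11.0 or older). The hostnames and versions in the sample inventory are made up, and the `LAST_AFFECTED` constant is taken from the advisory text rather than from the two CPE ranges in the table.

```python
"""Inventory check for CVE-2021-27664 (exacqVision Web Service 21.06.11.0 or older).

Added example, not part of the advisory. Versions are compared numerically,
segment by segment, because a plain string comparison orders "21.06.9.0"
after "21.06.11.0" and would silently skip an affected build.
"""
from __future__ import annotations

from itertools import zip_longest

# Highest affected version named in the advisory text ("21.06.11.0 or older").
LAST_AFFECTED = "21.06.11.0"


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '21.06.11.0' into (21, 6, 11, 0); reject anything non-numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {s!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b; shorter versions are zero-padded."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def is_affected(version: str) -> bool:
    """True when the reported Web Service version is 21.06.11.0 or older."""
    return compare_versions(version, LAST_AFFECTED) <= 0


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {host: version} inventory into affected / not-listed / unparseable buckets.

    "not_listed" means newer than the advisory's range, not "confirmed fixed":
    the advisory lists no fixed version.
    """
    buckets: dict[str, list[str]] = {"affected": [], "not_listed": [], "unparseable": []}
    for host, version in inventory.items():
        try:
            buckets["affected" if is_affected(version) else "not_listed"].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "nvr-01.example.internal": "21.06.11.0",  # exactly the last affected build
    "nvr-02.example.internal": "21.06.9.0",   # older; a string compare would miss it
    "nvr-03.example.internal": "20.12.3.0",   # older
    "nvr-04.example.internal": "21.09.2.0",   # newer than the listed range
    "nvr-05.example.internal": "unknown",     # agent could not read the version
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Feed `triage` the version field from whatever asset inventory or vulnerability scanner already records exacqVision builds; hosts that land in `unparseable` need a manual check rather than being treated as clean.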

Detection & IOCs (extracted from sources)

  • Target affected product: exacqVision Web Service version 21.06.11.0 or older is vulnerable to unauthenticated remote credential access.
  • Vulnerability class is Improper Privilege Management (CWE-269), allowing unauthenticated remote access to stored credentials; monitor for unauthenticated requests to exacqVision Web Service endpoints that return or expose credential data.
  • No public exploit was known at the time of the advisory; prioritize detection of anomalous unauthenticated access patterns against the exacqVision Web Service.
  • The vulnerability is only triggered under certain configurations, so not every deployment is exposed.
  • The CVSS v3 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network-exploitable, no-authentication, no-interaction attack surface; treat any internet-exposed exacqVision Web Service as critically at risk.

CVSS provenance

Source | Version | Score | Vector
NVD | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD | v2.0 | 6.8 MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P