CVE-2023-4486 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2023-4486?

CVE-2023-4486 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-4486?

Check the references section above for vendor advisories and patch information. Affected products include: Johnsoncontrols Nae55 Firmware, Johnsoncontrols Nae55, Johnsoncontrols Sne22000 Firmware, Johnsoncontrols Sne22000, Johnsoncontrols Sne11000 Firmware.

Vulnerability Description

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Johnsoncontrols	Nae55 Firmware	< 12.0.4
Johnsoncontrols	Nae55	-
Johnsoncontrols	Sne22000 Firmware	< 12.0.4
Johnsoncontrols	Sne22000	-
Johnsoncontrols	Sne11000 Firmware	< 12.0.4
Johnsoncontrols	Sne11000	-
Johnsoncontrols	Sne10500 Firmware	< 12.0.4
Johnsoncontrols	Sne10500	-
Johnsoncontrols	Sne110L0 Firmware	< 12.0.4
Johnsoncontrols	Sne110L0	-
Johnsoncontrols	Snc25150-0 Firmware	< 12.0.4
Johnsoncontrols	Snc25150-0	-
Johnsoncontrols	Snc25150-04 Firmware	< 12.0.4
Johnsoncontrols	Snc25150-04	-
Johnsoncontrols	Snc16120-0 Firmware	< 12.0.4
Johnsoncontrols	Snc16120-0	-
Johnsoncontrols	Snc16120-04 Firmware	< 12.0.4
Johnsoncontrols	Snc16120-04	-
Johnsoncontrols	F4-Snc Firmware	< 11.0.6
Johnsoncontrols	F4-Snc	-

Related Weaknesses (CWE)

CWE-770 CWE-400

References

https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03Third Party AdvisoryUS Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisoriesVendor Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03Third Party AdvisoryUS Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisoriesVendor Advisory

FAQ

What is CVE-2023-4486?

CVE-2023-4486 is a vulnerability with a CVSS score of 7.5 (HIGH). Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and ...

How severe is CVE-2023-4486?

CVE-2023-4486 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-4486?

Check the references section above for vendor advisories and patch information. Affected products include: Johnsoncontrols Nae55 Firmware, Johnsoncontrols Nae55, Johnsoncontrols Sne22000 Firmware, Johnsoncontrols Sne22000, Johnsoncontrols Sne11000 Firmware.