Severity
High
Analysis Summary
CVE-2023-2024 CVSS:10
Johnson Controls OpenBlue Enterprise Manager Data Collector could allow a remote attacker to bypass security restrictions because its API calls do not properly validate authentication. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVE-2023-2025 CVSS:5
Johnson Controls OpenBlue Enterprise Manager Data Collector could allow a remote authenticated attacker to obtain sensitive information because its API calls do not properly validate authorization. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and use it to launch further attacks against the affected system.
Impact
- Security Bypass
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-2024
- CVE-2023-2025
Affected Vendors
Johnson Controls
Affected Products
- Johnson Controls OpenBlue Enterprise Manager Data Collector 3.2.5
Remediation
Refer to the Johnson Controls Security Advisory for patch, upgrade, or suggested workaround information.