CVE-2023-2025 Report - Details, Severity, Advisories and More

Twingate Team

Jan 11, 2024

CVE-2023-2025 is a medium-severity vulnerability in Johnson Controls' OpenBlue Enterprise Manager Data Collector, affecting versions prior to 3.2.5.75. Under certain circumstances, the Data Collector's API calls may return sensitive information to users who are not authorized to see it. For the authoritative description, scoring and affected-configuration data, refer to the NVD entry and the CISA advisory linked below.

How do I know if I'm affected?

If you run OpenBlue Enterprise Manager Data Collector, check the installed software version. Every version prior to 3.2.5.75 is affected. Compare versions component by component as numbers rather than as strings, since a string comparison will misorder releases such as 3.2.5.9 and 3.2.5.75. If your version is older than 3.2.5.75, the instance may expose sensitive information to unauthorized users through its API under certain circumstances.
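The version comparison described above, as an added example that is not part of the original page and not Johnson Controls code. It assumes you have already read the installed version string from the Data Collector's own interface; the page does not say how the product reports its version, so that step is left to the operator. The sample inventory values at the bottom are constructed, not real hosts.

```python
"""Affected-version check for CVE-2023-2025.

OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 are
affected (per NVD/CISA). Added example; not Johnson Controls code.
"""
import re
from typing import Tuple

# Fixed version stated in the NVD entry and the CISA advisory.
FIXED_VERSION = "3.2.5.75"

# Accepts dotted numeric versions, optionally prefixed with "v".
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.5.75' (or 'v3.2.5.75') into a tuple of ints.

    Integer tuples compare numerically per component, which avoids the
    classic bug where a string comparison treats '3.2.5.9' as newer
    than '3.2.5.75' because '9' sorts after '7'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad the shorter tuple with zeros so '3.2.5' == '3.2.5.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly older than the fixed version."""
    inst, fix = _pad(parse_version(installed), parse_version(fixed))
    return inst < fix


def assess(installed: str) -> str:
    """One-line verdict for a host; unparseable versions are flagged, not guessed."""
    try:
        if is_affected(installed):
            verdict = f"AFFECTED - update to {FIXED_VERSION} or later"
        else:
            verdict = "not affected"
    except ValueError as exc:
        verdict = f"unknown ({exc}); verify manually"
    return f"{installed}: {verdict}"


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts). "3.2.5.9" is the case
    # a naive string comparison gets wrong; "3.2.5-beta" shows the
    # fail-closed handling of a version format this checker does not know.
    for version in ["3.2.5.74", "3.2.5.75", "3.2.5.9", "3.10.0.0",
                    "v3.2.5.80", "3.2.5", "3.2.5-beta"]:
        print(assess(version))
```

Feed `assess()` the version strings from your asset inventory; anything it cannot parse is reported as unknown rather than silently marked safe.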

What should I do if I'm affected?

If you're affected, update OpenBlue Enterprise Manager Data Collector to version 3.2.5.75 or later; contact Johnson Controls to obtain the update. Until the update is applied, reduce exposure of the API: make sure the Data Collector is not reachable from the internet, place it behind a firewall that restricts access to the hosts that need it, and require a VPN or equivalent authenticated remote-access path rather than exposing the service directly.

Where can I go to learn more?

For more information and related resources, check out the following references:

  • NVD - CVE-2023-2025: Provides details about the vulnerability, its severity, and affected software configurations, along with advisories, solutions, and tools.

  • Johnson Controls OpenBlue Enterprise Manager Data Collector | CISA: Offers information about the vulnerabilities associated with the product, risk evaluation, technical details, affected products, and recommended mitigations.

  • Product Security Advisories: Lists product security advisories from Johnson Controls, detailing vulnerabilities and security issues in their products and solutions. Users can report potential vulnerabilities and sign up for email notifications.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-2025 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog.

Weakness enumeration

The vulnerability is classified under two weakness enumerations: CWE-668 (Exposure of Resource to Wrong Sphere), the resource being exposed outside the set of users meant to reach it, and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), the consequence of that exposure for the data returned by the API.

For more details

CVE-2023-2025 is a medium-severity vulnerability that may expose sensitive information to unauthorized users in certain situations. To learn more about this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD page for comprehensive information.
