CVE-2023-2025 Report - Details, Severity, & Advisories

Twingate Team

Jan 11, 2024

CVE-2023-2025 is a medium-severity vulnerability affecting OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75. Under certain circumstances, this vulnerability may expose sensitive information to unauthorized users through API calls. The affected systems are part of the OpenBlue Enterprise Manager Data Collector by Johnson Controls.

How do I know if I'm affected?

If you're using the OpenBlue Enterprise Manager Data Collector software and want to know if you're affected by this vulnerability, simply check your software version. The affected versions are those prior to 3.2.5.75. If your version is older than 3.2.5.75, you may be at risk of exposing sensitive information to unauthorized users under certain circumstances.
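Because the affected range is defined by a dotted four-part version, a plain string comparison gives the wrong answer (as strings, "3.2.5.9" sorts after "3.2.5.75"). The following is an added example, not code from the advisory or from Johnson Controls: a component-wise version check against the 3.2.5.75 threshold stated above, run over a constructed inventory of hostnames and version strings.

```python
from typing import Dict, Tuple

# Fixed build named in the advisory: releases prior to this one are affected.
FIXED_VERSION = "3.2.5.75"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version such as '3.2.5.75' into a tuple of ints.

    Numeric, component-wise parsing matters: comparing the raw strings
    would rank '3.2.5.9' above '3.2.5.75', which is wrong.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Missing trailing components count as zero, so '3.2.5' == '3.2.5.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed Data Collector build is prior to the fixed build."""
    return compare_versions(installed, fixed) < 0


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to an update verdict."""
    return {host: ("update required" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real data.
    sample = {"collector-01": "3.2.5.74", "collector-02": "3.2.5.75",
              "collector-03": "3.2.5.9", "collector-04": "3.2.6"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```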

What should I do if I'm affected?

If you're affected by this vulnerability, update your OpenBlue Enterprise Manager Data Collector firmware to version 3.2.5.75. Contact Johnson Controls to obtain the update. To minimize risk, ensure your devices aren't accessible from the internet, place them behind firewalls, and use secure methods like VPNs for remote access.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-2025 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog.

Weakness enumeration

This vulnerability is classified under two weakness enumerations: CWE-668 (Exposure of Resource to Wrong Sphere), which covers making a resource available outside its intended control sphere, and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which covers revealing sensitive information to actors not authorized to see it.

For more details

CVE-2023-2025 is a medium-severity vulnerability that may expose sensitive information to unauthorized users in certain situations. To learn more about this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the links below.
