Johnson Controls recently announced patches for a critical vulnerability found by an external researcher in some of its industrial refrigeration products.

According to advisories published by Johnson Controls and the US cybersecurity agency CISA, the flaw, tracked as CVE-2023-4804, can “allow an unauthorized user to access debug features that were accidentally exposed”.

Impacted products include Frick Quantum HD Unity Compressor, AcuAir, Condenser/Vessel, Evaporator, Engine Room, and Interface control panels. 

Frick refrigeration products are advertised by the vendor for the food and beverage industry. According to CISA, the impacted products are used worldwide, including in the critical manufacturing sector.

Johnson Controls has released updates for each of the impacted control panels to patch the vulnerability, which has been assigned a CVSS score of 10.

The researcher who reported the flaw to Johnson Controls told SecurityWeek that the vulnerability could allow an attacker to take full administrative control of a Quantum HD system.

It’s unclear exactly what an attacker could achieve by exploiting this particular product in a real world environment but, in general, cyberattacks targeting refrigeration systems could be used to cause disruption and financial damage. For example, by changing temperature settings, an attacker could reduce the lifespan or quality of stored goods. 

In the case of Quantum HD products, the researcher said there are at least a handful of systems located in North America that are exposed to the internet and may be vulnerable to attacks. 

According to the researcher, it took Johnson Controls roughly six months to roll out the patches.

“[Johnson Controls International] was a pleasure to work with. First off, they actually have a responsible disclosure process, and a product security team. That’s more than many ICS/SCADA vendors can claim. Their team was very responsive,” the researcher noted. “It took longer than originally anticipated to release the patch, because as they continued to dig in, they found that the impact was wider than originally anticipated and they wanted to fix all the platforms at the same time.”

The researcher also made an interesting point about how the vulnerability may have ended up in a Johnson Controls product. 

“It seems as this was a deeper ‘software supply chain’ issue, as the original vendor was Frick, who was bought by York, who became part of Johnson Controls,” the researcher said. “That speaks to the larger issue of due diligence during mergers and acquisitions.” 

“I was rather surprised to be the first one to have reported the issue, given its low attack complexity. That leads me to believe that they didn’t have visibility to it because it was two levels deep in the noise of acquisitions,” the expert added.

Related: Johnson Controls Ransomware Attack Could Impact DHS

Related: Johnson Controls Hit by Ransomware