CVE-2020-9045

C•CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software.

Description

During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.

Remediation

Solution:

  • All users should upgrade to the latest version. Please note that while the upgrade will automatically remove the log file, we recommend that existing deployments securely delete the log file from the path c:\ProgramData\Tyco\InstallerTemp and then change the password for the affected user account.
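
The cleanup step above can be scripted for hosts that ran the affected installer. This PowerShell script is an added example, not code from Johnson Controls or from this page. Assumptions: the advisory does not name the log file, so every file under the directory is inventoried and removed, and the `$InstallerTemp` parameter name and the zero-overwrite approach are illustrative choices.

```powershell
# Added example (not vendor code): inventory and remove leftover installer files
# from the directory named in the advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Path taken from the advisory text; parameter name is hypothetical.
    [string]$InstallerTemp = 'C:\ProgramData\Tyco\InstallerTemp'
)

if (-not (Test-Path -LiteralPath $InstallerTemp)) {
    Write-Output "Not present: $InstallerTemp (nothing to clean on this host)"
    return
}

# The advisory does not name the log file, so all files under the directory are handled.
$files = @(Get-ChildItem -LiteralPath $InstallerTemp -File -Recurse -Force)

foreach ($f in $files) {
    # Record exposure before removal: age of the file and which identities hold Allow entries.
    $acl = Get-Acl -LiteralPath $f.FullName
    [pscustomobject]@{
        Path              = $f.FullName
        Bytes             = $f.Length
        LastWriteUtc      = $f.LastWriteTimeUtc
        Owner             = $acl.Owner
        AllowedIdentities = ($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique) -join '; '
    }

    if ($PSCmdlet.ShouldProcess($f.FullName, 'Overwrite with zeros and delete')) {
        if ($f.IsReadOnly) { $f.IsReadOnly = $false }
        # Best-effort overwrite: SSD wear levelling, backups and volume shadow
        # copies can still hold the old contents, so the password change is required.
        $stream = [System.IO.File]::Open($f.FullName, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Write)
        try {
            $zeros = New-Object byte[] 65536
            $left = $f.Length
            while ($left -gt 0) {
                $n = [int][Math]::Min($left, $zeros.Length)
                $stream.Write($zeros, 0, $n)
                $left -= $n
            }
            $stream.Flush()
        } finally { $stream.Dispose() }
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
Write-Output "Processed $($files.Count) file(s). Change the installer account's password next."
```

Run it from an elevated session with `-WhatIf` first to get the inventory without modifying anything.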

CVSS: 9.9
Severity: Critical
EPSS: 0.17%
Vendor Advisory: johnsoncontrols.com
Affected: Johnson Controls Software House C•CURE 9000 v2.70
Affected: Johnson Controls American Dynamics victor Video Management System v5.2

Frequently Asked Questions

What is the severity of CVE-2020-9045?
CVE-2020-9045 has been scored as a critical severity vulnerability.
How to fix CVE-2020-9045?
To fix CVE-2020-9045: All users should upgrade to the latest version. Please note that while the upgrade will automatically remove the log file, we recommend that existing deployments securely delete the log file from the path c:\ProgramData\Tyco\InstallerTemp and then change the password for the affected user account.
Is CVE-2020-9045 being actively exploited in the wild?
At present, there is no information confirming that CVE-2020-9045 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-9045?
CVE-2020-9045 affects Johnson Controls Software House C•CURE 9000 v2.70, Johnson Controls American Dynamics victor Video Management System v5.2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.