CVE-2024-32754

Johnson Controls Kantech KT1, KT2, and KT400 Door Controllers - Exposure of Sensitive Information

Description

Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.

Remediation

Solution:

  • Update Kantech door controllers as follows:
      • Update Kantech KT1 Door Controller to at least version 3.10.12
      • Update Kantech KT2 Door Controller to at least version 3.10.12
      • Update Kantech KT400 Door Controller to at least version 3.03

CVSS

Severity: Low
CVSS 3.1
EPSS 0.04%
Affected: Johnson Controls Kantech KT1 Door Controller, Rev01
Affected: Johnson Controls Kantech KT2 Door Controller, Rev01
Affected: Johnson Controls Kantech KT400 Door Controller, Rev01
Published at:
Updated at:

Frequently Asked Questions

What is the severity of CVE-2024-32754?
CVE-2024-32754 has been scored as a low severity vulnerability.
How to fix CVE-2024-32754?
To fix CVE-2024-32754, update Kantech door controllers as follows:

  • Update Kantech KT1 Door Controller to at least version 3.10.12
  • Update Kantech KT2 Door Controller to at least version 3.10.12
  • Update Kantech KT400 Door Controller to at least version 3.03
Is CVE-2024-32754 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-32754 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-32754?
CVE-2024-32754 affects Johnson Controls Kantech KT1 Door Controller, Rev01; Johnson Controls Kantech KT2 Door Controller, Rev01; and Johnson Controls Kantech KT400 Door Controller, Rev01.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.