
CVE-2024-0912: C-CURE 9000 Information Disclosure Flaw

CVE-2024-0912 is an information disclosure vulnerability in Johnson Controls C-CURE 9000 SiteServer that exposes Windows credentials in IIS logs. This article covers the technical details, affected systems, and mitigation.

Updated: January 22, 2026

CVE-2024-0912 Overview

CVE-2024-0912 is a high-severity information disclosure vulnerability affecting the Johnson Controls C•CURE 9000 Web Server. Under certain circumstances, the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. This sensitive data exposure could allow attackers with local access to harvest credentials and potentially escalate privileges or move laterally within the network.

The vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File), indicating that the application writes sensitive authentication data to log files that may be accessible to unauthorized parties. There is no impact to non-web service interfaces for C•CURE 9000 or prior versions.

Critical Impact

Windows credentials logged in plaintext within IIS logs could enable credential theft, privilege escalation, and lateral movement in enterprise environments using C•CURE 9000 physical access control systems.

Affected Products

  • Johnson Controls Software House C•CURE 9000 SiteServer version 3.00.2
  • C•CURE 9000 Web Server components hosted on Microsoft IIS
  • Environments using Windows authentication with C•CURE 9000 Web Server

Discovery Timeline

  • June 6, 2024 - CVE-2024-0912 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2024-0912

Vulnerability Analysis

This vulnerability represents a classic information disclosure flaw where sensitive authentication credentials are inadvertently written to log files. The C•CURE 9000 Web Server, when hosted on Microsoft IIS, fails to properly sanitize or exclude Windows credential information from being captured in server logs under certain operational conditions.

The root cause stems from improper handling of authentication data during the logging process. When users authenticate to the C•CURE 9000 Web Server using Windows credentials, the logging mechanism captures more information than necessary, including sensitive credential details that should never be persisted to disk.

Physical access control systems like C•CURE 9000 are critical infrastructure components often deployed in sensitive environments including government facilities, healthcare organizations, and financial institutions. Credential exposure in these contexts poses significant risks to overall security posture.

Root Cause

The vulnerability originates from CWE-532 (Insertion of Sensitive Information into Log File). The IIS logging configuration for the C•CURE 9000 Web Server does not properly filter or mask Windows authentication credentials before writing them to log files. This occurs because the application fails to implement appropriate data sanitization controls in the authentication workflow, allowing credential information to be captured in verbose logging output.

Attack Vector

The attack vector is local, requiring an attacker to have access to the system where the IIS logs are stored. An attacker with local access to the server hosting C•CURE 9000 Web Server could:

  1. Access IIS log files stored on the local file system
  2. Parse log entries to extract Windows credential information
  3. Use harvested credentials for authentication to other systems
  4. Escalate privileges within the domain if administrative credentials are captured
  5. Move laterally through the network using compromised credentials

Exploitation does not require a network-based attack, but it does require privileged local access and user interaction to trigger the logging condition. This limits the attack surface but does not diminish the severity when credentials of high-privilege users are exposed.

Detection Methods for CVE-2024-0912

Indicators of Compromise

  • Unusual access patterns to IIS log directories (%SystemDrive%\inetpub\logs\LogFiles)
  • Log file exfiltration attempts or large-scale log file reads
  • Authentication attempts using credentials that were previously only used for C•CURE 9000 access
  • Evidence of credential harvesting tools targeting IIS log locations

Detection Strategies

  • Monitor file access events on IIS log directories for unauthorized read operations
  • Implement file integrity monitoring (FIM) on C•CURE 9000 Web Server log locations
  • Audit administrative access to systems hosting C•CURE 9000 Web Server
  • Deploy endpoint detection and response (EDR) solutions to identify credential harvesting activities

Monitoring Recommendations

  • Enable Windows Security Event logging for file access (Event ID 4663) on IIS log directories
  • Configure SIEM alerts for bulk log file access or copying operations
  • Review access control lists on IIS log directories to enforce the principle of least privilege
  • Implement SentinelOne Singularity to monitor for suspicious file access patterns and credential theft techniques
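
One way to put the Event ID 4663 recommendation into practice is shown below. This is an added example, not code from SentinelOne or Johnson Controls. It assumes an English-language Windows install (for the audit subcategory name), and the allow-list of expected SIDs and the 24-hour window are constructed values to adapt.

```powershell
# Added example. Run in an elevated PowerShell session on the web server.
$LogDir       = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'  # path named on the page
$ExpectedSids = @('S-1-5-18')            # assumption: only LocalSystem normally touches the logs
$Since        = (Get-Date).AddDays(-1)   # assumption: review the last 24 hours

# 1. Enable success auditing for the File System subcategory
#    (subcategory name as it appears on English-language Windows).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit (SACL) entry so that reads by any account generate Event ID 4663.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $LogDir -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# 3. Later: collect 4663 events for objects under $LogDir raised by unexpected accounts.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['ObjectName'] -like "$LogDir\*" -and $d['SubjectUserSid'] -notin $ExpectedSids) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Process = $d['ProcessName']
            File    = $d['ObjectName']
        }
    }
}

# 4. Per-account event counts; a high count points to bulk reading or copying.
$hits | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The per-account summary in step 4 is the kind of output a SIEM rule for bulk log access would alert on; `$hits` keeps the individual events for follow-up.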

How to Mitigate CVE-2024-0912

Immediate Actions Required

  • Review and restrict access permissions to IIS log directories immediately
  • Rotate all Windows credentials that may have been logged during the vulnerable period
  • Audit IIS log files for exposed credential information and securely delete affected logs
  • Implement network segmentation to limit access to systems hosting C•CURE 9000 Web Server

Patch Information

Johnson Controls has issued a security advisory addressing this vulnerability. Administrators should consult the Johnson Controls Security Advisory JCI-PSA-2024-04 for specific patch information and remediation guidance. CISA has also published an Industrial Control Systems advisory with additional details available at CISA ICS Advisory ICSA-24-135-03.

Organizations should prioritize applying vendor-provided patches and follow the recommended upgrade path to address the credential logging issue in the C•CURE 9000 Web Server configuration.

Workarounds

  • Restrict file system access to IIS log directories to only essential administrative accounts
  • Configure IIS logging to exclude sensitive fields where possible
  • Implement log rotation policies to minimize the window of credential exposure
  • Consider disabling verbose logging on the C•CURE 9000 Web Server until patches are applied
  • Use dedicated service accounts with limited privileges for C•CURE 9000 Web Server authentication

REM Restrict IIS log directory permissions (example; run in an elevated Command Prompt)
REM Grant explicit access first so it is not lost when inherited entries are removed
icacls "%SystemDrive%\inetpub\logs\LogFiles" /grant:r "SYSTEM:(OI)(CI)F"
icacls "%SystemDrive%\inetpub\logs\LogFiles" /grant:r "Administrators:(OI)(CI)F"
icacls "%SystemDrive%\inetpub\logs\LogFiles" /inheritance:r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure
  • Vendor/Tech: Johnson Controls
  • Severity: HIGH
  • CVSS Score: 8.5
  • EPSS Probability: 0.05%
  • Known Exploited: No

CVSS Vector

  • CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: High
  • Availability: Low

CWE References

  • CWE-532

Technical References

  • CISA ICS Advisory ICSA-24-135-03
  • Johnson Controls Security Advisory JCI-PSA-2024-04

Related CVEs

  • CVE-2023-4804: Quantum HD Unity Information Disclosure
  • CVE-2026-21657: Frick Quantum HD Firmware RCE Vulnerability
  • CVE-2026-21658: Frick Quantum HD Firmware RCE Vulnerability
  • CVE-2026-21659: Frick Controls Quantum HD RCE Vulnerability