Author: Marius Creutznacher
| Risk Category: High | Document ID: QSYS-04-29-9001 |
| Document Version: 1.0 | Document Status: Final |
Description:
Q-SYS Core Processors do not require an administrator to set up remote authentication during configuration. This could allow a remote, unauthenticated attacker to perform one or more of the following privileged actions:
- Unauthenticated Packet Capture
- Unauthenticated Configuration Manipulation
- Unauthenticated Factory Reset
- Unauthenticated Device Reboot
- Unauthenticated Service Enablement
- Sensitive Information Disclosure
- Unauthenticated Network Configuration Manipulation
These actions may allow an attacker to compromise the confidentiality, integrity, or availability of affected devices.
| CVE ID: | CVSS Vectors: | Score: |
| CVE-2026-41529 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/AU:Y/R:U | 9.9 |
Impacted Product Name
Q-SYS Core Processors
Impacted Versions
All
Impacts on Installed System
Systems may become unstable, disclose sensitive information, or allow unauthorized modification of the impacted device's configuration.
How to Diagnose Installed System
Check in Core Manager or Designer Configurator whether your system is running without Access Control. If Access Control is disabled, your system is vulnerable to the issues listed above.
Note: If Access Control is Enabled, authentication is required to exploit the vulnerability.
Mitigation
Enable Access Control
Refer to the Q-SYS Secure Deployment Guide available at the following location for more information on securing a Q-SYS installation: Secure Deployment Guide
Updated Version
Update to Q-SYS Designer version 10.2.1 to use the added notification mechanism in Q-SYS Core Manager or Q-SYS Designer Software to check against the Access Control state.
Attribution
The issues were identified by Andrew Furlani, a security researcher who focuses on AV systems and solutions.
Acuity knows of no exploitation of these vulnerabilities.
LEGAL DISCLAIMER:
THIS CONTENT IS PROVIDED ON AN "AS IS" BASIS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED WITHOUT ANY WARRANTY OF ANY KIND. THE CONTENT IS INTENDED FOR USERS OF ACUITY PRODUCTS WHO POSSESS THE PROFESSIONAL SKILLS AND JUDGMENT NECESSARY TO INTERPRET THE INFORMATION AND DETERMINE THE APPROPRIATE STEPS TO TAKE. USE OF THE INFORMATION IS AT THE USER'S OWN RISK. THE AUTHOR RESERVES THE RIGHT TO UPDATE OR DELETE THIS CONTENT AT ANY TIME.



