Cisco has put out a warning about numerous vulnerabilities in its Network Building Mediator (NBM) products that could lead to malicious parties taking complete control over affected devices.
The NBM connects a building's operations with IT to help with a facility's sustainability, energy consumption and efficiency.
In an advisory note, Cisco explained that certain security gaps allow unauthorised users to change a device's configuration.
"A malicious user must authenticate as an existing user but does not need to have administrator privileges or know administrator credentials to modify device configuration," the company noted.
Other vulnerabilities mean that interactions between an operator workstation and the Cisco Network Building Mediator could be intercepted by any willing person.
"A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device," Cisco explained.
Other threats include potential password theft and account data loss.
Specifically, all weaknesses affect the legacy Richards-Zeta Mediator 2500 product and Cisco Network Building Mediator NBM-2400 and NBM-4800 models as well as Mediator Framework software releases prior to 3.1.1.
The NBM is a version of the Richards-Zeta Mediator that has been adapted by Cisco.
Given that the "workarounds" offered by Cisco are somewhat limited, affected firms will want to get hold of the free software updates that the provider has issued to deal with the security holes.
