The NCCIC has published an advisory on an unquoted search path or element vulnerability in Johnson Controls exacqVision Server. This vulnerability impacts exacqVision server versions 9.6 and 9.8. Successful exploitation of this vulnerability could allow an unauthenticated user to elevate their privileges. Johnson Controls recommends users upgrade to the latest product, version 19.03. The NCCIC also advises of a series of measures for mitigating the vulnerability. Read the advisory at CISA.