What is JAVS Viewer?
Justice AV Solutions (JAVS) is a U.S.-based company providing audio-visual recording systems for courtrooms, government hearing rooms, and law enforcement facilities. JAVS Viewer is a software client installed on workstations in these environments to replay and manage audio-video recordings of legal proceedings. Because courtroom recording systems capture privileged attorney-client communications, sensitive testimony, and sealed hearing content, the machines running JAVS software frequently have access to highly sensitive legal and government data. The JAVS installer is typically distributed from the company's official website and used by court administrators at state and federal facilities.
Overview
CVE-2024-4978 is a supply chain compromise of the JAVS Viewer installer: attackers replaced the legitimate FFmpeg audio library bundled with the installer with a trojanized version that establishes a backdoor connection to a malicious command-and-control server. Organizations that downloaded and installed the compromised JAVS Viewer package deployed malware on systems used in courtrooms and government facilities. Rapid7 discovered the attack on May 23, 2024; JAVS took down the compromised installer and CISA added it to the KEV catalog six days later.
Affected Versions
| Component | Status |
|---|---|
| JAVS Viewer 8.3.7 installer (SHA256: 421a4ad2...) | Malicious — do not use |
| JAVS Viewer (clean, re-verified versions) | Safe to use after full reinstallation |
The malicious component is fffmpeg.exe (note: three f's) with SHA256 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4.
Technical Details
The weakness is classified as CWE-506 (Embedded Malicious Code). The legitimate JAVS Viewer installer bundles FFmpeg as a media processing component. Attackers compromised the build/distribution process and replaced the legitimate ffmpeg.exe with a malicious binary named fffmpeg.exe, a subtle typo designed to avoid casual inspection. When an administrator runs the installer (which requires elevation, reflected in PR:H), the malicious fffmpeg.exe is deployed to the system.
At runtime, fffmpeg.exe establishes an outbound connection to an attacker-controlled command-and-control server, providing the attacker with persistent backdoor access to the infected workstation. The C2 connection can be used to: exfiltrate documents and recordings accessible from the courtroom workstation, deploy additional malware, establish persistence via scheduled tasks or registry entries, and pivot to other systems on the court or government network.
The CVSS score reflects the supply chain attack vector: "High Privileges Required" (PR:H) is attributed to the installer requiring admin rights, and Scope Changed (S:C) reflects that the impact extends beyond the installer itself to the broader system and network.
Discovery
The compromise was discovered by Rapid7's threat intelligence and incident response team, which identified the trojanized installer on the JAVS website. After responsible disclosure, JAVS immediately removed the compromised package and issued guidance for affected users. The attack represents a targeted supply chain compromise of software specifically used in sensitive government and legal contexts.
Exploitation Context
Supply chain attacks on software distributed to government and legal institutions are high-value for espionage actors because: the targets have access to sealed court records, classified proceedings, and sensitive legal communications; courtroom workstations are rarely monitored with the same rigor as corporate endpoints; and installing malware via an officially-signed installer from a legitimate vendor bypasses most endpoint controls. The specific targeting of JAVS — used in U.S. federal and state courts — suggests a sophisticated actor with interest in legal proceedings or government intelligence.
Remediation
- Immediately identify all systems where JAVS Viewer was installed — check software inventory for JAVS Viewer installations, particularly version 8.3.7.
- Check for fffmpeg.exe (three f's) in the JAVS installation directory — its presence confirms the system is compromised.
- For all systems with the malicious installer: perform a full system reimaging rather than simply removing the software — assume persistent malware has been installed.
- Do not simply uninstall and reinstall — reinstall only on freshly imaged systems using the verified clean installer from the JAVS website after confirming the hash of the download.
- Rotate credentials on any accounts that were logged in on compromised JAVS workstations — assume those credentials were captured by the backdoor.
- Review network logs for outbound connections from JAVS workstations to unusual external IPs since the installation date.
- Contact JAVS support for guidance on verified clean installer packages and additional indicators of compromise.
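The file check from the remediation list, written as a PowerShell sweep for one workstation. This is an added example, not code from JAVS, Rapid7 or CISA; the search roots and the -HashAllExecutables switch are assumptions (the page does not give the install path), while the file name and SHA256 are the ones stated above.

```powershell
# Added example: sweep for the trojanized component named in this advisory.
# A file is reported if its name is fffmpeg.exe (three f's) OR its SHA256
# matches the hash given on this page, so renamed copies are also caught.
[CmdletBinding()]
param(
    # Assumption: search roots. The install path is not stated on the page,
    # so both Program Files trees are scanned by default; override as needed.
    [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
    # Hypothetical switch: hash every .exe, not only name matches (slower).
    [switch]$HashAllExecutables
)

$BadName = 'fffmpeg.exe'
$BadHash = '421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4'

# Skip roots that are empty (32-bit hosts) or do not exist.
$roots = $SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $nameHit = $_.Name -ieq $BadName
            # Without -HashAllExecutables only name matches are hashed.
            if (-not ($nameHit -or $HashAllExecutables)) { return }

            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $hashHit = $hash -ieq $BadHash

            if ($nameHit -or $hashHit) {
                [pscustomobject]@{
                    Computer   = $env:COMPUTERNAME
                    Path       = $_.FullName
                    NameMatch  = $nameHit
                    HashMatch  = $hashHit
                    SHA256     = $hash
                    # Creation time gives a lower bound for the log review window.
                    CreatedUtc = $_.CreationTimeUtc
                }
            }
        }
}

if ($findings) {
    $findings | Format-List
    exit 1   # non-zero exit so fleet tooling can flag the host for reimaging
}
Write-Output "No $BadName or matching SHA256 found under: $($roots -join ', ')"
exit 0
```

A clean result only shows the file is absent from the scanned paths; hosts where the 8.3.7 installer ran still fall under the reimaging guidance above.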
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-4978 |
| Vendor / Product | Justice AV Solutions — Viewer |
| NVD Published | 2024-05-23 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-506 |
| CISA KEV Added | 2024-05-29 |
| CISA KEV Deadline | 2024-06-19 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-05-23 | Rapid7 discovers and discloses CVE-2024-4978; JAVS takes down compromised installer |
| 2024-05-29 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2024-06-19 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| JAVS Downloads — Verified Clean Installer | Vendor Advisory |
| Rapid7 — CVE-2024-4978 Supply Chain Attack Analysis | Security Research |
| NVD — CVE-2024-4978 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |