CVE-2017-14263CVE-2017-14263

Affected configuration(s):

cpe:/o:honeywell:enterprise_dvr_firmware:-
cpe:/o:honeywell:fusion_iv_rev_c_firmware:-
cpe:/o:honeywell:maxpro_nvr_hybrid_se_firmware:-
cpe:/o:honeywell:maxpro_nvr_hybrid_xe_firmware:-
cpe:/o:honeywell:maxpro_nvr_pe_firmware:-
cpe:/o:honeywell:maxpro_nvr_se_firmware:-
cpe:/o:honeywell:maxpro_nvr_xe_firmware:-

Date published: 2017-09-11T05:29:00.717-04:00

Date last modified: 2017-09-18T12:43:25.590-04:00

CVSS Score: 9.3

Principal attack vector: NETWORK

Complexity:  MEDIUM

Reference URL: https://github.com/zzz66686/Honeywell_NVR_vul

Summary: Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device.

CategoriesUncategorised

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.