Honeywell Maxpro VMS/NVR systems vulnerable to hijacking
2020-01-22 10:50

Honeywell's Maxpro VMS and NVR, network video recorders and video management systems deployed in commercial, manufacturing and energy facilities around the world, sport critical vulnerabilities that may allow attackers to take control of them.

Patches are available for the Honeywell Maxpro vulnerabilities.

CVE-2020-6960 is a SQL injection vulnerability that could be exploited by attackers to achieve remote access to the devices' web user interface with administrator-level privileges.

Honeywell assigned somewhat lower CVSS scores to the vulnerabilities, as it claims they can be exploited only by skilled hackers.

Users are advised to upgrade MAXPRO VMS and NVR to versions R560 and 5.6, respectively, before applying the T2-Patch.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/tJxxFLBMwSI/

Related Vulnerability

DATE: 2020-01-22
CVE: CVE-2020-6960
VULNERABILITY TITLE: SQL Injection vulnerability in Honeywell products
The following versions of MAXPRO VMS and NVR, MAXPRO VMS: HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch contain an SQL injection vulnerability that could give an attacker remote unauthenticated access to the web user interface with administrator-level privileges.
network, low complexity, honeywell, CWE-89
RISK: critical (9.8)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Honeywell 189 1 15 38 23 77