Honeywell Maxpro VMS/NVR systems vulnerable to hijacking
Honeywell's Maxpro VMS and NVR, network video recorders and video management systems deployed in commercial, manufacturing and energy facilities around the world, sport critical vulnerabilities that may allow attackers to take control of them.
Patches available for the Honeywell Maxpro vulnerabilities.
CVE-2020-6960 is a SQL injection vulnerability that could be exploited by attackers to achieve remote access to the devices' web user interface with administrator-level privileges.
Honeywell assigned somewhat lower CVSS scores to the vulnerabilities, as it claims they can be exploited only by skilled hackers.
Users are advised to upgrade MAXPRO VMS and NVR to versions R560 and 5.6, respectively, before applying the T2-Patch.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/tJxxFLBMwSI/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-01-22 | CVE-2020-6960 | SQL Injection vulnerability in Honeywell products. The following versions of MAXPRO VMS and NVR, MAXPRO VMS: HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch contain an SQL injection vulnerability that could give an attacker remote unauthenticated access to the web user interface with administrator-level privileges. | 7.5 |