Vulnerabilities > CVE-2020-6770 - Deserialization of Untrusted Data vulnerability in Bosch products

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

bosch

CWE-502

critical

NVD

Published: 2020-02-07

Updated: 2020-02-12

Summary

Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute arbitrary code on the system. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000 and DIVAR IP 7000 if a vulnerable BVMS version is installed.

Vulnerable Configurations

Part	Description	Count
Application	Bosch Bosch Bosch Video Management System Mobile Video Service 7.5 Bosch Bosch Video Management System Mobile Video Service 8.0.0.329 Bosch Bosch Video Management System Mobile Video Service 9.0.0.827 Bosch Bosch Video Management System Mobile Video Service 10.0.0.1225	4
OS	Bosch Bosch Divar IP 3000 Firmware - Bosch Divar IP 7000 Firmware -	2
Hardware	Bosch Bosch Divar IP 3000 - Bosch Divar IP 7000 -	2

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://psirt.bosch.com/security-advisories/BOSCH-SA-885551-BT.html