Vulnerabilities > CVE-2020-6959 - Deserialization of Untrusted Data vulnerability in Honeywell products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

honeywell

CWE-502

NVD

Published: 2020-01-22

Updated: 2020-02-05

Summary

The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch are vulnerable to an unsafe deserialization of untrusted data. An attacker may be able to remotely modify deserialized data without authentication using a specially crafted web request, resulting in remote code execution.

Vulnerable Configurations

Part	Description	Count
OS	Honeywell Honeywell Maxpro NVR XE Firmware 5.6 Honeywell Maxpro NVR SE Firmware 5.6 Honeywell Maxpro NVR PE Firmware 5.6 Honeywell Mpnvrswxx Firmware 5.6 Honeywell Hnmswvms Firmware Vms560 Honeywell Hnmswvmslt Firmware Vms560	6
Hardware	Honeywell Honeywell Maxpro NVR XE - Honeywell Maxpro NVR SE - Honeywell Maxpro NVR PE - Honeywell Mpnvrswxx - Honeywell Hnmswvms - Honeywell Hnmswvmslt -	6

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://www.us-cert.gov/ics/advisories/icsa-20-021-01

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Related news

References