CVE-2019-13523

moderate-risk
Published 2019-09-26

In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network.

Affected Performance IP Cameras: HBD3PR2, H4D3PRV3, HED3PR3, H4D3PRV2, HBD3PR1, H4W8PR2, HBW8PR2, H2W2PC1M, H2W4PER3, H2W2PER3, HEW2PER3, HEW4PER3B, HBW2PER1, HEW4PER2, HEW4PER2B, HEW2PER2, H4W2PER2, HBW2PER2, H4W2PER3, and HPW2P1.

Affected Performance Series NVRs: HEN08104, HEN08144, HEN081124, HEN16104, HEN16144, HEN16184, HEN16204, HEN162244, HEN16284, HEN16304, HEN16384, HEN32104, HEN321124, HEN32204, HEN32284, HEN322164, HEN32304, HEN32384, HEN323164, HEN64204, HEN64304, HEN643164, HEN643324, HEN643484, HEN04103, HEN04113, HEN04123, HEN08103, HEN08113, HEN08123, HEN08143, HEN16103, HEN16123, HEN16143, HEN16163, HEN04103L, HEN08103L, HEN16103L, HEN32103L.

Do I need to act?

EPSS: 0.21% chance of exploitation (low exploit probability)
CISA KEV: Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Patch status: unknown (check vendor advisories for fix availability and mitigation guidance)
CVSS: 5.3/10 Medium (NETWORK / LOW complexity)

Affected Products (20)

HBD3PR2 Firmware
H4D3PRV3 Firmware
HED3PR3 Firmware
H4D3PRV2 Firmware
HBD3PR1 Firmware
H4W8PR2 Firmware
HBW8PR2 Firmware
H2W2PC1M Firmware
H2W4PER3 Firmware
H2W2PER3 Firmware
HEW2PER3 Firmware
HEW4PER3B Firmware
HBW2PER1 Firmware
HEW4PER2 Firmware
HEW4PER2B Firmware
HEW2PER2 Firmware
H4W2PER2 Firmware
HBW2PER2 Firmware
H4W2PER3 Firmware
HPW2P1 Firmware

Affected Vendors

Risk score: 49 / 100 (moderate-risk)
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 27/34 · High