CVE-2019-3702

high-risk

Published 2019-05-13

A Remote Code Execution issue in the DNS Query Web UI in Lifesize Icon LS_RM3_3.7.0 (2421) allows remote authenticated attackers to execute arbitrary commands via a crafted DNS Query address field in a JSON API request.

Do I need to act?

10.6% chance of exploitation in next 30 days

EPSS score — higher than 89% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (3)

Icon 300 Firmware

Icon 500 Firmware

Icon 700 Firmware

Affected Vendors

Lifesize

References (6)

Exploit https://atomic111.github.io/article/lifesize-icon-remote-code-execution

Product https://www.lifesize.com/en/video-conferencing-cameras

Not Applicable https://www.sva.de/solutions/it-security.html

Exploit https://atomic111.github.io/article/lifesize-icon-remote-code-execution

Product https://www.lifesize.com/en/video-conferencing-cameras

Not Applicable https://www.sva.de/solutions/it-security.html

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 11/34 · Low

Exposure 9/34 · Low