CVE-2020-6770

high-risk

Published 2020-02-07

Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute arbitrary code on the system. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000 and DIVAR IP 7000 if a vulnerable BVMS version is installed.

Do I need to act?

11.3% chance of exploitation in next 30 days

EPSS score — higher than 89% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 10.0/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Bosch Video Management System Mobile Video Service

Divar Ip 3000 Firmware

Divar Ip 7000 Firmware

Affected Vendors

Bosch

References (2)

Vendor Advisory https://psirt.bosch.com/security-advisories/BOSCH-SA-885551-BT.html

/ 100

high-risk

Severity 33/34 · Critical

Exploitability 11/34 · Low

Exposure 9/34 · Low