CVE-2021-23847

moderate-risk
Published 2021-06-09

A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

Do I need to act?

-
0.46% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (9)

Cpp6 Firmware
Cpp6 Firmware
Cpp6 Firmware
Cpp7 Firmware
Cpp7 Firmware
Cpp7 Firmware
Cpp7.3 Firmware
Cpp7.3 Firmware
Cpp7.3 Firmware

Affected Vendors

Bosch

References (2)

Vendor Advisory https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html
Vendor Advisory https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html
49
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 15/34 · Moderate