CVE-2021-23859

moderate-risk
Published 2021-12-08

An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (8)

Bosch Video Management System
Bosch Video Management System
Bosch Video Management System
Video Recording Manager
Access Easy Controller Firmware
Access Professional Edition
Building Integration System
Video Recording Manager Exporter

Affected Vendors

Bosch

References (2)

Vendor Advisory https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html
Vendor Advisory https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html
46
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 1/34 · Minimal
Exposure 14/34 · Moderate