CVE-2023-47213

high-risk
Published 2023-11-16

First Corporation's DVRs use a hard-coded password, which may allow a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for late models of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. For the other products, apply the workaround.

Do I need to act?

1.4% chance of exploitation in next 30 days (EPSS score: moderate exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 Critical (NETWORK / LOW complexity)

Affected Products (20)

CFR-1004EA firmware
CFR-1008EA firmware
CFR-1016EA firmware
CFR-16EAA firmware
CFR-16EAB firmware
CFR-16EHA firmware
CFR-16EHD firmware
CFR-4EAA firmware
CFR-4EAAM firmware
CFR-4EAB firmware
CFR-4EABC firmware
CFR-4EHA firmware
CFR-4EHD firmware
CFR-8EAA firmware
CFR-8EAB firmware
CFR-8EHA firmware
CFR-8EHD firmware
CFR-904E firmware
CFR-908E firmware
CFR-916E firmware

Affected Vendors

58 / 100 · high-risk
Severity 32/34 · Critical
Exploitability 4/34 · Minimal
Exposure 22/34 · High