Vulnerability Details CVE-2017-14263
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.244
EPSS Ranking 95.8%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 9.3
References
Products affected by CVE-2017-14263
-
cpe:2.3:h:honeywell:enterprise_dvr:-
-
cpe:2.3:h:honeywell:fusion_iv_rev_c:-
-
cpe:2.3:h:honeywell:maxpro_nvr_hybrid_se:-
-
cpe:2.3:h:honeywell:maxpro_nvr_hybrid_xe:-
-
cpe:2.3:h:honeywell:maxpro_nvr_pe:-
-
cpe:2.3:h:honeywell:maxpro_nvr_se:-
-
cpe:2.3:h:honeywell:maxpro_nvr_xe:-
-
cpe:2.3:o:honeywell:enterprise_dvr_firmware:-
-
cpe:2.3:o:honeywell:fusion_iv_rev_c_firmware:-
-
cpe:2.3:o:honeywell:maxpro_nvr_hybrid_se_firmware:-
-
cpe:2.3:o:honeywell:maxpro_nvr_hybrid_xe_firmware:-
-
cpe:2.3:o:honeywell:maxpro_nvr_pe_firmware:-
-
cpe:2.3:o:honeywell:maxpro_nvr_se_firmware:-
-
cpe:2.3:o:honeywell:maxpro_nvr_xe_firmware:-