CERT-In Vulnerability Note
CIVN-2023-0121
Multiple Vulnerabilities in Milesight Network Video Recorder (NVR)
Original Issue Date: April 27, 2023
Severity Rating: CRITICAL
Software Affected
- Milesight 4K/H.265 Series NVR model MS-Nxxxx-xxG firmware versions prior to 77.9.0.18-r2
- Milesight 4K/H.265 Series NVR model MS-Nxxxx-xxE firmware versions prior to 75.9.0.18-r2
- Milesight 4K/H.265 Series NVR model MS-Nxxxx-xxT firmware versions prior to 72.9.0.18-r2
- Milesight 4K/H.265 Series NVR model MS-Nxxxx-xxH firmware versions prior to 71.9.0.18-r2
- Milesight 4K/H.265 Series NVR model MS-Nxxxx-xxC firmware versions prior to 73.9.0.18-r2
Overview
Multiple vulnerabilities have been reported in Milesight Network Video Recorder (NVR), which could allow a remote attacker to take over accounts and perform unauthorized activities on the targeted device.
Description
These vulnerabilities exist in Milesight Network Video Recorder (NVR) due to a weak password reset mechanism and improper authorization in the Milesight NVR web-based management interface. A remote attacker could exploit these vulnerabilities by sending specially crafted HTTP requests to the targeted device.
Successful exploitation of these vulnerabilities could allow a remote attacker to take over Milesight NVR cameras and perform unauthorized activities on the targeted device.
Credit: These vulnerabilities were reported by Souvik Kandar and Arko Dhar from Redinent Innovations Engineering & Research Team, Karnataka, India.
Solution
Update Milesight NVR firmware to the latest version:
https://www.milesight.com/support/download/firmware
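To find which recorders in an inventory still need the update, the following added example (not part of the CERT-In note or Milesight's tooling) compares each device's firmware against the fixed versions in the Software Affected list. It assumes the series letter is the last character of the model string, that the first version field identifies the series, and that versions order numerically field by field with "-rN" as the last field; the function names and inventory rows are constructed for illustration.

```python
import re

# Fixed firmware per series letter, taken from the "Software Affected" list.
FIXED = {
    "G": "77.9.0.18-r2",
    "E": "75.9.0.18-r2",
    "T": "72.9.0.18-r2",
    "H": "71.9.0.18-r2",
    "C": "73.9.0.18-r2",
}
# Assumption: model strings follow MS-Nxxxx-xx<letter>, series letter last.
MODEL_RE = re.compile(r"^MS-N\w{4}-\w*([A-Z])$")
FW_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")

def parse_fw(version):
    """Return the version as a tuple of ints (missing -rN counts as 0), or None."""
    m = FW_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def triage(model, firmware):
    """Classify one device as 'affected', 'fixed', or 'review' (needs a human)."""
    m = MODEL_RE.match(model.strip().upper())
    if not m or m.group(1) not in FIXED:
        return "review"          # series not listed in the advisory
    have, fixed = parse_fw(firmware), parse_fw(FIXED[m.group(1)])
    if have is None or have[0] != fixed[0]:
        return "review"          # unparseable, or prefix does not match the series
    return "affected" if have < fixed else "fixed"

# Constructed inventory rows (model, firmware), for illustration only.
INVENTORY = [
    ("MS-N1234-ABG", "77.9.0.16-r3"),
    ("MS-N1234-ABH", "71.9.0.18-r2"),
    ("MS-N1234-ABT", "72.9.0.18-r1"),
    ("MS-N1234-ABE", "77.9.0.18-r2"),   # prefix belongs to another series
    ("MS-N1234-ABX", "70.1.0.1"),       # series letter not in the advisory
]

def report(rows=INVENTORY):
    """Return (model, firmware, status) for every inventory row."""
    return [(model, fw, triage(model, fw)) for model, fw in rows]

if __name__ == "__main__":
    for model, fw, status in report():
        print(f"{model:14} {fw:14} {status}")
```

Rows marked "review" are ones the list above cannot decide, such as a firmware prefix that does not match the model's series, and should be checked by hand against the vendor's firmware page.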
Vendor Information
Milesight
https://www.milesight.com/support/download/firmware
CVE Name
CVE-2023-30466
CVE-2023-30467
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India