MOBOTIX HUB Event Server - possible Remote Code Execution by an authenticated user
Publication Date: 09.05.2023
MOBOTIX has released a software update for MOBOTIX HUB VMS, which fixes a security vulnerability with a
possible Remote Code Execution by an authenticated user on the Event Server service.
AFFECTED PRODUCTS AND SOLUTIONS
- MOBOTIX HUB Event Server 2023 R1
- MOBOTIX HUB Event Server 2022 R3
- MOBOTIX HUB Event Server 2022 R2
- MOBOTIX HUB Event Server 2022 R1
- MOBOTIX HUB Event Server 2021 R2
- MOBOTIX HUB Event Server 2021 R1
- MOBOTIX HUB Event Server 2020 R3
- MOBOTIX HUB Event Server 2020 R2
WORKAROUNDS AND MITIGATIONS
There are currently no known workarounds. Please update your system with the latest MOBOTIX HUB Security Patch 2023R1!
Check the Release Notes for more infos:
GENERAL SECURITY RECOMMENDATIONS
As a general security measure MOBOTIX strongly recommends protecting network access to affected
products with appropriate mechanisms. It is advised to follow the security practices recommended in the
MOBOTIX Hardening Guide to run the devices in a protected IT environment.
Please check our latest Version of Cyber Security & Data Protection:
The event server handles various tasks related to events, alarms, and maps and perhaps also third-party
integrations via the MIP SDK.
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS
v3.1) (https://www.first.org/cvss). The CVSS environmental score is specific to the customer’s environment
and will impact the overall CVSS score. The environmental score should therefore be individually defined
by the customer to accomplish final scoring.
At the time of advisory publication, no public exploitation of this security vulnerability was known.
MOBOTIX confirms the security vulnerability and provides mitigations to resolve the security issue.
CVSS v3.1 Base Score 9.9
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
For further inquiries on security vulnerabilities in MOBOTIX Systems products, please contact MOBOTIX Support.