OTPulse

ICSA-20-021-01_Honeywell Maxpro VMS & NVR

Act Now · CVSS 9.8 · ICS-CERT ICSA-20-021-01 · Jan 21, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SQL injection vulnerability in Honeywell MAXPRO VMS and NVR systems allows unauthenticated remote attackers to execute arbitrary SQL commands against the backend database. Affected products include MAXPRO NVR SE, NVR XE, NVR PE, MPNVRSWXX, and HNMSWVMS/HNMSWVMSLT variants running versions prior to NVR 5.6 Build 595 T2-Patch and VMS 560 Build 595 T2-Patch. The vulnerability enables attackers to read, modify, or delete video footage, user accounts, system configuration, and other database contents. No known public exploits are currently active.

What this means
What could happen
An attacker could execute arbitrary SQL commands on the Honeywell MAXPRO video management system or network video recorder, potentially allowing them to access, modify, or delete recorded video footage, user credentials, and system configuration data. This could compromise physical security monitoring capabilities and audit trails at the facility.
Who's at risk
This affects any organization running Honeywell MAXPRO video management systems or network video recorders (NVR models SE, XE, PE and VMS 560 variants) for physical security monitoring. Security teams, facilities management, and municipal/industrial operators that rely on video surveillance for site monitoring and incident investigation should prioritize remediation.
How it could be exploited
An attacker with network access to the VMS or NVR web interface (typically port 80/443) can inject malicious SQL commands into input fields or parameters. No authentication is required. The injected SQL executes against the backend database, allowing the attacker to read, modify, or delete database contents including video metadata, user accounts, and system settings.
Prerequisites
  • Network access to the MAXPRO VMS or NVR web interface (port 80 or 443)
  • The affected product must be running a version prior to NVR 5.6 Build 595 T2-Patch or VMS560 Build 595 T2-Patch
remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · SQL injection vulnerability (CWE-89) · affects security monitoring systems
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (6)
6 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| HNMSWVMS | prior to VMS560 Build 595 T2-Patch | VMS 560 Build 595 T2-Patch |
| HNMSWVMSLT | prior to VMS560 Build 595 T2-Patch | VMS 560 Build 595 T2-Patch |
| MAXPRO NVR SE | prior to NVR 5.6 Build 595 T2-Patch | NVR 5.6 Build 595 T2-Patch |
| MAXPRO NVR XE | prior to NVR 5.6 Build 595 T2-Patch | NVR 5.6 Build 595 T2-Patch |
| MAXPRO NVR PE | prior to NVR 5.6 Build 595 T2-Patch | NVR 5.6 Build 595 T2-Patch |
| MPNVRSWXX | prior to NVR 5.6 Build 595 T2-Patch | NVR 5.6 Build 595 T2-Patch |
Remediation & Mitigation
Do now
  • HARDENING: Isolate MAXPRO VMS and NVR systems from the Internet or place them behind a firewall/DMZ
  • HARDENING: If remote access is required, use a VPN or encrypted tunnel to the network segment containing the VMS/NVR
  • HARDENING: Restrict network access to the VMS and NVR web interfaces to authorized management workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update MAXPRO NVR to version 5.6 Build 595 T2-Patch or later
  • HOTFIX: Update MAXPRO VMS to version VMS560 Build 595 T2-Patch or later