ICSA-20-021-01_Honeywell Maxpro VMS & NVR

Plan PatchCVSS 9.8ICS-CERT ICSA-20-021-01Jan 21, 2020

Honeywell

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SQL injection vulnerability in Honeywell MAXPRO VMS and NVR systems allows unauthenticated remote attackers to execute arbitrary SQL commands against the backend database. Affected products include MAXPRO NVR SE, NVR XE, NVR PE, MPNVRSWXX, and HNMSWVMS/HNMSWVMSLT variants running versions prior to NVR 5.6 Build 595 T2-Patch and VMS 560 Build 595 T2-Patch. The vulnerability enables attackers to read, modify, or delete video footage, user accounts, system configuration, and other database contents. No known public exploits are currently active.

What this means

What could happen

An attacker could execute arbitrary SQL commands on the Honeywell MAXPRO video management system or network video recorder, potentially allowing them to access, modify, or delete recorded video footage, user credentials, and system configuration data. This could compromise physical security monitoring capabilities and audit trails at the facility.

Who's at risk

This affects any organization running Honeywell MAXPRO video management systems or network video recorders (NVR models SE, XE, PE and VMS 560 variants) for physical security monitoring. Security teams, facilities management, and municipal/industrial operators that rely on video surveillance for site monitoring and incident investigation should prioritize remediation.

How it could be exploited

An attacker with network access to the VMS or NVR web interface (typically port 80/443) can inject malicious SQL commands into input fields or parameters. No authentication is required. The injected SQL executes against the backend database, allowing the attacker to read, modify, or delete database contents including video metadata, user accounts, and system settings.

Prerequisites

Network access to the MAXPRO VMS or NVR web interface (port 80 or 443)
The affected product must be running a version prior to NVR 5.6 Build 595 T2-Patch or VMS560 Build 595 T2-Patch

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)SQL injection vulnerability (CWE-89)affects security monitoring systems

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

HNMSWVMS: prior to< VMS560 Build 595 T2-PatchVMS 560 Build 595 T2-Patch

HNMSWVMSLT: prior to< VMS560 Build 595 T2-PatchVMS 560 Build 595 T2-Patch

MAXPRO NVR SE: prior to< NVR 5.6 Build 595 T2-PatchNVR 5.6 Build 595 T2-Patch

MAXPRO NVR XE: prior to< NVR 5.6 Build 595 T2-PatchNVR 5.6 Build 595 T2-Patch

MAXPRO NVR PE: prior to< NVR 5.6 Build 595 T2-PatchNVR 5.6 Build 595 T2-Patch

MPNVRSWXX: prior to< NVR 5.6 Build 595 T2-PatchNVR 5.6 Build 595 T2-Patch

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate MAXPRO VMS and NVR systems from the Internet or place them behind a firewall/DMZ

HARDENINGIf remote access is required, use a VPN or encrypted tunnel to the network segment containing the VMS/NVR

HARDENINGRestrict network access to the VMS and NVR web interfaces to authorized management workstations only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate MAXPRO NVR to version 5.6 Build 595 T2-Patch or later

HOTFIXUpdate MAXPRO VMS to version VMS560 Build 595 T2-Patch or later

CVEs (2)

CVE-2020-6959 CVE-2020-6960

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1108b994-9119-41cd-9e46-46748842e42d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.