CVE-2017-14263
First published: Mon Sep 11 2017(Updated: )
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Honeywell Enterprise Dvr Firmware | ||
| Honeywell Enterprise Dvr | ||
| Honeywell Maxpro Nvr Hybrid Se Firmware | ||
| Honeywell Maxpro Nvr Hybrid Se | ||
| Honeywell Maxpro Nvr Hybrid Xe Firmware | ||
| Honeywell Maxpro Nvr Hybrid Xe | ||
| Honeywell Maxpro Nvr Se Firmware | ||
| Honeywell Maxpro Nvr Se | ||
| Honeywell Maxpro Nvr Xe Firmware | ||
| Honeywell Maxpro Nvr Xe | ||
| Honeywell Fusion Iv Rev C Firmware | ||
| Honeywell Fusion Iv Rev C | ||
| Honeywell Maxpro Nvr Pe Firmware | ||
| Honeywell Maxpro Nvr Pe |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-14263?
CVE-2017-14263 has been classified as a medium severity vulnerability that affects Honeywell NVR devices.
How do I fix CVE-2017-14263?
To fix CVE-2017-14263, ensure that you update the affected Honeywell NVR firmware to the latest version provided by Honeywell.
Which devices are affected by CVE-2017-14263?
CVE-2017-14263 affects specific Honeywell NVR devices including those with Enterprise DVR, Maxpro NVR Hybrid SE, XE, and other related firmware versions.
What type of attack does CVE-2017-14263 enable?
CVE-2017-14263 enables remote attackers to create unauthorized user accounts with admin privileges on vulnerable Honeywell NVR devices.
Can CVE-2017-14263 be exploited without physical access?
Yes, CVE-2017-14263 can be exploited remotely by leveraging access to a guest account.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/honeywell
- canonical/honeywell enterprise dvr firmware
- canonical/honeywell enterprise dvr
- canonical/honeywell maxpro nvr hybrid se firmware
- canonical/honeywell maxpro nvr hybrid se
- canonical/honeywell maxpro nvr hybrid xe firmware
- canonical/honeywell maxpro nvr hybrid xe
- canonical/honeywell maxpro nvr se firmware
- canonical/honeywell maxpro nvr se
- canonical/honeywell maxpro nvr xe firmware
- canonical/honeywell maxpro nvr xe
- canonical/honeywell fusion iv rev c firmware
- canonical/honeywell fusion iv rev c
- canonical/honeywell maxpro nvr pe firmware
- canonical/honeywell maxpro nvr pe