CVE-2015-6970

CRITICAL

Bosch Security Systems NBN-498 Dinion2X - XML Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6970. PoCs published by neom22.

AI-analyzed exploit summary This exploit demonstrates an XML injection vulnerability in Bosch Security Systems' Dinion NBN-498 camera web interface. The PoC shows how arbitrary XML data can be injected into the `idstring` parameter of the `rcp.xml` endpoint, potentially leading to unauthorized data manipulation or information disclosure.

Description

The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to rcp.xml.

Exploits (1)

exploitdb WORKING POC

by neom22 · textwebappshardware

https://www.exploit-db.com/exploits/38369

View Code ZIP pw:eip

This exploit demonstrates an XML injection vulnerability in Bosch Security Systems' Dinion NBN-498 camera web interface. The PoC shows how arbitrary XML data can be injected into the `idstring` parameter of the `rcp.xml` endpoint, potentially leading to unauthorized data manipulation or information disclosure.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Bosch Dinion NBN-498 IP Camera (Firmware 4.54.0026)

No auth needed

Prerequisites: Network access to the target camera's web interface

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/38369/

Scores

CVSS v3 9.8

EPSS 0.0943

EPSS Percentile 93.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-91

Status published

Products (1)

boschsecurity/nbn-498_dinion2x_day\/night_ip_cameras_firmware 4.54.0026

Published Feb 18, 2020

Tracked Since Feb 18, 2026