Description
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. An attacker can upload files with a Setup-Files action, and then execute these files with SYSTEM privileges.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://www.kyberturvallisuuskeskus.fi/en/vulnerabilities-mirasys-vms-video-management-solution
Scores
CVSS v3
9.8
EPSS
0.0044
EPSS Percentile
63.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
mirasys/mirasys_vms
< 7.6.1
Published
Aug 22, 2019
Tracked Since
Feb 18, 2026