CVE-2021-23859

CRITICAL

Bosch Video Management System < 9.0 - Improper Exception Handling

Title source: rule

Description

An unauthenticated attacker is able to send a specially crafted HTTP request that causes a service to crash. In the case of a standalone VRM or a BVMS with VRM installation, this crash also opens the possibility of sending further unauthenticated commands to the service. On some products the interface is only locally accessible, lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859.

Scores

CVSS v3 9.1
EPSS 0.0029
EPSS Percentile 52.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Classification

CWE
CWE-755 CWE-703
Status published

Affected Products (8)

bosch/bosch_video_management_system < 9.0
bosch/bosch_video_management_system
bosch/bosch_video_management_system
bosch/video_recording_manager < 3.81
bosch/access_easy_controller_firmware < 2.9.1.0
bosch/access_professional_edition < 3.8.0
bosch/building_integration_system < 4.9
bosch/video_recording_manager_exporter < 2.10.0008

Timeline

Published Dec 08, 2021
Tracked Since Feb 18, 2026