CVE-2021-23859
CRITICAL
Bosch Video Management System < 9.0 - Unauthenticated Denial of Service via HTTP Request
Title source: llm
Description
An unauthenticated attacker is able to send a special HTTP request that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation, this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only locally accessible, lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html
Scores
CVSS v3
9.1
EPSS
0.0097
EPSS Percentile
57.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-755
CWE-703
Status
published
Products (8)
bosch/access_easy_controller_firmware
< 2.9.1.0
bosch/access_professional_edition
< 3.8.0
bosch/bosch_video_management_system
10.1
bosch/bosch_video_management_system
11.0
bosch/bosch_video_management_system
< 9.0
bosch/building_integration_system
< 4.9
bosch/video_recording_manager
< 3.81
bosch/video_recording_manager_exporter
2.1 - 2.10.0008
Published
Dec 08, 2021
Tracked Since
Feb 18, 2026