Action Needed to Address New Vulnerability Affecting Select Bosch IP Cameras

Aug 12, 2021

Bosch has released a new security advisory alerting customers to a vulnerability that affects Bosch IP cameras. This blog post summarizes the statement made by Bosch, including the actions they recommend taking to neutralize the vulnerability and secure your camera systems.

Security Advisory related to IP Camera Vulnerability: CVE-2021-23849

Released by Bosch Security and Safety Systems on August 4, 2021


Bosch has released a security advisory related to IP Camera Vulnerability: CVE-2021-23849. This vulnerability was found during an internal penetration test and could allow an unauthenticated, remote attacker to trigger actions on an affected system on behalf of another user, an attack known as Cross-Site Request Forgery (CSRF). A CSRF attack works by tricking the victim into clicking a malicious link or opening a malicious website while logged in to the camera.

According to Bosch, the vulnerability identified affects Bosch IP cameras running on CPP4, CPP6, CPP7, CPP7.3, CPP13, CPP14, and AVIOTEC.

The vulnerability has a CVSS v3.1 base score of 7.5 (High).

To address this vulnerability and secure your camera systems, Bosch strongly recommends informing users and updating cameras to a fixed firmware version.

Download the updated firmware in the Download Area.

If a firmware update is not possible, Bosch advises users to refer to section 4 “Solution & Mitigations” of the Security Advisory. Users can download the Security Advisory here: Security Advisory website

Or jump straight to the complete advisory release on Cross Site Request Forgery (CSRF) vulnerability in Bosch IP cameras: BOSCH-SA-033305-BT

The Bosch Product Security Incident Response Team (PSIRT) is actively monitoring this issue. As part of their product security policy, Bosch conducts regular internal and external penetration tests that identify vulnerabilities in firmware or software components of products. This allows Bosch to promptly notify customers and partners about any potential risks before exploitation occurs in the wild. For more details on Bosch’s commitment to keeping your data safe, please see boschtlsi.com/securitypolicy/.

As always, we encourage all Bosch customers to follow boschsecurityadvisories.com/ for the latest security advisories and best practices on self-protection against cyber threats.

Continental Computers is committed to keeping our customers informed on the latest product vulnerabilities as they are discovered by our team and/or reported by third parties and vendors. We work diligently to ensure our customers have the information they need to make educated decisions about their IT infrastructure.

If there is anything we can do for you, or if you have any questions regarding this announcement, please don’t hesitate to contact Continental Computers at conticomp.com/contact.
