Vulnerabilities in Mirasys VMS video management solution
Three different vulnerabilities have been discovered in Mirasys VMS systems. An attacker abusing these vulnerabilities might obtain confidential information or execute malicious code in the target system. Mirasys has released a new version of the VMS software that fixes the vulnerabilities.
Mirasys is a fully open and manufacturer-independent video management solution that integrates with cameras, other devices, and systems from third-party suppliers and other manufacturers. Please contact the vendor for more information about the update process.
The vulnerabilities were discovered by Joachim Kerschbaumer, an independent security researcher from Austria. NCSC-FI would like to thank the researcher and the vendor for participating in the coordination.
- Embedded systems
- Servers and server applications
- No authentication required
- Execution of arbitrary commands
- Obtaining of confidential information
Exploit seen live
- Proof of concept
- Software update patch
- Mirasys VMS - V8.3.1 and earlier versions, V7.6.0 and earlier versions.
- Please contact the vendor for more information about the update process.
- Mirasys VMS V8.3.2 resolves two of the three reported vulnerabilities
- Mirasys VMS V8.3.3 resolves the three reported vulnerabilities
- Mirasys VMS V7.6.1 resolves the three reported vulnerabilities.
Contact NCSC-FI Vulnerability coordination at firstname.lastname@example.org. Please mention [FICORA #1086008] in the email subject.
More information about NCSC-FI: https://www.ncsc.fi