CVE-2019-6814
📋 TL;DR
This vulnerability allows remote attackers to bypass authentication on NET55XX Encoder devices by sending specially crafted requests to the web interface. Attackers could gain unauthorized access to the device, potentially compromising confidentiality, integrity, and availability. Organizations using NET55XX Encoders with firmware versions prior to 2.1.9.7 are affected.
💻 Affected Systems
- Schneider Electric NET55XX Encoder
📦 What is this software?
- Net5500 Firmware by Schneider Electric
- Net5501 Firmware by Schneider Electric
- Net5501 I Firmware by Schneider Electric
- Net5501 Xt Firmware by Schneider Electric
- Net5504 Firmware by Schneider Electric
- Net5508 Firmware by Schneider Electric
- Net5516 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the encoder device allowing attackers to manipulate video streams, disable surveillance, exfiltrate sensitive footage, or use the device as an entry point into the network.
Likely Case
Unauthorized access to the encoder web interface allowing configuration changes, video stream manipulation, or device disruption.
If Mitigated
Limited impact if device is isolated from untrusted networks and proper network segmentation is implemented.
🎯 Exploit Status
CWE-287 indicates improper authentication, suggesting attackers can bypass login mechanisms without credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.9.7
Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2019-134-01/
Restart Required: Yes
Instructions:
1. Download firmware version 2.1.9.7 from the Schneider Electric website.
2. Access the encoder web interface.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware.
5. Reboot the device after the update completes.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to the encoder web interface using firewall rules.
Access Control Lists
Implement IP-based access control to limit which systems can connect to the encoder.
🧯 If You Can't Patch
- Isolate the encoder on a separate VLAN with strict firewall rules
- Implement network monitoring for unusual access patterns to the encoder web interface
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: Login > System Information > Firmware Version
Check Version:
No CLI command - check via web interface System Information page
Verify Fix Applied:
Confirm firmware version shows 2.1.9.7 or higher in System Information
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access
- Configuration changes from unexpected IP addresses
- Unusual access patterns to encoder web interface
Network Indicators:
- HTTP requests to encoder web interface from unauthorized IPs
- Unusual traffic patterns to encoder management ports
SIEM Query:
source_ip=* AND dest_ip=ENCODER_IP AND (http_method=POST OR http_method=GET) AND url_path CONTAINS "/webui/" AND NOT source_ip IN ALLOWED_IPS
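The SIEM query and the first log indicator above, written as an added Python example (not part of the vendor advisory) that runs over constructed events. The encoder address, the allowlist range, the `status` field and the three-failure threshold are assumptions; the other field names and the `/webui/` path come from the query.

```python
import ipaddress

# Constructed placeholders (documentation address ranges), not values from the advisory.
ENCODER_IP = "192.0.2.10"
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/28")]

def ev(src, dst, method, path, status):
    # Field names follow the SIEM query above; "status" is an assumed extra field.
    return {"source_ip": src, "dest_ip": dst, "http_method": method,
            "url_path": path, "status": status}

# Constructed sample events, in time order.
SAMPLE_EVENTS = [
    ev("198.51.100.5", ENCODER_IP, "GET", "/webui/index", 200),
    ev("198.51.100.5", ENCODER_IP, "POST", "/webui/login", 401),
    ev("198.51.100.5", ENCODER_IP, "POST", "/webui/login", 200),
    ev("203.0.113.7", ENCODER_IP, "POST", "/webui/login", 401),
    ev("203.0.113.7", ENCODER_IP, "POST", "/webui/login", 401),
    ev("203.0.113.7", ENCODER_IP, "POST", "/webui/login", 401),
    ev("203.0.113.7", ENCODER_IP, "GET", "/webui/config", 200),
    ev("203.0.113.9", "192.0.2.99", "GET", "/webui/status", 200),
]

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def unauthorized_webui_access(events):
    """The SIEM query as a filter: web UI requests to the encoder from non-allowlisted IPs."""
    return [e for e in events
            if e["dest_ip"] == ENCODER_IP
            and e["http_method"] in ("GET", "POST")
            and "/webui/" in e["url_path"]
            and not is_allowed(e["source_ip"])]

def failures_then_success(events, min_failures=3):
    """Sources whose run of 401/403 responses is followed by a 2xx response."""
    streak, flagged = {}, []
    for e in events:
        if e["dest_ip"] != ENCODER_IP:
            continue
        src = e["source_ip"]
        if e["status"] in (401, 403):
            streak[src] = streak.get(src, 0) + 1
        elif 200 <= e["status"] < 300:
            if streak.get(src, 0) >= min_failures and src not in flagged:
                flagged.append(src)
            streak[src] = 0
    return flagged
```

Matching on CIDR ranges rather than single addresses lets the allowlist mirror the management VLAN or firewall rule that guards the encoder.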