CVE-2020-6785
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on affected systems by exploiting DLL hijacking in Bosch BVMS and related products. It affects both the installer and installed application, potentially compromising video management systems. Organizations using vulnerable versions of Bosch BVMS, BVMS Viewer, and DIVAR IP devices are at risk.
💻 Affected Systems
- Bosch BVMS
- Bosch BVMS Viewer
- Bosch DIVAR IP 7000 R2
- Bosch DIVAR IP all-in-one 5000
- Bosch DIVAR IP all-in-one 7000
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or malware execution by an attacker with access to the system, potentially disrupting video surveillance operations.
If Mitigated
Limited impact if proper access controls and patching are in place, reducing the attack surface to trusted users only.
🎯 Exploit Status
Exploitation requires local access to place a malicious DLL in a search path, but no public exploits are known as of the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BVMS 10.1.1 or later
Vendor Advisory: https://psirt.bosch.com/security-advisories/bosch-sa-835563-bt.html
Restart Required: Yes
Instructions:
1. Download and install BVMS 10.1.1 or later from Bosch. 2. Apply the update to all affected systems. 3. Restart the systems to ensure changes take effect.
🔧 Temporary Workarounds
Restrict DLL Search Path
windowsModify system settings to prevent loading DLLs from untrusted directories, reducing the risk of hijacking.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode' -Value 1
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges and prevent unauthorized file writes.
- Monitor for suspicious DLL loading events and use application whitelisting to block untrusted executables.
🔍 How to Verify
Check if Vulnerable:
Check the installed BVMS version via the application interface or system registry; versions 10.1.0 or older indicate vulnerability.Check Version:
wmic product where name like '%BVMS%' get versionVerify Fix Applied:
Confirm the version is 10.1.1 or later and test for DLL hijacking by attempting to place a benign DLL in a search path to see if it loads.📡 Detection & Monitoring
Log Indicators:
- Event logs showing DLL loading from unusual paths or failed integrity checks
Network Indicators:
- Unusual outbound connections from BVMS processes post-exploitation
SIEM Query:
EventID=4688 AND ProcessName LIKE '%bvms%' AND CommandLine CONTAINS 'dll'