CVE-2020-6959
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected MAXPRO VMS and NVR systems by sending specially crafted web requests that exploit unsafe deserialization. It affects multiple MAXPRO video management and network video recorder products running vulnerable software versions. Organizations using these systems for physical security monitoring are at risk.
💻 Affected Systems
- MAXPRO VMS
- MAXPRO NVR XE
- MAXPRO NVR SE
- MAXPRO NVR PE
- MPNVRSWXX
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary code, potentially gaining full control over the VMS/NVR system, accessing video feeds, manipulating recordings, and pivoting to other network systems.
Likely Case
Remote code execution leading to system compromise, data exfiltration, ransomware deployment, or integration into botnets for DDoS attacks.
If Mitigated
Limited impact if systems are isolated, patched, and monitored with proper network segmentation and intrusion detection.
🎯 Exploit Status
The advisory indicates exploitation is possible without authentication via web requests. Given the high CVSS score and RCE nature, weaponization is likely even without public PoC.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VMS560 Build 595 T2-Patch for VMS products, NVR 5.6 Build 595 T2-Patch for NVR products
Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsa-20-021-01
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Honeywell support portal.
2. Backup system configuration.
3. Apply patch following vendor instructions.
4. Restart the system.
5. Verify patch installation and system functionality.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to affected systems to only trusted management networks
Use firewall rules to block all inbound traffic except from authorized management stations
Web Interface Restriction
Disable or restrict web interface access if not required
Configure system to disable web services or restrict to localhost only
🧯 If You Can't Patch
- Isolate affected systems in a dedicated VLAN with strict firewall rules allowing only necessary traffic
- Implement network-based intrusion detection/prevention systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the system version via the web interface or CLI. If the version is below VMS560 Build 595 T2-Patch (VMS) or NVR 5.6 Build 595 T2-Patch (NVR), the system is vulnerable.
Check Version:
Check via web interface System Information page or consult vendor documentation for CLI version check
Verify Fix Applied:
Verify system version shows patched version after update and test system functionality remains intact.
📡 Detection & Monitoring
Log Indicators:
- Unusual web request patterns to deserialization endpoints
- System process creation from web service user
- Authentication bypass attempts
Network Indicators:
- HTTP requests with serialized payloads to VMS/NVR web endpoints
- Outbound connections from VMS/NVR systems to suspicious IPs
SIEM Query:
(source="vms_logs" OR source="nvr_logs") AND (http_uri CONTAINS "deserialize" OR (process="webservice" AND parent_process="unexpected"))
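
The SIEM query above mixes OR and AND, so its grouping decides which events match. As an added example (not from the advisory or the vendor), the Python below evaluates the intended grouping and two readings a platform could give the same terms without explicit parentheses, over constructed events. Operator precedence differs between SIEM products, so both alternative readings are assumptions.

```python
# Added example. Field names and the literals "deserialize", "webservice" and
# "unexpected" come from the SIEM query; the events below are constructed.
EVENTS = [
    {"id": 1, "source": "vms_logs", "http_uri": "/status",
     "process": "recorder", "parent_process": "services"},      # benign VMS event
    {"id": 2, "source": "nvr_logs", "http_uri": "/api/deserialize",
     "process": "webservice", "parent_process": "services"},    # URI indicator
    {"id": 3, "source": "nvr_logs", "http_uri": "/status",
     "process": "webservice", "parent_process": "unexpected"},  # process indicator
    {"id": 4, "source": "nvr_logs", "http_uri": "/status",
     "process": "recorder", "parent_process": "services"},      # benign NVR event
    {"id": 5, "source": "proxy_logs", "http_uri": "/deserialize",
     "process": "proxy", "parent_process": "services"},         # unrelated source
]

def vms(e): return e["source"] == "vms_logs"
def nvr(e): return e["source"] == "nvr_logs"
def uri_hit(e): return "deserialize" in e["http_uri"]
def proc_hit(e): return e["process"] == "webservice"
def parent_hit(e): return e["parent_process"] == "unexpected"

def intended(e):
    # (vms OR nvr) AND (uri OR (proc AND parent))
    return (vms(e) or nvr(e)) and (uri_hit(e) or (proc_hit(e) and parent_hit(e)))

def and_binds_tighter(e):
    # vms OR (nvr AND (uri OR (proc AND parent))): every VMS event matches
    return vms(e) or (nvr(e) and (uri_hit(e) or (proc_hit(e) and parent_hit(e))))

def or_binds_tighter(e):
    # (vms OR nvr) AND ((uri OR proc) AND parent): URI-only hits are dropped
    return (vms(e) or nvr(e)) and ((uri_hit(e) or proc_hit(e)) and parent_hit(e))

def matches(predicate):
    """Return the ids of the constructed events that the predicate selects."""
    return [e["id"] for e in EVENTS if predicate(e)]

if __name__ == "__main__":
    for name, pred in [("intended", intended),
                       ("AND binds tighter", and_binds_tighter),
                       ("OR binds tighter", or_binds_tighter)]:
        print(f"{name:18} -> {matches(pred)}")
```

One reading alerts on every VMS log line and the other misses the request carrying the URI indicator, which is why the query should carry explicit parentheses on any platform.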