Medium Vulnerability – BOSCH IP Camera

SEVERITY: MEDIUM

Redinent researchers discovered an information disclosure vulnerability in the BOSCH IP Camera.

Technical Details: An information disclosure can be triggered in Bosch’s flagship product, the Bosch CCTV Camera, through a specially crafted HTTP request. The vulnerability exists in one of the parameters of a specified GET request triggered by the cameras.

Affected Versions

| Product Name | Affected Versions |
|---|---|
| Bosch Camera Firmware on CPP14 | <= 8.80 |
| Bosch Camera Firmware on CPP13 | <= 8.48 |
| Bosch Camera Firmware on CPP7.3 | <= 7.86 |
| Bosch Camera Firmware on CPP7 | <= 7.86 |
| Bosch Camera Firmware on CPP6 | <= 7.86 |
| Bosch Camera Firmware on CPP4 | <= 7.10 |

Bosch has released a version to fix the vulnerability.

BOSCH Advisory: https://psirt.bosch.com/security-advisories/bosch-sa-839739-bt.html

CVE-2022-41677

The coordinated disclosure timeline:

  1. September 14 2022 – Vulnerability discovered by Redinent researchers
  2. September 16 2022 – Vulnerability reported by Redinent to CERT India
  3. November 4 2022 – OEM acknowledged the vulnerability
  4. June 29 2023 – CVE assigned. OEM releases global advisory