CVE-2019-6958

Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems

Description

A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding an authentication feature to the respective library fixes the issue. The issue is classified as "CWE-284: Improper Access Control." This vulnerability allows a potential attacker, for example, to delete video or read video data.

Remediation

Solution:

  • The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, firewalling and IP filtering can be used as mitigations. For further information, please check the published security advisory.

Category

CVSS score: 9.1
Severity: Critical
EPSS 0.34%
Vendor Advisory boschsecurity.com

Frequently Asked Questions

What is the severity of CVE-2019-6958?
CVE-2019-6958 has been scored as a critical severity vulnerability.
How to fix CVE-2019-6958?
To fix CVE-2019-6958: The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, firewalling and IP filtering can be used as mitigations. For further information, please check the published security advisory.
Is CVE-2019-6958 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2019-6958 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.