CVE-2019-13523

Name of the Vulnerable Software and Affected Versions Honeywell Performance IP Cameras versions HBD3PR2, H4D3PRV3, HED3PR3, H4D3PRV2, HBD3PR1, H4W8PR2, HBW8PR2, H2W2PC1M, H2W4PER3, H2W2PER3, HEW2PER3, HEW4PER3B, HBW2PER1, HEW4PER2, HEW4PER2B, HEW2PER2, H4W2PER2, HBW2PER2, H4W2PER3, HPW2P1 Honeywell Performance Series NVRs versions HEN08104, HEN08144, HEN081124, HEN16104, HEN16144, HEN16184, HEN16204, HEN162244, HEN16284, HEN16304, HEN16384, HEN32104, HEN321124, HEN32204, HEN32284, HEN322164, HEN32304, HEN32384, HEN323164, HEN64204, HEN64304, HEN643164, HEN643324, HEN643484, HEN04103, HEN04113, HEN04123, HEN08103, HEN08113, HEN08123, HEN08143, HEN16103, HEN16123, HEN16143, HEN16163, HEN04103L, HEN08103L, HEN16103L, HEN32103L

Description The integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network.

Recommendations For Honeywell Performance IP Cameras, update the device to a version that includes the fix for this issue. For Honeywell Performance Series NVRs, update the device to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the integrated web server to minimize the risk of exploitation. Avoid using the affected devices on untrusted networks until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.