Vulnerability DatabaseCVE-2020-6768

CVE-2020-6768:
Bosch Video Management System (BVMS) vulnerability analysis and mitigation

Overview

A path traversal vulnerability (CVE-2020-6768) was discovered in the Bosch Video Management System (BVMS) NoTouch deployment. The vulnerability was identified during internal security tests and disclosed on January 29, 2020. This security flaw affects multiple versions of Bosch BVMS and BVMS Viewer (versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329, and 7.5 and older), as well as Bosch DIVAR IP 3000, DIVAR IP 7000, and DIVAR IP all-in-one 5000 systems with vulnerable BVMS versions installed (Bosch Advisory).

Technical details

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and received a CVSS v3.1 Base Score of 8.6 (High). The attack vector is network-based, requiring low complexity and no authentication or user interaction. The vulnerability exists in the BVMS service, affecting the entire file system of the server operating system where BVMS server is running. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (Bosch Advisory, NVD).

Impact

If exploited, an unauthenticated attacker without local shell access to a BVMS Central Server system can fetch arbitrary data from the file system of the Central Server computer. Under specific circumstances, the attack can also be executed from the internet, potentially leading to critical confidentiality impacts (Bosch Advisory).

Mitigation and workarounds

Bosch recommends updating to fixed software versions as the primary mitigation strategy. If immediate updates aren't possible, temporary workarounds include deactivating the BVMS NoTouch deployment service via the Central Server application configuration file. Additionally, devices should not be exposed directly to the internet or other insecure networks. Specific patches are available for different versions: BVMS10001225_Patch_SecurityIssue_211404_241463.zip for version 10.0, BVMS900827_Patch_SecurityIssue_211404_241463.zip for version 9.0, and BVMS800329_Patch_SecurityIssue_211404_241463.zip for version 8.0 (Bosch Advisory).

Additional resources

Source: This report was generated using AI

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2019-11684	CRITICAL	9.8	Bosch Video Recording Manager (VRM)	cpe:2.3:a:bosch:video_management_system	No	Yes	Feb 26, 2021
CVE-2020-6785	HIGH	7.8	Bosch Video Management System (BVMS)	cpe:2.3:a:bosch:video_management_system	No	Yes	Mar 25, 2021
CVE-2023-28175	HIGH	7.7	Bosch Video Management System (BVMS)	cpe:2.3:a:bosch:video_management_system	No	No	Jun 15, 2023
CVE-2020-6768	HIGH	7.5	Bosch Video Management System (BVMS)	cpe:2.3:a:bosch:video_management_system	No	Yes	Feb 07, 2020
CVE-2020-6767	MEDIUM	6.5	Bosch Video Management System (BVMS)	cpe:2.3:a:bosch:video_management_system	No	Yes	Feb 06, 2020

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2020-6768: Bosch Video Management System (BVMS) vulnerability analysis and mitigation