
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-23859 is a critical vulnerability in Bosch Video Recording Manager (VRM) and related products, disclosed on December 8, 2021. An unauthenticated attacker can send a specially crafted HTTP request that crashes a service; on a standalone VRM, or on a BVMS installation with VRM, the crash additionally leaves the service in a state where further unauthenticated commands are accepted. Affected Bosch products include VRM, BVMS, DIVAR IP, APE, AEC, and BIS (Bosch Advisory).
The weakness is classified as CWE-703 (Improper Check or Handling of Exceptional Conditions) and carries a CVSS v3.1 base score of 9.1 (Critical) in the worst case: the attack is network-based and needs neither privileges nor user interaction, and it has a high impact on integrity and availability (a 9.1 with those metrics implies no confidentiality impact). The vulnerable interface is reached over TCP ports 40080-40099. Severity differs by product and configuration; for some products the advisory gives an adjusted, lower score because the ports are shielded by a firewall (Bosch Advisory).
The impact varies across the affected products. On a standalone VRM the flaw allows both service disruption and acceptance of further unauthenticated commands, rated Critical (9.1). For BVMS with VRM the rating ranges from High (7.1) to Critical (9.1) depending on the version. APE is rated High (7.5), while BIS and AEC are rated Medium (5.5), where the impact is limited to a local denial of service (Bosch Advisory).
Bosch recommends updating affected products to their fixed versions. Where an update cannot be applied immediately, the key mitigation is to block inbound connections to TCP ports 40080-40099 with a firewall so that the vulnerable interface cannot be reached from the network; with that in place, the remaining attack surface is limited to users already signed in locally on the host (Bosch Advisory).
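The port-blocking mitigation above, as an added example for a Windows host running VRM or BVMS with VRM (this is not Bosch's own guidance or code). It creates an inbound block rule for TCP 40080-40099 in Windows Defender Firewall, shows what the firewall actually stored, lists what is listening in that range, and gives the check to run from another machine. The rule name, the host name vrm01, and the assumption that the VRM host uses Windows Defender Firewall are illustrative; nothing here is taken from the advisory beyond the port range.

```powershell
# Added example, not Bosch's code. Temporary mitigation for CVE-2021-23859 on a
# Windows host running VRM / BVMS with VRM, until the fixed version is installed.
# Blocks inbound TCP 40080-40099 from every remote address. Processes on the
# host itself are unaffected because Windows Defender Firewall does not filter
# loopback traffic, which matches the advisory's "local signed-in users only".
# Run in an elevated PowerShell session. Rule name and host name are hypothetical.

$RuleName = 'CVE-2021-23859 - Block VRM TCP 40080-40099'

# Idempotent: create the rule only if it is not already present.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Temporary mitigation for CVE-2021-23859 (Bosch VRM). Remove after updating.' `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort '40080-40099' `
        -RemoteAddress Any `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify the rule and its port filter as the firewall stored them, not as typed.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

# Show which processes are listening in the blocked range, so you know what the
# rule is shielding (VRM-related services are expected here on an affected host).
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge 40080 -and $_.LocalPort -le 40099 } |
    ForEach-Object {
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Process   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }

# Reachability check: run this from a DIFFERENT host on the network, not on the
# VRM host itself (loopback would still succeed there). Expected result: False.
# Test-NetConnection -ComputerName vrm01 -Port 40080 -InformationLevel Quiet

# Once the fixed version is installed, remove the temporary rule:
# Remove-NetFirewallRule -DisplayName $RuleName
```

Two caveats. First, Windows Defender Firewall gives an explicit block rule precedence over allow rules, so any component on another host that legitimately talks to these ports loses access as well; if such hosts exist in your deployment, narrow `-RemoteAddress` to the untrusted networks instead of `Any` rather than adding an allow rule that the block would override. Second, the rule protects only this host; if the VRM sits behind a separate perimeter firewall, mirror the same port-range block there so the interface is unreachable from segments the host firewall profile does not cover.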
Source: This report was generated using AI