CVE-2021-23862: 
Bosch Video Recording Manager (VRM) vulnerability analysis and mitigation

CVE-2021-23862 is a high-severity vulnerability affecting various Bosch security products, including VRM, DIVAR IP, BVMS with VRM, and VIDEOJET decoder (VJD-7513 and VJD-8000). The vulnerability was disclosed on December 8, 2021, with a CVSS v3.1 base score of 7.2 (High) (Bosch PSIRT).

The vulnerability is classified as an Improper Input Validation (CWE-20) issue. When exploited, a crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context. The vulnerability has been assigned a CVSS Vector String of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity, requiring high privileges, and potentially resulting in high impacts to confidentiality, integrity, and availability (Bosch PSIRT).

The successful exploitation of this vulnerability could lead to complete system compromise, allowing an authenticated administrative user to execute arbitrary commands with system-level privileges. This could potentially result in full control over the affected system, impacting confidentiality, integrity, and availability of the system (Bosch PSIRT).

Bosch has released software updates to address this vulnerability across their affected product line. Users are strongly advised to update to the fixed versions. For BVMS systems, various patches are available depending on the version (e.g., BVMS11001025_Patch_SecurityIssue_350403.zip for version 11.0.0.1025). For VRM systems, updated installers are available (e.g., MasterInstaller_VRM_04.01.0012_64-Bit.zip for version 04.00.0070) (Bosch PSIRT).