Cyber Resilience

CVE-2023-28175

High

Published: 15 June 2023

Published
15 June 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0019 41.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-28175 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Bosch Divar Ip 4000. Its CVSS base score is 7.1 (High).

Operationally, ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bosch
video management system
7.5 — 11.1.1
bosch
video management system viewer
7.5 — 11.1.1
bosch
divar ip 3000 firmware
7.5 — 8.0
bosch
divar ip 6000 firmware
11.1.1
bosch
divar ip 4000 firmware
11.1.1
bosch
divar ip 5000 firmware
9.0 — 11.1.1
bosch
divar ip 7000 r2 firmware
7.5 — 11.1.1
bosch
divar ip 7000 firmware
7.5 — 8.0
bosch
divar ip 7000 r3 firmware
10.1.1 — 11.1.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-863 CWE-200

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

addresses: CWE-863 CWE-200

Ensures authorization decisions for external system use are correctly implemented and enforced.

addresses: CWE-863 CWE-200

It assists users in evaluating and applying correct authorization decisions when sharing information with external partners.

addresses: CWE-200 CWE-863

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

addresses: CWE-863 CWE-200

Drives review and correction of flawed authorization logic applied to organizational data.

addresses: CWE-200 CWE-863

Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.

addresses: CWE-863 CWE-200

Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data.

addresses: CWE-863 CWE-200

Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.

References