Connect with us

Hi, what are you looking for?



Serious Vulnerabilities Expose Honeywell Surveillance Systems to Attacks

Some of Honeywell’s MAXPRO video surveillance systems are affected by serious vulnerabilities that can be exploited by hackers to take complete control of the system, a researcher has discovered.

Some of Honeywell’s MAXPRO video surveillance systems are affected by serious vulnerabilities that can be exploited by hackers to take complete control of the system, a researcher has discovered.

Researcher Joachim Kerschbaumer told SecurityWeek that he reported his findings to Honeywell in September 2019 and the vendor released patches after roughly 2 months, which he says is a fast response time compared to other physical security systems manufacturers he has contacted to report flaws.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) published an advisory this week for the vulnerabilities found by Kerschbaumer. CISA learned about the security holes from Honeywell, and Kerschbaumer says the agency’s description of the vulnerabilities is not entirely accurate.

Kerschbaumer identified two vulnerabilities in Honeywell’s MAXPRO video management system (VMS) and network video recorder (NVR) products. Specifically, they impact HNMSWVMS and HNMSWVMSLT VMS products, and XE, SE, PE and MPNVRSWXX NVR products. MAXPRO VMS 560 Build 595 T2-Patch and MAXPRO NVR 5.6 Build 595 T2-Patch address the vulnerabilities. Honeywell has shared information about the vulnerabilities in its SN 2019-10-25 01 security notice.

Vulnerabilities found in Honeywell surveillance systems

One of the weaknesses, CVE-2020-6959, has been described as a deserialization issue that can lead to unauthenticated remote code execution. The second flaw, CVE-2020-6960, is a SQL injection vulnerability that can also be exploited remotely without authentication.

The researcher has provided the following descriptions for the vulnerabilities:

CVE-2020-6959: A default installation of MAXPRO starts a Windows service that hosts a service that uses .NET Remoting for communication. Due to the nature of .NET Remoting and the unsafe hardcoded configuration of this service, an attacker can create custom payloads that use the .NET BinaryFormatter with available open source tools.

Advertisement. Scroll to continue reading.

As soon as the service receives the payload, it deserializes it no matter whether the data is of the type the service expects. There is no form of authentication or preventative measures in place in order to avoid this. This can be exploited in order to execute arbitrary code with the permissions of the service that executes the payload. In this case the service runs with SYSTEM-level permissions by default.

CVE-2020-6960: A default installation of MAXPRO starts a service called “TrinityService” (which contains a broad range of services necessary for the system). The service was created using Microsoft’s Windows Communication Foundation (WCF) and hosted an endpoint using Microsoft’s proprietary binary SOAP protocol. This service contained a service method that accepted a generic “Request-Object”.

By supplying a specially crafted object, an attacker can provide arbitrary SQL statements as parameter that immediately get executed by the service, resulting in full control over the database. By default the service user is allowed to reconfigure the default installation of Microsoft’s SQL Server, which allows enabling additional (available by default) SQL Server features that allow an attacker to execute code with SYSTEM-level permissions. No authentication is needed to call this method remotely.

Both vulnerabilities can give an attacker complete control over the targeted system with SYSTEM-level privileges. This would allow them, among other things, to access video feeds and change the system’s configuration, Kerschbaumer said.

The CVSS score assigned by CISA to the vulnerabilities puts them in the critical severity category, but Honeywell’s advisory rates them as high severity — CISA says attack complexity (AC) in the CVSS score calculation is low, while Honeywell says it’s high.

Kerschbaumer told SecurityWeek that the vulnerabilities are not particularly difficult to exploit — he has demonstrated exploitation using freely available tools — but in most cases an attack requires network access to the targeted systems, as the ports they use are typically not exposed to the internet.

Kerschbaumer said these vulnerabilities were identified as part of a larger research project into video management systems and access control systems. The project targeted over 40 products and resulted in the discovery of more than 60 vulnerabilities.

Related: Only Few Organizations Patched Recent Honeywell SCADA Flaw

Related: Several Flaws Patched in Honeywell Controllers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.