Serious Vulnerabilities Expose Honeywell Surveillance Systems to Attacks

Some of Honeywell’s MAXPRO video surveillance systems are affected by serious vulnerabilities that can be exploited by hackers to take complete control of the system, a researcher has discovered.

Researcher Joachim Kerschbaumer told SecurityWeek that he reported his findings to Honeywell in September 2019 and the vendor released patches after roughly 2 months, which he says is a fast response time compared to other physical security systems manufacturers he has contacted to report flaws.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) published an advisory this week for the vulnerabilities found by Kerschbaumer. CISA learned about the security holes from Honeywell, and Kerschbaumer says the agency’s description of the vulnerabilities is not entirely accurate.

Kerschbaumer identified two vulnerabilities in Honeywell’s MAXPRO video management system (VMS) and network video recorder (NVR) products. Specifically, they impact HNMSWVMS and HNMSWVMSLT VMS products, and XE, SE, PE and MPNVRSWXX NVR products. MAXPRO VMS 560 Build 595 T2-Patch and MAXPRO NVR 5.6 Build 595 T2-Patch address the vulnerabilities. Honeywell has shared information about the vulnerabilities in its SN 2019-10-25 01 security notice.

One of the weaknesses, CVE-2020-6959, has been described as a deserialization issue that can lead to unauthenticated remote code execution. The second flaw, CVE-2020-6960, is a SQL injection vulnerability that can also be exploited remotely without authentication.

The researcher has provided the following descriptions for the vulnerabilities:

CVE-2020-6959: A default installation of MAXPRO starts a Windows service that hosts a service that uses .NET Remoting for communication. Due to the nature of .NET Remoting and the unsafe hardcoded configuration of this service, an attacker can create custom payloads that use the .NET BinaryFormatter with available open source tools.

As soon as the service receives the payload, it deserializes it no matter whether the data is of the type the service expects. There is no form of authentication or preventative measures in place in order to avoid this. This can be exploited in order to execute arbitrary code with the permissions of the service that executes the payload. In this case the service runs with SYSTEM-level permissions by default.

CVE-2020-6960: A default installation of MAXPRO starts a service called “TrinityService” (which contains a broad range of services necessary for the system). The service was created using Microsoft’s Windows Communication Foundation (WCF) and hosted an endpoint using Microsoft’s proprietary binary SOAP protocol. This service contained a service method that accepted a generic “Request-Object”.

By supplying a specially crafted object, an attacker can provide arbitrary SQL statements as a parameter that immediately get executed by the service, resulting in full control over the database. By default the service user is allowed to reconfigure the default installation of Microsoft’s SQL Server, which allows enabling additional (available by default) SQL Server features that allow an attacker to execute code with SYSTEM-level permissions. No authentication is needed to call this method remotely.

Both vulnerabilities can give an attacker complete control over the targeted system with SYSTEM-level privileges. This would allow them, among other things, to access video feeds and change the system’s configuration, Kerschbaumer said.
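
For a flaw like CVE-2020-6959, a defender first needs to know which listeners accept .NET Remoting requests at all. The following is an added example, not code from the article, the researcher or Honeywell: it recognises the frame start defined in Microsoft's MS-NRTP specification and the BinaryFormatter header record from MS-NRBF in captured first payloads. The listener names and sample bytes are constructed, and it assumes each capture holds exactly one whole frame.

```python
import struct

NRTP_MAGIC = b".NET"  # MS-NRTP ProtocolId (0x54454E2E, little-endian on the wire)
OPERATIONS = {0: "Request", 1: "OneWayRequest", 2: "Reply"}


def parse_preamble(payload: bytes):
    """Parse the fixed start of an MS-NRTP TCP frame; None if it does not match."""
    if len(payload) < 14 or not payload.startswith(NRTP_MAGIC):
        return None
    major, minor, op, dist, length = struct.unpack_from("<BBHHi", payload, 4)
    if (major, minor) != (1, 0) or op not in OPERATIONS or dist not in (0, 1):
        return None
    # ContentLength is only present when the content is not chunked (dist == 0).
    return {"operation": OPERATIONS[op], "length": length if dist == 0 else None}


def carries_binaryformatter(payload: bytes, info: dict) -> bool:
    """True if the frame content starts with an MS-NRBF SerializationHeaderRecord."""
    n = info["length"]
    if n is None or n < 17 or len(payload) < 14 + n:
        return False
    content = payload[-n:]  # assumption: the capture holds exactly one whole frame
    _root, _hdr, major, minor = struct.unpack_from("<iiii", content, 1)
    return content[0] == 0x00 and (major, minor) == (1, 0)


def remoting_listeners(samples):
    """Return {listener: finding} for listeners that were sent remoting requests."""
    findings = {}
    for listener, payload in samples:
        info = parse_preamble(payload)
        if info is None or info["operation"] == "Reply":
            continue
        nrbf = carries_binaryformatter(payload, info)
        findings[listener] = "BinaryFormatter content" if nrbf else "remoting request"
    return findings


# Constructed captures (not real traffic): first client payload seen per listener.
NRBF_SAMPLE = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0) + b"\x0b"  # header + MessageEnd
FRAME_SAMPLE = (NRTP_MAGIC + struct.pack("<BBHHi", 1, 0, 0, 0, len(NRBF_SAMPLE))
                + b"\x00\x00" + NRBF_SAMPLE)  # preamble, EndHeaders token, content
SAMPLES = [("hostA:port1", FRAME_SAMPLE),
           ("hostA:port2", b"GET / HTTP/1.1\r\nHost: hostA\r\n\r\n"),
           ("hostB:port1", NRTP_MAGIC + struct.pack("<BBHHi", 1, 0, 2, 0, 0) + b"\x00\x00")]

if __name__ == "__main__":
    print(remoting_listeners(SAMPLES))
```

Listeners reported here are candidates for patching and for network segmentation, since the article notes that exploitation normally requires network access to these ports.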

The CVSS score assigned by CISA to the vulnerabilities puts them in the critical severity category, but Honeywell’s advisory rates them as high severity — CISA says attack complexity (AC) in the CVSS score calculation is low, while Honeywell says it’s high.

Kerschbaumer told SecurityWeek that the vulnerabilities are not particularly difficult to exploit — he has demonstrated exploitation using freely available tools — but in most cases an attack requires network access to the targeted systems, as the ports they use are typically not exposed to the internet.

Kerschbaumer said these vulnerabilities were identified as part of a larger research project into video management systems and access control systems. The project targeted over 40 products and resulted in the discovery of more than 60 vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
