CVE-2022-32540 is a high-severity vulnerability affecting Bosch Video Management System (BVMS) versions 10.1.1, 11.0, and 11.1.0, as well as VIDEOJET Decoder VJD-7513 versions 10.23 and 10.30. The vulnerability arises from an information disclosure flaw (CWE-200) in the Operator Client application when using UDP encryption. Specifically, if the target system contains cameras based on Bosch's CPP13 or CPP14 platforms running firmware version 8.x, a man-in-the-middle (MitM) attacker can intercept and compromise confidential video streams. This occurs because the encryption or protection mechanisms for UDP video streams are insufficient or flawed, allowing unauthorized actors to eavesdrop on sensitive video data. The vulnerability does not require authentication or user interaction but does require network access to the video streams. The CVSS v3.0 score is 7.4, reflecting high impact on confidentiality and integrity, though no impact on availability. The attack complexity is high, indicating some difficulty in exploitation, but the lack of required privileges or user interaction increases the risk. No known exploits are currently reported in the wild, and no official patches are linked in the provided data, suggesting either pending fixes or mitigations. This vulnerability is particularly critical for environments relying on secure video surveillance, such as critical infrastructure, government facilities, and enterprises using Bosch BVMS for security monitoring.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of video surveillance data. Compromise of video streams could lead to exposure of sensitive operational information, privacy violations, and potential facilitation of further attacks by revealing security postures or personnel movements. Sectors such as transportation, energy, public safety, and government agencies that deploy Bosch BVMS and VIDEOJET decoders are especially vulnerable. The ability for an attacker to perform MitM attacks on UDP streams means that network segmentation and encryption weaknesses could be exploited, particularly in environments with insufficient network controls or where video streams traverse untrusted networks. The exposure could undermine trust in security monitoring systems and lead to regulatory compliance issues under GDPR due to unauthorized disclosure of personal data captured by cameras. Additionally, the integrity impact could allow attackers to manipulate or spoof video feeds, potentially disrupting security operations.

Organizations should immediately assess their deployment of Bosch BVMS and VIDEOJET Decoder products to identify affected versions and camera platforms (CPP13/CPP14 with firmware 8.x). Network administrators should enforce strict network segmentation to isolate video management traffic and restrict access to trusted devices only. Deploying VPNs or secure tunnels for video stream transmission can mitigate MitM risks on UDP streams. Monitoring network traffic for unusual patterns or unauthorized interception attempts is recommended. Where possible, upgrading camera firmware to versions beyond 8.x or applying vendor patches (once available) is critical. If patches are not yet released, consider disabling UDP encryption or switching to alternative secure transport protocols that are not vulnerable. Regularly review and update firewall rules to block unauthorized access to video management ports. Additionally, organizations should conduct security audits of their video surveillance infrastructure and train staff on recognizing potential interception threats. Coordination with Bosch support for timely updates and advisories is advised.