CVE-2022-32540: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Bosch BVMS

Severity: High
Tags: Vulnerability, CVE-2022-32540, CWE-200
Published: Fri Sep 30 2022 (09/30/2022, 16:38:54 UTC)
Source: CVE
Vendor/Project: Bosch
Product: BVMS

Description

Information Disclosure in Operator Client application in BVMS 10.1.1, 11.0 and 11.1.0 and VIDEOJET Decoder VJD-7513 versions 10.23 and 10.30 allows man-in-the-middle attacker to compromise confidential video stream. This is only applicable for UDP encryption when target system contains cameras with platform CPP13 or CPP14 and firmware version 8.x.

AI-Powered Analysis

Last updated: 07/04/2025, 10:26:50 UTC

Technical Analysis

CVE-2022-32540 is a high-severity vulnerability affecting Bosch Video Management System (BVMS) versions 10.1.1, 11.0, and 11.1.0, as well as VIDEOJET Decoder VJD-7513 versions 10.23 and 10.30. The vulnerability is an information disclosure flaw (CWE-200) in the Operator Client application that applies only when UDP encryption is in use. Specifically, if the target system contains cameras based on Bosch's CPP13 or CPP14 platforms running firmware version 8.x, a man-in-the-middle (MitM) attacker positioned on the network path can intercept and compromise confidential video streams. The root cause is that the protection applied to the encrypted UDP video streams is insufficient in this configuration, so an unauthorized actor on the path can recover sensitive video data. Exploitation requires no authentication or user interaction, but it does require network access to the video streams. The CVSS v3.0 base score is 7.4, reflecting a high impact on confidentiality and integrity with no impact on availability. The attack complexity is rated high, indicating some difficulty in exploitation, but the absence of required privileges or user interaction increases the overall risk. No known exploits are currently reported in the wild, and no official patches are linked in the provided data, so fixes or mitigations may still be pending. This vulnerability is particularly significant for environments that depend on confidential video surveillance, such as critical infrastructure, government facilities, and enterprises using Bosch BVMS for security monitoring.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of video surveillance data. Compromise of video streams could expose sensitive operational information, violate privacy, and facilitate further attacks by revealing security postures or personnel movements. Sectors such as transportation, energy, public safety, and government agencies that deploy Bosch BVMS and VIDEOJET decoders are especially exposed. Because the attack is a MitM against UDP streams, weaknesses in network segmentation and transport protection are the enabling conditions, particularly in environments with insufficient network controls or where video streams traverse untrusted networks. The exposure could undermine trust in security monitoring systems and create regulatory compliance issues under GDPR, since camera footage frequently contains personal data. Additionally, the integrity impact could allow attackers to manipulate or spoof video feeds, potentially disrupting security operations.

Mitigation Recommendations

Organizations should immediately inventory their Bosch BVMS and VIDEOJET Decoder deployments to identify affected software versions and camera platforms (CPP13/CPP14 with firmware 8.x). Network administrators should enforce strict network segmentation to isolate video management traffic and restrict access to trusted devices only. Carrying video stream traffic over VPNs or other secure tunnels reduces the opportunity for MitM attacks on the UDP streams. Monitoring network traffic for unusual patterns, such as unexpected devices on the video segment or signs of interception, is recommended. Where possible, upgrading camera firmware beyond version 8.x or applying vendor patches (once available) is the primary fix. If patches are not yet released, consider moving the affected streams off UDP encryption to an alternative secure transport that is not affected by this issue. Regularly review and update firewall rules to block unauthorized access to video management ports. Additionally, organizations should conduct security audits of their video surveillance infrastructure and train staff to recognize potential interception threats. Coordinate with Bosch support for timely updates and advisories.

Technical Details

Data Version: 5.1
Assigner Short Name: bosch
Date Reserved: 2022-06-07T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeae45

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 10:26:50 AM

Last updated: 8/16/2025, 1:49:48 AM