This vulnerability arises from a CORS misconfiguration (CWE-942) in the REST API of Network Optix Nx Witness VMS prior to version 6.1.2 when running in Standard security mode on Linux and Windows. The misconfiguration allows an unauthenticated attacker to exploit cross-origin requests to steal session tokens from authenticated users, enabling administrator account takeover. The High security mode does not exhibit this vulnerability. The vendor's fix in version 6.1.2 sets Access-Control-Allow-Credentials to false by default in Standard mode, mitigating the risk. A workaround is available by manually setting this header to false via the REST API.

Successful exploitation allows an unauthenticated remote attacker to steal session tokens of authenticated users and gain administrator-level control over the Nx Witness VMS system. This compromises confidentiality, integrity, and availability of the system. The vulnerability affects both Linux and Windows deployments running in Standard security mode. High security mode installations are not impacted.

A fix is available by updating Nx Witness VMS to version 6.1.2 or later, which corrects the CORS policy by setting Access-Control-Allow-Credentials to false in the default Standard security configuration. For existing installations that cannot immediately update, a workaround is to set Access-Control-Allow-Credentials to false manually via the REST API PATCH /rest/v2/system/settings with the body {"supportedOrigins": "null"}. Alternatively, selecting High security mode during initial setup avoids this vulnerability. No other mitigation steps are indicated by the vendor.