BOSCH-SA-464066-BT: The BVMS Operator Client application or the VIDEOJET Decoder VJD-7513 may receive an *unencrypted* live stream from a camera, which allows a man-in-the-middle attacker to compromise the confidential video streams. This happens only in combination with cameras of platform CPP13 or CPP14.x when an encrypted UDP connection is configured. Please be aware that the encrypted UDP connection is the default setting («Secure Connection» setting) for all cameras added into BVMS.

Decoders used in a BVMS system are only affected when the BVMS version is 10.1.0 or higher, as older BVMS versions do not support a UDP connection between camera and decoder. Standalone decoders are only affected when the Secure flag and UDP multicast are selected for camera streams.

For more details, please see the description of the vulnerability in this advisory. Bosch rates this vulnerability with a CVSSv3.1 base score of 7.4 (High), where the final rating depends on the customer's environment. Customers are strongly advised to update the software to the fixed versions or consider the listed mitigations.


https://psirt.bosch.com/security-advisories/bosch-sa-464066-bt.html