#VU9699 Privilege escalation in Pelco VideoXpert Enterprise


Published: 2017-12-22

Vulnerability identifier: #VU9699

Vulnerability risk: Medium

CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9966

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pelco VideoXpert Enterprise
Hardware solutions / Firmware

Vendor: Schneider Electric

Description
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to improper access control. A remote attacker can replace certain files, obtain system privileges and execute the inserted code at an elevated privilege level.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 2.1.

Vulnerable software versions

Pelco VideoXpert Enterprise: All versions


External links
http://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Id=864264...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

