CISA has released an advisory on deserialization of untrusted data and SQL injection vulnerabilities in Honeywell MAXPRO VMS & NVR. Multiple products and versions of these products are affected. Successful exploitation of these vulnerabilities could result in elevation of privileges, cause a denial-of-service condition, or allow unauthenticated remote code execution. Honeywell recommends users update VMS 560 Build 595 T2-Patch for affected VMS systems, and NVR 5.6 Build 595 T2-Patch for affected NVR systems. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.
Thank you to everyone who helped make H2OSecCon Spring 2024 happen! As noted during the event, WaterISAC intends to conduct another H2OSecCon this year, so stay tuned for updates!