Remote Code Execution in Lifesize Icon Video Conferencing Systems
CVE-2019-3702

8.8HIGH

Key Information:

Vendor

Lifesize

Status
Icon 300 Firmware
Vendor
CVE Published:
13 May 2019

What is CVE-2019-3702?

A vulnerability in the DNS Query Web UI of Lifesize Icon systems allows remote authenticated attackers to execute arbitrary commands. This is achieved by sending a specially crafted DNS Query address within a JSON API request, posing serious security risks to the integrity and confidentiality of impacted systems. Organizations should prioritize patching affected products to mitigate the threat.

References

https://www.sva.de/solutions/it-security.html
x_refsource_MISC
https://www.lifesize.com/en/video-conferencing-cameras
x_refsource_MISC
https://atomic111.github.io/article/lifesize-icon-remote-...
x_refsource_MISC

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.