CVE-2002-0627
Description
Unicode-encoded requests bypass authentication and allow file disclosure on Polycom ViewStation web servers before version 7.2.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unicode-encoded requests bypass authentication and allow file disclosure on Polycom ViewStation web servers before version 7.2.4.
Vulnerability
The web server component of Polycom ViewStation video conferencing devices prior to version 7.2.4 is vulnerable to an authentication bypass that allows reading arbitrary files. The flaw is triggered by sending specially crafted Unicode-encoded HTTP requests. The web server fails to properly decode or sanitize such requests, enabling access to protected resources without valid credentials.
Exploitation
An unauthenticated attacker with network access to the target ViewStation web server can exploit this by sending a GET request containing Unicode-encoded characters (e.g., %c0%ae%c0%ae for ..) to traverse directories and access files outside the web root. The server processes the request as if it were valid, bypassing the normal authentication checks [1].
Impact
Successful exploitation allows a remote, unauthenticated attacker to read arbitrary files on the device. This can lead to disclosure of sensitive information such as configuration files, passwords, or other proprietary data. The attack compromises confidentiality but does not allow direct modification or execution of code.
Mitigation
Polycom released firmware version 7.4.0 (and later) containing a fix. The vendor advisory [1] confirms the fix in version 7.2.4 or later (likely a typo; version 7.4.0 is explicitly listed). No workaround is mentioned. Devices running earlier firmware should be upgraded immediately.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
16cpe:2.3:h:polycom:viewstation_128:6.5.1:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:h:polycom:viewstation_128:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_128:7.2:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_h.323:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_h.323:7.2:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_sp_384:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_sp_384:7.2:*:*:*:*:*:*:*
cpe:2.3:h:polycom:viewstation_512:6.5.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:h:polycom:viewstation_512:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_512:7.2:*:*:*:*:*:*:*
cpe:2.3:h:polycom:viewstation_dcp:6.5.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:h:polycom:viewstation_dcp:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_dcp:7.2:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_fx_vs4000:4.1.5:*:*:*:*:*:*:*
cpe:2.3:h:polycom:viewstation_mp:6.5.1:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:h:polycom:viewstation_mp:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_mp:7.2:*:*:*:*:*:*:*
- (no CPE)range: <7.2.4
cpe:2.3:h:polycom:viewstation_v.35:6.5.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:h:polycom:viewstation_v.35:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:polycom:viewstation_v.35:7.2:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- www.ciac.org/ciac/bulletins/m-123.shtmlnvdPatchVendor Advisory
- www.iss.net/security_center/static/9348.phpnvdVendor Advisory
- www.securityfocus.com/bid/5632nvdVendor Advisory
- bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jspnvd
- www.polycom.com/common/pw_item_show_doc/0%2C%2C1444%2C00.pdfnvd
News mentions
0No linked articles in our index yet.