VYPR
Unrated severity · NVD Advisory · Published Feb 18, 2020 · Updated Aug 6, 2024

CVE-2015-6970

Description

The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to rcp.xml.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XML injection vulnerability in Bosch Dinion NBN-498 web interface allows remote attackers to manipulate XML via the idstring parameter to rcp.xml.

Vulnerability

The web interface of Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 is susceptible to XML injection [1]. The vulnerability resides in the rcp.xml endpoint, where the idstring parameter is not properly sanitized, allowing an attacker to inject arbitrary XML content [1]. No authentication or special configuration is required to access this endpoint, as the web interface for live feed and administration is exposed by default.

Exploitation

An attacker requires only network access to the camera's web interface (port 80/443). When a request to /rcp.xml carries an idstring parameter containing XML metacharacters or tags, the injected XML is processed by the server-side parser [1]. The exploit does not require prior authentication or user interaction. According to the public exploit [1], the attack can be performed using standard HTTP GET requests from a browser or scripting tool.

Impact

Successful XML injection can lead to disclosure of sensitive configuration information, manipulation of camera settings, or potential server-side request forgery, depending on how the server processes the injected XML [1]. The attacker may be able to read internal data structures or modify camera behavior, achieving a breach of confidentiality and integrity with the application's level of privilege.

Mitigation

As of the referenced exploit publication date (September 2015) and the CVE publication date (February 2020), no official patch or fix from Bosch Security Systems has been identified in the available references [1]. Users should isolate affected cameras on segmented networks, restrict access to the web interface via firewall rules, and disable the management interface if not required. If a newer firmware version exists, it should be applied after verifying that the vulnerability is addressed. The camera is not listed on CISA's KEV as of the CVE publication date.
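
One way to spot the request pattern described above in web access logs, as an added example that is not part of the advisory or of any Bosch tooling. It assumes the camera sits behind a reverse proxy or firewall that writes common/combined-format access logs; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters with structural meaning in XML; an identifier value
# has no legitimate reason to contain them.
XML_META = set("<>&\"'")

# Source address and request target of a common/combined log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /rcp.xml?idstring=cam01 HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /rcp.xml?idstring=%3Cx%3Etest%3C%2Fx%3E HTTP/1.1" 200 340',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /rcp.xml?idstring=%253Cx%253E HTTP/1.1" 200 340',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?idstring=%3Cx%3E HTTP/1.1" 200 1024',
]


def flag_request(target):
    """Return the decoded idstring if target is rcp.xml and the value
    contains XML metacharacters; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/rcp.xml"):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "idstring":
            continue
        # parse_qsl decodes once; decode again to catch double encoding
        # (%253C -> %3C -> <).
        decoded = unquote(value)
        if XML_META & set(decoded):
            return decoded
    return None


def scan(lines):
    """Return (source address, decoded idstring) for every flagged line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if match is None:
            continue
        value = flag_request(match.group("target"))
        if value is not None:
            hits.append((match.group("src"), value))
    return hits


if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"{src}: idstring carries XML metacharacters: {value!r}")
```

The same check can serve as a deny rule on the proxy in front of the camera: reject any rcp.xml request whose decoded idstring contains one of these characters.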

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
