Advisory

CISA reports critical security flaws in SystemK's NVR 504/508/516

Take action: If you are running SystemK NVR 504/508/516 devices, isolate them on a trusted network segment that is not reachable from the internet, and contact the vendor to check whether a patch is available.


Learn More

CISA has published an advisory on critical security flaws in SystemK's NVR 504/508/516. SystemK, a vendor in the physical security sector, offers the NVR 504/508/516 as part of its network video recorder line. These devices contain a critical vulnerability.

The vulnerability, a command injection flaw, could allow an attacker to execute arbitrary commands with root privileges and take complete control of the device. The affected models and firmware versions are:

  • NVR 504: 2.3.5SK.30084998
  • NVR 508: 2.3.5SK.30084998
  • NVR 516: 2.3.5SK.30084998

The flaw, tracked as CVE-2023-7227 with a CVSS v3 base score of 9.8, stems from improper neutralization of special elements used in a command (CWE-77) in the dynamic DNS (DDNS) settings: values supplied through the DDNS configuration reach an operating-system command without adequate sanitization, so shell metacharacters in the setting are interpreted as additional commands.
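To make concrete what "improper neutralization of special elements used in a command" means for a DDNS setting, the following Python example (added here; it is not code from SystemK, CISA or the advisory, and says nothing about how the real firmware is implemented) contrasts a hypothetical DDNS handler that splices the configured hostname into a shell command with a hardened version that validates the hostname against an allow-list and execs the updater without a shell. The updater binary, the `host=` argument form and the hostnames are assumptions; `echo` stands in for the updater so the example runs offline.

```python
"""Illustration of the bug class behind CVE-2023-7227 (CWE-77 command
injection via a DDNS setting). Hypothetical example code for this page,
not SystemK firmware. `echo` stands in for the DDNS updater binary."""
import re
import subprocess

# Assumption: the firmware hands the configured hostname to some updater
# program. `echo` is used here so the example is runnable offline.
UPDATER = "echo"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, each label at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def ddns_update_vulnerable(hostname: str) -> str:
    """VULNERABLE: the hostname is interpolated into one string that
    /bin/sh parses, so ';', '|', '$(...)' and friends inside the DDNS
    setting become extra commands running as the handler's user
    (typically root on an embedded NVR). Returns the command's stdout."""
    cmd = f"{UPDATER} host={hostname}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check: overall length <= 253 and every label well-formed.
    Anything containing shell metacharacters, whitespace or a leading '-'
    fails this test before it gets near a command."""
    return len(hostname) <= 253 and _HOSTNAME_RE.fullmatch(hostname) is not None


def ddns_update_hardened(hostname: str) -> str:
    """Hardened: reject anything that is not a hostname, then exec the
    updater with an argv list (shell=False). With no shell involved the
    value can only ever be one literal argument; the allow-list also
    stops a value such as '-v' from being parsed by the updater as an
    option, which the argv list alone would not prevent."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected DDNS hostname: {hostname!r}")
    out = subprocess.run([UPDATER, f"host={hostname}"],
                         shell=False, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed attacker-controlled DDNS setting: a valid-looking
    # hostname followed by an injected second command.
    payload = "cam1.example.com; echo INJECTED"
    print("vulnerable handler output:")
    print(ddns_update_vulnerable(payload))       # second line is INJECTED
    print("hardened handler:")
    try:
        ddns_update_hardened(payload)
    except ValueError as exc:
        print("  ", exc)                         # payload is rejected
    print("  ", ddns_update_hardened("cam1.example.com").strip())
```

The same payload shape works against any handler that builds a shell command line from a settings field, which is why CISA's mitigations focus on keeping such devices off the internet until the vendor removes the shell from the path entirely.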

SystemK is headquartered in Japan, and its products are deployed worldwide, particularly in the commercial facilities sector. The company has not responded to CISA's requests to work together on addressing this issue. In the absence of a patch, CISA recommends defensive measures: minimize network exposure of the devices, place them behind firewalls and isolate them from business networks, and use secure methods such as VPNs for any remote access that cannot be avoided, bearing in mind that a VPN is only as secure as the devices it connects and must itself be kept updated.

Although no public exploitation of this vulnerability has been reported to date, organizations should perform a proper impact analysis and risk assessment before deploying defensive measures, and consult CISA's guidance on industrial control systems security, available on the ICS webpage at cisa.gov/ics.
