Advisory

Commend fixes issues in WS203VICM after product end-of-life

Take action: If you are using the WS203VICM video door station, update the firmware. Ideally, disconnect the device from any publicly accessible networks.



Commend, a notable vendor in the critical infrastructure sector, has recently issued an alert regarding critical vulnerabilities in its WS203VICM video door station. If exploited, these vulnerabilities could significantly compromise the security of the affected systems by allowing attackers to obtain sensitive information or force the system to restart. The vulnerabilities are remotely exploitable with low attack complexity, and have raised concerns due to their potential impact on commercial facilities worldwide.

The vulnerabilities impacting WS203VICM are as follows:

  • CVE-2024-21767 (Improper Access Control) (CVSS score 9.4): enables attackers to bypass access controls through malicious requests.
  • CVE-2024-22182 (Argument Injection) (CVSS score 8.6): allows remote attackers to send crafted messages to the web server, causing the system to restart.
  • CVE-2024-23492 (Weak Encoding for Password) (CVSS score 5.7): credentials are transmitted in a weakly encoded format, making them susceptible to interception.

Successful exploitation of these vulnerabilities could lead to sensitive information disclosure or cause the WS203VICM system to restart unexpectedly. These vulnerabilities pose a significant risk, particularly in environments where the WS203VICM video door station is deployed across the critical commercial facilities sector worldwide.

Affected products are WS203VICM versions 1.7 and prior. The remediation is to upgrade to firmware version WS-CM 2.0.

Despite being an end-of-life product, Commend has proactively addressed the first two vulnerabilities by releasing a new firmware version (WS-CM 2.0). Users are urged to upgrade their systems by downloading the "Terminals Software Package" from Commend's web portal and following the provided instructions for firmware installation through the "IP Station Config" program.
