Commend, the Austria-based communication solutions provider, has issued a security alert for critical vulnerabilities in its WS203VICM video door station. Three CVE identifiers have been assigned: CVE-2024-22182 (argument injection), CVE-2024-21767 (improper access control) and CVE-2024-23492 (weak password encoding). The most severe of them carries a CVSS v3 base score of 9.4, which places it in the critical range.
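As an added illustration of the argument-injection class named above (not Commend's code, and not a description of the WS203VICM's actual flaw), the following hypothetical diagnostic handler passes a user-supplied host to `ping`. The host values, the `ping` invocation, the validation regex and the helper names are all assumptions made for the example. The point it shows is that avoiding the shell is not enough: an untrusted value that starts with `-` is still read by the target program's option parser, so the fix is to validate the operand and to end option parsing with `--` where the tool supports it.

```python
import ipaddress
import re

# Constructed example of CWE-88 (argument injection); hypothetical handler,
# not firmware code from any vendor.

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, <=253 total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_argv_vulnerable(host: str) -> list:
    # No shell is involved, so ";" or "|" cannot chain commands, but the
    # untrusted host still lands where ping's option parser reads it:
    # a value of "-f" is interpreted as the flood flag, not as a host.
    return ["ping", "-c", "1", host]


def is_valid_host(host: str) -> bool:
    # Accept only an IP literal or a syntactically valid hostname. Anything
    # beginning with "-" fails both checks, which is what blocks option injection.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def build_argv_hardened(host: str) -> list:
    if not is_valid_host(host):
        raise ValueError("rejected host argument: %r" % host)
    # "--" ends option parsing for getopt-style tools (assumed here for ping),
    # so even a value that slipped past validation is treated as an operand.
    return ["ping", "-c", "1", "--", host]


def injected_as_option(argv: list) -> bool:
    # Constructed check: any element after argv[0] that starts with "-" and is
    # not one of the options the handler itself adds came from the caller.
    fixed = {"-c", "--"}
    return any(a.startswith("-") and a not in fixed for a in argv[1:])


if __name__ == "__main__":
    # Constructed inputs: two legitimate hosts and two injection attempts.
    for host in ("192.0.2.10", "door.example", "-f", "-i 0.01 192.0.2.10"):
        vulnerable = build_argv_vulnerable(host)
        try:
            hardened = build_argv_hardened(host)
        except ValueError as exc:
            hardened = "rejected (%s)" % exc
        print("%-24r injected=%-5s vulnerable=%s hardened=%s"
              % (host, injected_as_option(vulnerable), vulnerable, hardened))
```

The example only builds argument vectors and never executes `ping`, so it runs offline; in a real handler the hardened list would be passed to `subprocess.run` without `shell=True`. Whether `--` terminates options is tool-specific, so the allowlist validation is the control to rely on and `--` is defence in depth.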
The affected product, WS203VICM version 1.7 and prior, is deployed worldwide in commercial facilities. Aarón Flecha Menéndez of S21sec reported the vulnerabilities to CISA. Although the WS203VICM is an end-of-life product, Commend has released a new firmware version, WS-CM 2.0, that addresses the argument injection and improper access control issues; the weak password encoding is not covered by that release. Users should follow Commend's installation instructions for the firmware update.
CISA recommends the usual defensive measures to reduce the risk of exploitation: minimise network exposure so that the device is not reachable from the internet, place it behind firewalls and isolate it from the business network, and use secure methods such as VPNs where remote access is required. The agency also advises organisations to perform impact analysis and a risk assessment before deploying these measures. At the time of publication, no public exploitation targeting these vulnerabilities had been reported to CISA.