Description
Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contains an authentication bypass vulnerability in the master service that allows unauthenticated remote attackers to execute arbitrary commands with administrative privileges. Attackers can invoke exposed interface methods over the remote service to bypass authentication and achieve remote code execution on the underlying operating system.
Published: 2026-04-03
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via unauthenticated authentication bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an authentication bypass in the master service of Hirschmann Industrial HiVision. An attacker who can reach the device over the network can exploit exposed interface methods that ignore authentication checks, allowing the execution of arbitrary commands with administrative privileges on the underlying operating system. This flaw represents a classic implementing‐time unauthenticated remote code execution weakness (CWE‑287).

Affected Systems

Belden Hirschmann Industrial HiVision devices running firmware versions earlier than 06.0.07 and 07.0.03 are affected. Attackers can target these versions without any credentials and gain full system control.

Risk and Exploitability

With a CVSS base score of 9.3 the flaw is considered critical. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, yet the exploit path requires only network access to the exposed service and no local privileges. The lack of authentication enables attackers to reach the vulnerable interface from remote hosts, making exploitation highly plausible for an adversary with network connectivity to the device.

Generated by OpenCVE AI on April 3, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware upgrade to at least version 06.0.07 or 07.0.03 as released by the vendor.
  • Restrict network traffic to the device using firewall rules, allowing only trusted management hosts to communicate with the master service.
  • Disable the master service or any exposed interface that is not required for normal operation.
  • Monitor device logs for abnormal command execution or authentication attempts and investigate immediately.

Generated by OpenCVE AI on April 3, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Belden
Belden hirschmann Industrial Hivision
Vendors & Products Belden
Belden hirschmann Industrial Hivision

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contains an authentication bypass vulnerability in the master service that allows unauthenticated remote attackers to execute arbitrary commands with administrative privileges. Attackers can invoke exposed interface methods over the remote service to bypass authentication and achieve remote code execution on the underlying operating system.
Title Hirschmann Industrial HiVision Authentication Bypass Remote Code Execution
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Belden Hirschmann Industrial Hivision
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:02:03.320Z

Reserved: 2026-04-03T19:47:32.576Z

Link: CVE-2017-20237

cve-icon Vulnrichment

Updated: 2026-04-06T18:00:55.475Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-03T21:17:07.103

Modified: 2026-04-07T13:20:55.200

Link: CVE-2017-20237

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:22:12Z

Weaknesses