Description
Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.
Published: 2026-01-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch
AI Analysis

Impact

A-Plus Video Technologies NVR firmware contains a flaw that allows remote attackers to reach an unsecured debug page without authentication. By accessing this page, an attacker can view device status information, which may include configuration details, network layout, or other sensitive data. The vulnerability is classified under CWE‑497, indicating that sensitive information can be read without proper controls.

Affected Systems

A-Plus Video Technologies models AP‑BS404, AP‑BS408, AP‑BS416, AP‑RM816, AP‑RM832, AP‑RM832P, AP‑RM864, and AP‑RM864P are affected. Firmware versions earlier than 2.2.0 are vulnerable; devices running 2.2.0 or later include the fix.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at the time of analysis. The flaw is not listed in CISA’s KEV catalog. Attackers can exploit it by sending HTTP requests to the network interface of the NVR and retrieving the debug page, assuming the device is exposed to the Internet or an attacker’s local network.

Generated by OpenCVE AI on April 18, 2026 at 07:02 UTC.

Remediation

Vendor Solution

Update firmware to version 2.2.0 or later.

OpenCVE Recommended Actions

  • Update the firmware to version 2.2.0 or later, ensuring the debug page is removed or protected by authentication.
  • If updating is not immediately possible, lock down the NVR’s network access by placing it behind a firewall and blocking the ports used by the debug interface.
  • Disable or remove any debug functionality from the device configuration to eliminate the exposure, and monitor incoming traffic for attempts to access the debug page.

Generated by OpenCVE AI on April 18, 2026 at 07:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 04:00:00 +0000

Type Values Removed Values Added
Description Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.
Title A-Plus Video Technologies|NVR - Sensitive Data Exposure
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-12T15:54:38.969Z

Reserved: 2026-01-12T03:07:23.341Z

Link: CVE-2026-0853

cve-icon Vulnrichment

Updated: 2026-01-12T15:54:35.448Z

cve-icon NVD

Status : Deferred

Published: 2026-01-12T04:15:46.840

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0853

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses