A critical security vulnerability that can lead to unauthenticated remote code execution has been discovered in the Genetec Security Center product line. This vulnerability was disclosed privately by a third-party organization hired by Genetec to conduct penetration tests on Security Center. There is currently no evidence of this vulnerability being exploited to attack Security Center systems.
This vulnerability affects the way Security Center parses messages received from the network. It can be exploited even when the attacker is not authenticated to Security Center. A successful exploit could allow the execution of arbitrary code and take control of the operating system hosting the Security Center role. The CVSS v3.0 base score for this vulnerability is 9.0 (Critical).
We have issued security patches (cumulative updates) for all affected versions and recommend that our customers apply the appropriate patch as soon as possible.
If you are unable to apply the patch (cumulative update) immediately, an alternative short-term option is to disconnect Security Center from the network until you can apply the patch, which should be done as soon as possible.
The patch is applicable to client and server components of Security Center. Note that the patch does not impact performance. All Cloud products affected by this vulnerability have already been patched.
Affected products and patch release version