Authenticated OS Command Injection in Bosch IP Cameras (CVE-2023-39509)
Summary
Improper input validation in the camera firmware lets an authenticated administrator run arbitrary operating-system commands directly on the camera. Because exploitation requires administrative rights, the practical risk centers on credential compromise, insider misuse, or a chained attack rather than a remote drive-by. A successful attack yields full control of the device, including the ability to repurpose it as a network foothold.
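To make the vulnerability class concrete, the following Python snippet is an added illustration (not Bosch firmware code, and not taken from the advisory) of an administrative diagnostic parameter spliced into a shell string, beside the hardened form that validates the value against an allowlist and executes without a shell. The endpoint, the parameter name `iface`, the interface-name format and the sample request log lines are all assumptions constructed for the example.

```python
import re
import subprocess

# Constructed illustration of authenticated OS command injection caused by
# improper input validation. Not Bosch code; the diagnostic command, the
# parameter name and the interface-name format are assumptions.

# Allowlist for a hypothetical interface-name parameter: letters, digits,
# dot, hyphen and underscore, 1-15 characters (Linux IFNAMSIZ minus one).
_IFACE_RE = re.compile(r"^[A-Za-z0-9._-]{1,15}$")


def unsafe_command(iface: str) -> str:
    """Vulnerable pattern: the admin-supplied value is concatenated into a
    shell command line. Any character the shell treats specially (; | & $ `
    newline) changes what actually runs. Returned here as a string; the
    vulnerable code path would hand it to a shell unchanged."""
    return f"ip link show {iface}"


def safe_argv(iface: str) -> list[str]:
    """Hardened pattern: reject anything outside the allowlist, then build an
    argv list so the value is one argument and never shell syntax."""
    if _IFACE_RE.fullmatch(iface) is None:
        raise ValueError(f"invalid interface name: {iface!r}")
    return ["ip", "link", "show", iface]


def run_diagnostic(iface: str) -> subprocess.CompletedProcess:
    """Run the validated argv without shell=True, so each element reaches
    execve verbatim. Raises ValueError before executing anything if the
    input fails validation."""
    return subprocess.run(safe_argv(iface), capture_output=True, text=True, check=False)


# Constructed request log lines (assumed format: "METHOD PATH?QUERY STATUS").
SAMPLE_LOG = [
    "POST /admin/diag?iface=eth0 200",
    "POST /admin/diag?iface=wlan0 200",
    "POST /admin/diag?iface=eth0;id 200",
    "POST /admin/diag?iface=eth0%20%26%26%20id 200",
]

_IFACE_PARAM = re.compile(r"[?&]iface=([^ &]*)")


def flag_suspicious_requests(log_lines: list[str]) -> list[str]:
    """Detection helper: return log lines whose iface value would not pass
    the allowlist. Percent-encoded values are decoded before checking so an
    encoded space or ampersand does not slip through."""
    from urllib.parse import unquote
    flagged = []
    for line in log_lines:
        m = _IFACE_PARAM.search(line)
        if m and _IFACE_RE.fullmatch(unquote(m.group(1))) is None:
            flagged.append(line)
    return flagged
```

The detection helper is the same allowlist applied after the fact to request logs, which is the simplest hunt for misuse of such a parameter once a device is known to be unpatched.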
Affected products
Bosch IP cameras on the CPP13 and CPP14 platforms running firmware earlier than the fixed versions listed under Remediation.
Impact
Arbitrary command execution on the camera OS with full confidentiality, integrity, and availability impact, enabling persistent implants, pivoting into the surveillance network, or bricking the device. The high-privilege precondition lowers the likelihood, but the outcome is total device compromise, which is significant for cameras placed in sensitive or perimeter locations.
Remediation
Update affected cameras to fixed firmware (CPP13: 8.90.0037 or later; CPP14: 9.00.0210 or later) and reboot after the update completes. Enforce strong, unique administrator credentials, disable unused admin accounts, and avoid following untrusted links while an active camera management session is open. Uniqcli Security can identify CPP13/CPP14 devices in your estate, schedule the firmware rollout with post-update reboots, and audit admin-account hygiene so the authentication precondition stays intact.
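The firmware thresholds above are easy to get wrong with a plain string comparison (for example "9.00.0210" sorts after "10.00.0001" as text). The following Python script is an added example, not tooling from the advisory or from Bosch, that audits a device inventory against the fixed versions stated on this page. The inventory format, the camera names and the firmware values in the sample data are constructed for the example.

```python
from dataclasses import dataclass

# Fixed firmware versions as stated in the advisory for CVE-2023-39509.
FIXED_FIRMWARE = {
    "CPP13": "8.90.0037",
    "CPP14": "9.00.0210",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Convert 'major.minor.build' into a tuple of ints so that comparison is
    numeric per component. Leading zeros ('0037') are handled by int()."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Camera:
    name: str
    platform: str   # e.g. "CPP13", "CPP14", or another Bosch platform
    firmware: str   # version string as reported by the device


def needs_update(cam: Camera) -> bool:
    """True when the camera is on an affected platform and runs firmware older
    than the fixed version. Cameras on other platforms are not in scope for
    this advisory and return False."""
    fixed = FIXED_FIRMWARE.get(cam.platform.strip().upper())
    if fixed is None:
        return False
    return parse_version(cam.firmware) < parse_version(fixed)


def audit_fleet(cams: list[Camera]) -> dict[str, list[str]]:
    """Bucket cameras into 'update' (vulnerable), 'ok' (fixed or out of
    scope) and 'unknown' (firmware string could not be parsed, which should
    be checked by hand rather than silently treated as safe)."""
    result = {"update": [], "ok": [], "unknown": []}
    for cam in cams:
        try:
            bucket = "update" if needs_update(cam) else "ok"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(cam.name)
    return result


# Constructed sample inventory; names and firmware values are made up.
SAMPLE_FLEET = [
    Camera("lobby-cam", "CPP13", "8.80.0012"),
    Camera("dock-cam", "CPP13", "8.90.0037"),   # exactly the fixed version
    Camera("gate-cam", "CPP14", "9.00.0205"),
    Camera("roof-cam", "CPP14", "9.10.0001"),
    Camera("legacy-cam", "CPP7", "6.50.0100"),  # platform not in scope
    Camera("mystery-cam", "CPP14", "n/a"),      # inventory has no version
]

if __name__ == "__main__":
    for bucket, names in audit_fleet(SAMPLE_FLEET).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices in the "unknown" bucket deserve a manual check: an inventory entry without a parseable version is more often a stale record than a safe device.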
Want us to handle it?
We patch, harden or replace affected devices and document the closeout.
Request a fleet scan
Scan your fleet for vulnerable or banned devices.
Tell us what you need secured. We'll confirm compliance, design the system, and quote it — no payment up front.
