A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administratorsThis issue affects Kiloview NDI N30 and was fixed in Firmware version later than 2.02.0246
The flaw lies in improper implementation of the authorization mechanism (CWE-287, CWE-290, CWE-346), which allows an attacker to remotely disable user identity verification. After disabling this mechanism, the attacker gains access to state-changing actions that should be reserved exclusively for administrators. The attack can be conducted remotely over the network without any credentials or interaction from an authorized user.
An attacker gains full access to the device's administrative functions, allowing arbitrary modification of its configuration and state. The consequence could be complete takeover of the Kiloview NDI N30 device and potential impact on the infrastructure with which it is integrated.
The Kiloview NDI N30 device firmware should be updated to a version later than 2.02.0246. The update is available on the manufacturer's website: https://www.kiloview.com/en/support/download/n30-firmware-downloadlatest/
Kiloview NDI N30 — firmware versions up to and including 2.02.0246
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X