Genetec Security Center
Monthly
Unauthenticated video stream access in Genetec Security Center 5.14.0.0 (builds prior to 5.14.178.18) lets remote attackers pull live video feeds by exploiting a flaw in the authentication mechanism that guards video stream requests. Because the CVSS vector is AV:N/PR:N/UI:N, no credentials or user interaction are needed, and the CWE-287 root cause means the stream endpoint fails to properly verify the requester's identity. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.
Local credential exposure in Genetec Security Center main server installations allows an attacker with local OS privileges on the main server host to retrieve Server Admin credentials, enabling escalation to full Security Center administrative control. The flaw is tied to specific vulnerable installer builds rather than version numbers, meaning hosts running 5.10.4.0, 5.11.3.0, 5.12.2.0 or 5.13.3.0 may or may not be vulnerable depending on the installation package hash. No public exploit identified at time of analysis and no evidence of active exploitation per the vendor advisory.
SQL injection in Genetec Security Center's Access Manager role enables a remote attacker with high privileges to achieve full confidentiality, integrity, and availability impact against the underlying database. The vulnerability spans multiple major release branches (5.9 through 5.13) of this widely deployed physical security management platform, covering access control, video surveillance, and license plate recognition environments. Vendor-released patches are confirmed available for the 5.12 and 5.13 branches; no public exploit has been identified at time of analysis and SSVC assessment confirms no current exploitation activity.
Unauthenticated video stream access in Genetec Security Center 5.14.0.0 (builds prior to 5.14.178.18) lets remote attackers pull live video feeds by exploiting a flaw in the authentication mechanism that guards video stream requests. Because the CVSS vector is AV:N/PR:N/UI:N, no credentials or user interaction are needed, and the CWE-287 root cause means the stream endpoint fails to properly verify the requester's identity. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.
Local credential exposure in Genetec Security Center main server installations allows an attacker with local OS privileges on the main server host to retrieve Server Admin credentials, enabling escalation to full Security Center administrative control. The flaw is tied to specific vulnerable installer builds rather than version numbers, meaning hosts running 5.10.4.0, 5.11.3.0, 5.12.2.0 or 5.13.3.0 may or may not be vulnerable depending on the installation package hash. No public exploit identified at time of analysis and no evidence of active exploitation per the vendor advisory.
SQL injection in Genetec Security Center's Access Manager role enables a remote attacker with high privileges to achieve full confidentiality, integrity, and availability impact against the underlying database. The vulnerability spans multiple major release branches (5.9 through 5.13) of this widely deployed physical security management platform, covering access control, video surveillance, and license plate recognition environments. Vendor-released patches are confirmed available for the 5.12 and 5.13 branches; no public exploit has been identified at time of analysis and SSVC assessment confirms no current exploitation activity.