Skip to main content

March Networks is committed to ensuring the security and reliability of all of our products. We strive to proactively address security threats as they are reported by the US Computer Emergency Readiness Team (US-CERT). When we learn of potential vulnerabilities, our team conducts immediate, in-depth investigations across our product lines. If appropriate and required, we take immediate action to prepare software/firmware updates, and to alert you to the availability of these updates.

Security Advisories

Previous security updates impacting March Networks products are listed below, along with the corresponding software versions in which the vulnerability was addressed. Software updates are posted on our partner portal, and can also be found on our Software Downloads page.

If you don’t have access to our partner portal, contact your March Networks certified solution provider for assistance.

Stay up to date with email alerts.

Sign up for alerts

Reporting Security Vulnerabilities to March Networks

If you believe you have identified a security vulnerability in a March Networks product, please contact us immediately at securityalert@marchnetworks.com.

We value the work of independent security researchers who identify vulnerabilities and follow responsible disclosure practices.

Security Advisories

CVE Advisory Summary Products or Components Addressed in Release Severity
CVE-2023-4863 libwebp code injection execution in clients running Command Client Command Client Command Client 2.18.0 and higher, 2.17.2 and 2.16.3 Critical
CVE-2020-15778, CVE-2018-15473, CVE-2021-28041, CVE-2021-41617, CVE-2020-14145 OpenSSH update to avoid multiple medium security vulnerabilities. 8000, 9000 and RideSafe GT/MT/RT series Patch available for 5.24.0.0067 (GA) and 5.24.0.1001 (SP1) Medium
N/A Some security scanners show that the HTTP OPTIONS/DELETE methods are enabled, flagging a potential vulnerability without any further check, triggering a false alarm over Command Enterprise. Command Enterprise No Impact to March Networks products N/A
N/A March Networks 8000, 9000 and RideSafe Series recorders (R5) allow cameras and encoders to request authentication using weak protocols (NTLMv2 and basic authentication). 8000, 9000 and RideSafe Series recorders Visual Intelligence Software Suite 5.24.0.0067 High
N/A An authorized Command Enterprise user could forge a control message over the Command API to modify resource visibility outside of approved access. Command Enterprise 2.16.0 High
CVE-2022-3786,
CVE-2022-3602
X.509 certificates email address overflows in OpenSSL 3.0.0-3.06. Our products don't use any version of OpenSSL affected by this issue. All No Impact to March Networks products N/A
CVE-2022-22965 An attacker may inject remote code execution by exploiting Spring application running on JDK 9 or greater. None No Impact to March Networks products N/A
CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 An attacker may inject remote code execution by exploiting Log4j 1.2 components and functions not enabled or used by default: serialization in JMSSink, SQL injections in JDBCAppender, and Apache Chainsaw to view logs with a dedicated GUI-based log viewer.

Command Enterprise versions up to 2.14 use Apache Log4j 1.x without enabling any of the above components and functions. An attacker will need privileged access to Command Enterprise to enable them, so it is not affected by the exploits.

To completely avoid any confusion around these vulnerabilities, and for better future maintenance, in Command Enterprise 2.14.1, we replaced Log4j with Reload4j, a modern alternative to it.
None Command Enterprise 2.14.1 Low
CVE-2021-45105 An attacker may cause a denial of service when a crafted string is interpreted due to uncontrolled recursion from self-referential look-ups.

Command Enterprise uses Apache Log4j 1.x, which is not affected by this vulnerability.
None No Impact to March Networks products N/A
CVE-2021-4104 An attacker may exploit Log4j 1.2 configuration, not enabled by default, for a function called JMSAppender. This function may lead to perform JNDI requests, resulting in remote code execution in a similar fashion to CVE-2021-44228.

Command Enterprise uses Apache Log4j 1.x, without enabling JMSAppender. An attacker will already need privileged access to Command Enterprise to exploit it leveraging on this vulnerability.
None Command Enterprise 2.14.1 Low
N/A Authentication credentials are printed in clear in the device logs, after their first provisioning. The device serial number can be changed by pushing the configuration with Command Enterprise mass management or using a reserved API. VA Series 1.1.1
ME6 Series 1.1.4
SE2 ATM Camera 1.1.1
SE2 Fleet Wedge Camera 1.1.1
SE2 Fleet Dash Camera 1.1.1
SE2 Flush and Pendant PTZs 30X 1.0.9
ME3 Pendant IR PTZ 40X 1.0.9
SE4 IR DuraBullet 1.0.10
VA Series 1.1.2
ME6 Series 1.1.5
SE2 ATM Camera 1.1.2
SE2 Fleet Wedge Camera 1.1.2
SE2 Fleet Dash Camera 1.1.2
SE2 Flush and Pendant PTZs 30X 1.0.10
ME3 Pendant IR PTZ 40X 1.0.10
SE4 IR DuraBullet 1.0.11
High
CVE-2021-44228 An attacker may execute arbitrary code by injecting attacker-controlled data into a message logged with the Apache Log4j2 library versions between 2.0.0 and 2.14.1.

Command Enterprise uses Apache Log4j 1.x, which is not affected by this vulnerability.
None No Impact to March Networks products N/A
N/A Some versions of Admin Console allow basic authentications over HTTP connections towards Command Enterprise Admin Console version 5.17, 5.19, 5.20 (including all service packs prior to versions with the fix) 5.17 SP3, 5.19 SP3, 5.20 SP2. Versions below 5.17 and above 5.20 are not affected High
N/A Vulnerability in Xiaongmai-based devices None No Impact to March Networks products N/A
CVE-2019-9163 XAML code injection execution in clients running Command Client Command Client Command Client 2.7.2 Critical
CVE-2019-2422 Vulnerability in the Java SE component of Oracle Java SE None No Impact to March Networks products N/A
CVE-2019-2426 Vulnerability in the Java SE component of Oracle Java SE None No Impact to March Networks products N/A
CVE-2019-2449 Vulnerability in the Java SE component of Oracle Java SE None No Impact to March Networks products N/A
CVE-2019-11219 iLnkP2p None No Impact to March Networks products N/A
CVE-2019-11220 iLnkP2p None No Impact to March Networks products N/A
CVE-2018-1149 cgi_system in NUUO's NVRMini2 3.8.0 None No Impact to March Networks products N/A
CVE-2018-1150 NUUO's NVRMini2 3.8.0 None No Impact to March Networks products N/A
CVE-2018-10933 Libssh Authentication Bypass None No Impact to March Networks products N/A
CVE-2018-11212 Vulnerability in the Java SE component of Oracle Java SE None No Impact to March Networks products N/A
CVE-2017-5754 Rogue data cache load (Meltdown) 6000, 8000, 9000, GT, MT Series Recorders;
ME4 Series & Edge OS 2.x Devices
(including Edge 4 & Edge 16 Encoders)
Not necessary at this time Low
CVE-2017-5754 Rogue data cache load (Meltdown) All of our software that can be
installed on a Windows OS
Microsoft Security Patches only Medium
CVE-2017-5753 Bounds check bypass 6000, 8000, 9000, GT, MT Series Recorders;
Edge 4 & Edge 16 Encoders;
ME4 Series & Edge OS 2.x Devices
(including Edge 4 & Edge 16 Encoders)
Not necessary at this time Low
CVE-2017-5753 Bounds check bypass All of our software that can be
installed on a Windows OS
Microsoft Security Patches only Medium
CVE-2017-5715 Branch target injection (Spectre) 6000, 8000, 9000, GT, MT Series Recorders;
ME4 Series & Edge OS 2.x Devices
(including Edge 4 & Edge 16 Encoders)
Not necessary at this time Low
CVE-2017-5715 Branch target injection (Spectre) All of our software that can be
installed on a Windows OS
Microsoft Security Patches only Medium
CVE-2017-9765 gSOAP Various Edge OS 1.x and 2.x Devices Refer to chart Medium
CVE-2017-5638 Apache Struts Jakarta Multipart Parser N/A No Impact to March Networks products N/A
CVE-2016-0800 Cross-protocol attack on TLS using SSLv2 (DROWN) All No Impact to March Networks products N/A
CVE-2015-1798
CVE-2015-1799
NTP MiM/DOS attacks Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.10 Medium
N/A SSL Certificate Chain Contains RSA Keys Less Than 2048 bits Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.10 Medium
CVE-2015-2808 SSL RC4 Cipher Suites Supported Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.10 Medium
N/A Linux/Moose N/A No Impact to March Networks products Medium
CVE-2015-4000 Logjam Attack N/A No Impact to March Networks products Medium
CVE-2015-0247 e2fsprogs Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.9 SP1 Medium
CVE-2015-0235 Ghost Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.9 SP1 Medium
CVE-2015-0235 Ghost Visual Intelligence (R5)
3000 Series
5.5.1 SP18 Medium
CVE-2015-0293
and others
OpenSSL 0.9.8zf Visual Intelligence (R5)
3000 Series
5.5.1 SP18 High
N/A OpenSSL Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.9 Low
N/A NTP Utilities Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.9 Low
N/A Open SSH Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.9 Low
CVE-2015-0204 FREAK SSL/TLS Vulnerability All No Impact to March Networks products N/A
CVE-2015-0204 FREAK SSL/TLS Vulnerability Edge OS 1.x Devices 1.10.6 Medium
CVE-2015-0235 Linux “Ghost” Remote Code Execution Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.9 Low
CVE-2015-0160 Heartbeat Extension Packets Edge OS 1.x Devices 1.10.4 Medium
CVE-2014-2609 Oracle GlassFish Server Multiple Vulnerabilities Command Enterprise 1.8.0 Medium
CVE-2014-0224 OpenSSL 'ChangeCipherSpec' MiTM Vulnerability Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.5 - SP1
5.7.7
High
CVE-2014-0224 OpenSSL 'ChangeCipherSpec' MiTM Vulnerability Visual Intelligence (R5)
3204
5.5.1 - SP17 High
CVE-2014-0224 OpenSSL 'ChangeCipherSpec' MiTM Vulnerability Command Recorder 1.8.0 High
CVE-2014-3566 SSL protocol 3.0 Edge OS 1.x Devices 1.10.6 Medium
CVE-2014-0224 OpenSSL 'ChangeCipherSpec' MiTM Vulnerability Edge OS 1.x Devices 1.10.6 Low
CVE-2014-6271 GNU Bash vulnerability causing remote code execution None Not applicable to March Networks products N/A
CVE-2013-5211 NTP MONLIST vulnerability Visual Intelligence (R5)
8000
4000 (Gen 4)
5.7.2 - SP2
5.7.3 - SP4
5.7.4 - SP3
5.7.8 - SP1
High
CVE-2013-5211 NTP MONLIST vulnerability 5000 Series 4.9.1 - R4 DVRs High
CVE-2012-0920 Dropbear SSH server vulnerability Edge OS 1.x Devices 1.10.5 Medium
Sign up for our newsletter here Get the latest news and information on our IP video products with March Networks News. Subscribe now
Return to top