{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0853", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2026-01-12T03:07:23.341Z", "datePublished": "2026-01-12T03:26:47.546Z", "dateUpdated": "2026-01-12T15:54:38.969Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "AP-RM864P", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AP-RM864", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AP-RM832P", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AP-RM832", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AP-RM816", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AP-BS416", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AP-BS408", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AP-BS404", "vendor": "A-Plus Video Technologies", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2026-01-12T03:16:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information."}], "value": "Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2026-01-12T03:26:47.546Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html"}, {"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/en/cp-139-10621-55584-2.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update firmware to version 2.2.0 or later."}], "value": "Update firmware to version 2.2.0 or later."}], "source": {"advisory": "TVN-202601002", "discovery": "EXTERNAL"}, "title": "A-Plus Video Technologies\uff5cNVR - Sensitive Data Exposure", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T15:54:24.725911Z", "id": "CVE-2026-0853", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T15:54:38.969Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0853", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T15:54:24.725911Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T15:54:35.448Z"}}], "cna": {"title": "A-Plus Video Technologies\uff5cNVR - Sensitive Data Exposure", "source": {"advisory": "TVN-202601002", "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "A-Plus Video Technologies", "product": "AP-RM864P", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "A-Plus Video Technologies", "product": "AP-RM864", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "A-Plus Video Technologies", "product": "AP-RM832P", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "A-Plus Video Technologies", "product": "AP-RM832", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "A-Plus Video Technologies", "product": "AP-RM816", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "A-Plus Video Technologies", "product": "AP-BS416", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "A-Plus Video Technologies", "product": "AP-BS408", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "A-Plus Video Technologies", "product": "AP-BS404", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update firmware to version 2.2.0 or later.", "supportingMedia": [{"type": "text/html", "value": "Update firmware to version 2.2.0 or later.", "base64": false}]}], "datePublic": "2026-01-12T03:16:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html", "tags": ["third-party-advisory"]}, {"url": "https://www.twcert.org.tw/en/cp-139-10621-55584-2.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.", "supportingMedia": [{"type": "text/html", "value": "Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2026-01-12T03:26:47.546Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0853", "state": "PUBLISHED", "dateUpdated": "2026-01-12T15:54:38.969Z", "dateReserved": "2026-01-12T03:07:23.341Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2026-01-12T03:26:47.546Z", "assignerShortName": "twcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information."}, {"lang": "es", "value": "Ciertos modelos de NVR desarrollados por A-Plus Video Technologies tienen una vulnerabilidad de Exposici\u00f3n de Datos Sensibles, permitiendo a atacantes remotos no autenticados acceder a la p\u00e1gina de depuraci\u00f3n y obtener informaci\u00f3n del estado del dispositivo."}], "id": "CVE-2026-0853", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "twcert@cert.org.tw", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2026-01-12T04:15:46.840", "references": [{"source": "twcert@cert.org.tw", "url": "https://www.twcert.org.tw/en/cp-139-10621-55584-2.html"}, {"source": "twcert@cert.org.tw", "url": "https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:02:42.028453+00:00", "value": {"mitigation_remediation": ["Update the firmware to version 2.2.0 or later, ensuring the debug page is removed or protected by authentication.", "If updating is not immediately possible, lock down the NVR\u2019s network access by placing it behind a firewall and blocking the ports used by the debug interface.", "Disable or remove any debug functionality from the device configuration to eliminate the exposure, and monitor incoming traffic for attempts to access the debug page."], "summary": {"action": "Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "A-Plus Video Technologies models AP\u2011BS404, AP\u2011BS408, AP\u2011BS416, AP\u2011RM816, AP\u2011RM832, AP\u2011RM832P, AP\u2011RM864, and AP\u2011RM864P are affected. Firmware versions earlier than 2.2.0 are vulnerable; devices running 2.2.0 or later include the fix.", "description_and_impact": "A-Plus Video Technologies NVR firmware contains a flaw that allows remote attackers to reach an unsecured debug page without authentication. By accessing this page, an attacker can view device status information, which may include configuration details, network layout, or other sensitive data. The vulnerability is classified under CWE\u2011497, indicating that sensitive information can be read without proper controls.", "risk_and_exploitability": "The CVSS score of 6.9 reflects a moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at the time of analysis. The flaw is not listed in CISA\u2019s KEV catalog. Attackers can exploit it by sending HTTP requests to the network interface of the NVR and retrieving the debug page, assuming the device is exposed to the Internet or an attacker\u2019s local network."}}}}, "created": "2026-04-18T07:15:25.846766+00:00", "updated": "2026-04-18T07:15:25.846778+00:00", "vendors": []}