HIGH 7.5

CVE-2026-10056: Nx Witness VMS CORS Misconfiguration & Session Token Theft

Network Optix Nx Witness VMS contains a cross-origin resource sharing (CORS) misconfiguration in its REST API that allows an unauthenticated attacker to steal a logged-in user's session token and hijack their administrator account. The vulnerability exists only in the default Standard security mode on Linux and Windows systems running versions prior to 6.1.2. An attacker would craft a malicious web page and trick a victim into visiting it while authenticated to the VMS; the browser would then leak the session credentials to the attacker. The High security mode configuration is not affected by this flaw.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-942
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround: For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup. Solution: Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper CORS configuration where Access-Control-Allow-Credentials is set to true in the default Standard security mode, violating the principle of least privilege for credential exposure. When a user visits a malicious cross-origin page, the browser's same-origin policy is bypassed for credentialed requests, allowing JavaScript running on that page to read the session token from the Nx Witness REST API response. The attacker gains the privileges of the authenticated user, typically administrative access. This is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The High security mode correctly sets this header to false, preventing the token leak.

Business impact

Compromise of a Nx Witness VMS administrator account grants an attacker full control over video surveillance infrastructure, including the ability to disable recording, delete footage, modify user accounts, and potentially exfiltrate sensitive video data. For organizations relying on VMS for physical security monitoring, facility compliance, or forensic investigation, account takeover poses significant operational and legal risk. The attack requires user interaction but no technical sophistication, making it a credible threat in phishing or watering-hole scenarios targeting VMS operators.

Affected systems

Network Optix Nx Witness VMS versions prior to 6.1.2 running on Linux and Windows in the default Standard security mode are vulnerable. Systems configured with High security mode are not affected. This includes both newly deployed and existing installations unless manually patched or reconfigured.

Exploitability

Exploitation requires moderate complexity: an attacker must create a malicious web page, socially engineer or otherwise induce an authenticated VMS user to visit it, and the victim's browser must have an active authenticated session with the Nx Witness API. The attack is not wormable or self-propagating. However, the barrier to exploitation is low for a determined attacker, and VMS operators may be targeted through phishing or compromised third-party sites.

Remediation

Upgrade Nx Witness VMS to version 6.1.2 or later, which disables credential inclusion in CORS responses by default. For existing installations that cannot be immediately upgraded, apply the temporary workaround by executing a REST API PATCH request to /rest/v2/system/settings with the body {"supportedOrigins": "null"}, which sets Access-Control-Allow-Credentials to false. Alternatively, reconfigure the installation to use High security mode at setup time.

Patch guidance

Download and deploy Nx Witness VMS 6.1.2 or later from Network Optix following the vendor's update procedures. Verify the upgrade completes successfully and confirm that the REST API no longer includes Access-Control-Allow-Credentials: true headers in responses. For air-gapped environments or phased deployments, prioritize systems exposed to untrusted networks. Test patching in a non-production environment first to ensure compatibility with existing integrations and configurations.

Detection guidance

Monitor REST API logs for unusual cross-origin requests (look for Origin headers from unexpected domains) and authentication events from unexpected geographic locations or times. Analyze HTTP response headers to confirm Access-Control-Allow-Credentials is set to false. Alert on rapid session token generation or use of administrator credentials from new IP addresses. Correlate browser security logs from operator workstations for visits to untrusted domains during authenticated VMS sessions. Check system configuration to verify Standard mode systems have the workaround applied or are running version 6.1.2+.

Why prioritize this

This vulnerability warrants high-priority remediation because it enables complete compromise of VMS administrator accounts with minimal attacker effort and moderate user interaction. VMS systems are critical infrastructure for physical security and compliance. The fix is straightforward and non-disruptive. Organizations should prioritize patch deployment or apply the workaround within 30 days, particularly for internet-exposed or frequently-accessed VMS instances.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects high confidentiality and integrity impact (session token and account takeover), network-based attack vector, but higher attack complexity due to the user interaction requirement and the conditional nature of the vulnerability (Standard mode only). The score does not account for the widespread use of VMS in critical security operations, which elevates business risk beyond the base metric.

Frequently asked questions

Does this vulnerability affect Nx Witness VMS in High security mode?

No. High security mode is not affected because it correctly sets Access-Control-Allow-Credentials to false by default. If your installation is already configured in High security mode, you are not vulnerable to this issue.

Can I work around this without upgrading immediately?

Yes. Until you can upgrade to version 6.1.2 or later, execute a PATCH request to /rest/v2/system/settings with the body {"supportedOrigins": "null"}. This disables credential inclusion in CORS responses and blocks the attack. Verify the change by checking API response headers to confirm Access-Control-Allow-Credentials is no longer present or set to true.

How would an attacker actually exploit this in practice?

An attacker would create a malicious website containing JavaScript that makes requests to your Nx Witness API. If a VMS administrator visits that website while logged into Nx Witness in the same browser, the attacker's code can steal the session token and use it to access the VMS as that administrator. The attacker does not need to break into your network; the victim's own browser facilitates the attack.

What should I prioritize if I have multiple Nx Witness deployments?

Prioritize systems that handle sensitive footage, are internet-accessible, or have operators who access untrusted web content. Systems in isolated air-gapped networks or accessed only by trained personnel from trusted machines represent lower immediate risk. Apply the temporary workaround to all Standard mode systems in the interim, then schedule patches across all versions before 6.1.2.

This analysis is based on the publicly available vulnerability description and CVSS metrics provided as of the publication date. Patch version numbers, affected product versions, and technical details should be verified against Network Optix's official security advisories and release notes. Organizations should conduct internal testing before deploying patches in production environments. The presence or absence of this vulnerability in non-Standard security modes should be confirmed through direct testing or vendor documentation specific to your deployment. SEC.co does not provide legal or compliance advice regarding breach notification or regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).