A SQL injection vulnerability exists that could give an attacker remote unauthenticated access to the web user interface with administrator-level privileges.
he affected products are vulnerable to an unsafe deserialization of untrusted data. An attacker may be able to remotely modify deserialized data without authentication using a specially crafted web request, resulting in remote code execution.
MAXPRO VMS & NVR
Please refer to ICS advisory for the list of affected products and updated patches.