Multiple vulnerabilities in MAP intrusion panel
BOSCH-SA-688644-BT
Advisory Information
- Advisory ID: BOSCH-SA-688644-BT
- CVE Numbers and CVSS v3.1 Scores:
  - CVE-2021-3449
    - Base Score: 5.9 (Medium)
    - Temporal Score: 5.5 (Medium)
    - Environmental Score: 7.1 (High)
  - CVE-2023-48795
    - Base Score: 5.9 (Medium)
- Published: 19 Nov 2025
- Last Updated: 19 Nov 2025
Summary
The MAP 5000 is susceptible to multiple vulnerabilities.
Vulnerability CVE-2021-3449 can lead to system crashes caused by DoS attacks. Such vulnerabilities allow malicious actors to disrupt service, resulting in downtime and loss of access for legitimate users, which can severely impact business operations.
Vulnerability CVE-2023-48795 constitutes a weakness in secure communication protocols, potentially exposing sensitive data to unauthorized access and manipulation. Such vulnerabilities compromise the confidentiality of information transmitted over the network and can lead to integrity issues, where data may be altered without detection.
Affected Products
- Bosch MAP 5000 family
  - CVE-2021-3449
    - Version(s): < Bundle 1.48.1
  - CVE-2023-48795
    - Version(s): < Bundle 1.48.1
Solution and Mitigations
Software Updates
The recommended approach is to update the affected Bosch firmware. If an update is not possible in a timely manner, users are advised to follow the mitigations and workarounds described in the following section. The versions that fix this issue are listed in the Advisory Appendix.
A reboot of the device is required after uploading the update.
The version of the firmware should be checked after the update to confirm successful installation.
Network Segmentation
By segmenting the network, you can make it more difficult for an attacker to move laterally within the network, thus reducing the likelihood of a successful attack.
Vulnerability Details
CVE-2021-3449
The MAP 5000 may crash because its OpenSSL TLS server mishandles a maliciously crafted renegotiation ClientHello message from a client.
CVE description: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:H/MAV:X/MAC:H/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
- Base Score: 5.9 (Medium)
- Temporal Score: 5.5 (Medium)
- Environmental Score: 7.1 (High)
CVE-2023-48795
The OpenSSH server version in the MAP 5000 is susceptible to security downgrade attacks on SSH connections, also known as the Terrapin attack.
CVE description: A flaw was found in the SSH channel integrity. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure in OpenSSH 9.5 against keystroke timing attacks.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
- Base Score: 5.9 (Medium)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
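Added example, not part of the Bosch advisory: a CVSS v3.1 calculator following the FIRST specification formulas. It reproduces the base, temporal and environmental scores for the two vector strings in this advisory, so a customer can substitute site-specific environmental metrics (for example AR or MAV) and recompute. All function and constant names are this example's own.

```python
import math

W = {  # CVSS v3.1 metric weights (FIRST specification)
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
           "C": {"N": 0.85, "L": 0.68, "H": 0.5}},   # scope changed
    "E": {"X": 1, "H": 1, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1, "U": 1, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1, "C": 1, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1, "H": 1.5, "M": 1, "L": 0.5},     # CR / IR / AR
}
# The two vector strings printed in this advisory.
TLS_VECTOR = ("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:H"
              "/MAV:X/MAC:H/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X")
SSH_VECTOR = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"

def roundup(x):
    """Spec-defined Roundup: smallest one-decimal value >= x."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def _score(m, pre, iss_cap, req):
    """Shared base/environmental core; pre is '' (base) or 'M' (modified)."""
    g = lambda k: m[k] if m.get(pre + k, "X") == "X" else m[pre + k]
    s = g("S")
    iss = 1.0
    for k in "CIA":
        iss *= 1 - req.get(k, 1) * W["CIA"][g(k)]
    iss = min(1 - iss, iss_cap)
    expl = 8.22 * W["AV"][g("AV")] * W["AC"][g("AC")] * W["PR"][s][g("PR")] * W["UI"][g("UI")]
    if s == "U":
        impact, factor = 6.42 * iss, 1.0
    elif pre:  # modified impact, scope changed
        impact, factor = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13, 1.08
    else:      # base impact, scope changed
        impact, factor = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15, 1.08
    return 0.0 if impact <= 0 else roundup(min(factor * (impact + expl), 10))

def cvss31(vector):
    """Return (base, temporal, environmental) for a CVSS:3.1 vector string."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    t = W["E"][m.get("E", "X")] * W["RL"][m.get("RL", "X")] * W["RC"][m.get("RC", "X")]
    req = {k: W["REQ"][m.get(k + "R", "X")] for k in "CIA"}
    base = _score(m, "", 1.0, {})
    return base, roundup(base * t), roundup(_score(m, "M", 0.915, req) * t)
```
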
Additional Resources
- [1] Contact us webpage: https://www.boschsecurity.com/en/contact/
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
- 19 Nov 2025: Initial Publication
Appendix
Certified Partner Portal
Firmware can be downloaded from the Certified Partner Portal. To get access to the Certified Partner Portal, please get in contact with your authorized MAP sales representative.
Fixed Versions
| Product Name | CTN | SAP# | Version to fix the issue |
|---|---|---|---|
| MAP5000 panel | ICP-MAP5000-2 | F01U.245.556 | Bundle 1.48.1 |
| MAP5000 panel, small | ICP-MAP5000-S | F01U.296.016 | Bundle 1.48.1 |
| MAP5000 panel, com | ICP-MAP5000-COM | F01U.289.149 | Bundle 1.48.1 |
| MAP5000 panel, small, com | ICP-MAP5000-SC | F01U.299.120 | Bundle 1.48.1 |