CVE-2020-36925
Arteco · Arteco Web Client Multiple Products
A critical vulnerability exists in Arteco Web Client products that allows an unauthenticated remote attacker to easily bypass security controls.
Executive summary
A critical vulnerability exists in Arteco Web Client products that allows an unauthenticated remote attacker to easily bypass security controls. By guessing session identifiers, an attacker can hijack an active user's session, granting them unauthorized access to live video surveillance streams. This presents a significant risk to physical security, privacy, and sensitive operational data.
Vulnerability
The vulnerability stems from insufficient session ID complexity within the Arteco Web Client. The application generates session identifiers that are predictable and fall within a specific, limited numeric range. A remote, unauthenticated attacker can exploit this weakness by creating a simple script to systematically guess or "brute force" session IDs until a valid, active one is found. Upon discovering a valid session ID, the attacker can use it to hijack the legitimate user's session, completely bypassing the authentication mechanism and gaining the same level of access as the compromised user, including viewing live camera feeds.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have severe consequences for the organization. Unauthorized access to live camera streams could lead to a major breach of privacy for employees and customers, facilitate corporate espionage by allowing competitors to monitor operations, or enable criminals to gather intelligence for a physical intrusion by observing security patrols and identifying vulnerabilities. The exposure of sensitive video data can also result in significant reputational damage, regulatory fines, and a loss of stakeholder trust.
Remediation
Immediate Action: The primary remediation is to apply the security patches provided by the vendor. Administrators should immediately update all affected Arteco Web Client products to the latest version to resolve the session ID generation flaw. Following the update, review web server and application access logs for any signs of brute-force attempts or unauthorized session access that may have occurred prior to patching.
Proactive Monitoring: Security teams should actively monitor web server logs for an abnormally high volume of requests with varying session IDs originating from a single IP address, as this is a key indicator of a brute-force attack. Implement alerts for unusual access patterns, such as logins from unexpected geographic locations or access to camera streams outside of normal business hours.
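One way to implement the log check described above, added here as an example and not part of the original advisory: it walks constructed access-log lines, counts the distinct session IDs each source IP presents inside a sliding time window, and reports how many of those requests were rejected and whether the IDs are consecutive (the signature of a limited numeric range being walked). The `sid` query parameter, the `/stream` path and the log layout are assumptions, not Arteco's actual format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Combined Log Format style). The "sid" query
# parameter and the /stream path are assumptions; Arteco's real names may differ.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2024:09:00:00 +0000] "GET /stream?sid=100240 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "GET /stream?sid=100236 HTTP/1.1" 403 12
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "GET /stream?sid=100237 HTTP/1.1" 403 12
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "GET /stream?sid=100238 HTTP/1.1" 403 12
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "GET /stream?sid=100239 HTTP/1.1" 403 12
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "GET /stream?sid=100240 HTTP/1.1" 200 5120
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\w+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SID_RE = re.compile(r"[?&]sid=(\d+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Returns (ip, timestamp, session_id, status), or None for lines without a sid.
    m = LOG_RE.match(line)
    sid = SID_RE.search(m.group("path")) if m else None
    if not sid:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(sid.group(1)), int(m.group("status"))

def find_session_guessing(lines, window=timedelta(seconds=60), min_distinct=5):
    """Flag source IPs presenting >= min_distinct different session IDs within one window."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec[0]].append(rec[1:])
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over this IP's requests
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            sids = sorted({s for _, s, _ in win})
            if len(sids) >= min_distinct:
                alerts[ip] = {
                    "distinct": len(sids),
                    "rejected": sum(st in (401, 403) for _, _, st in win),
                    # consecutive IDs point at a limited numeric range being walked
                    "sequential": all(b - a == 1 for a, b in zip(sids, sids[1:])),
                }
                break
    return alerts

if __name__ == "__main__":
    print(find_session_guessing(SAMPLE_LOG.splitlines()))
```

A rejected run that ends in a 200 from the same source is the pattern to treat as a probable hijack rather than a failed attempt; tune `window` and `min_distinct` to the normal request rate of your own deployment.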
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:
- Restrict network access to the Arteco Web Client interface to trusted internal IP addresses or networks using a firewall.
- Require users to connect via a Virtual Private Network (VPN) to access the web client, adding an extra layer of authentication.
- Deploy a Web Application Firewall (WAF) with rules to detect and block rapid, sequential session ID guessing attempts (rate-limiting).
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score of 9.8 and the simplicity of exploitation, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all affected Arteco Web Client instances be patched immediately. If patching must be delayed, the compensating controls listed above, particularly restricting access via a firewall or VPN, should be implemented as a matter of urgency. Do not rely on the lack of a CISA KEV listing as an indicator of low risk; the fundamental weakness in the session management mechanism makes these systems an attractive target.