CVE-2023-47674

Missing authentication for critical function vulnerability in First Corporation's DVRs allows a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround.

Published: 2023-11-16 Last update: 2025-06-11 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2023-47674 is rated High Risk (66.5/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.02%). Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2023-47674

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

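| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|------|----------------|----------------|-------------------|
| 1 | 2025-11-21 | 0.49% | 1.02% | +0.53% |
| 2 | 2025-11-18 | 1.02% | 0.49% | -0.53% |
| 3 | 2025-11-07 | | 1.02% | |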

Full EPSS history (9 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-47674

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|------------|---------|----------|--------|----------------|--------|--------------|
| 9.8 | 3.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | [email protected] |
| 9.8 | 3.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |

Both sources give the same vector, which breaks down as follows:

- Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
- Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
- Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
- User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
- Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
- Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
- Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
- Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2023-47674

Affected software / configurations for CVE-2023-47674

| Vendor | Product | Version | Raw CPE |
|--------|---------|---------|---------|
| c-first | cfr-1004ea_firmware | | `cpe:2.3:o:c-first:cfr-1004ea_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-1008ea_firmware | | `cpe:2.3:o:c-first:cfr-1008ea_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-1016ea_firmware | | `cpe:2.3:o:c-first:cfr-1016ea_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-16eaa_firmware | | `cpe:2.3:o:c-first:cfr-16eaa_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-16eab_firmware | | `cpe:2.3:o:c-first:cfr-16eab_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-16eha_firmware | | `cpe:2.3:o:c-first:cfr-16eha_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-16ehd_firmware | | `cpe:2.3:o:c-first:cfr-16ehd_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-4eaa_firmware | | `cpe:2.3:o:c-first:cfr-4eaa_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-4eaam_firmware | | `cpe:2.3:o:c-first:cfr-4eaam_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-4eab_firmware | | `cpe:2.3:o:c-first:cfr-4eab_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-4eabc_firmware | | `cpe:2.3:o:c-first:cfr-4eabc_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-4eha_firmware | | `cpe:2.3:o:c-first:cfr-4eha_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-4ehd_firmware | | `cpe:2.3:o:c-first:cfr-4ehd_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-8eaa_firmware | | `cpe:2.3:o:c-first:cfr-8eaa_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-8eab_firmware | | `cpe:2.3:o:c-first:cfr-8eab_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-8eha_firmware | | `cpe:2.3:o:c-first:cfr-8eha_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-8ehd_firmware | | `cpe:2.3:o:c-first:cfr-8ehd_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-904e_firmware | | `cpe:2.3:o:c-first:cfr-904e_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-908e_firmware | | `cpe:2.3:o:c-first:cfr-908e_firmware:-:*:*:*:*:*:*:*` |
| c-first | cfr-916e_firmware | | `cpe:2.3:o:c-first:cfr-916e_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-404aa_firmware | | `cpe:2.3:o:c-first:md-404aa_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-404ab_firmware | | `cpe:2.3:o:c-first:md-404ab_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-404ha_firmware | | `cpe:2.3:o:c-first:md-404ha_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-404hd_firmware | | `cpe:2.3:o:c-first:md-404hd_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-808aa_firmware | | `cpe:2.3:o:c-first:md-808aa_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-808ab_firmware | | `cpe:2.3:o:c-first:md-808ab_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-808ha_firmware | | `cpe:2.3:o:c-first:md-808ha_firmware:-:*:*:*:*:*:*:*` |
| c-first | md-808hd_firmware | | `cpe:2.3:o:c-first:md-808hd_firmware:-:*:*:*:*:*:*:*` |

References for CVE-2023-47674

cvelogic Threat Intelligence