PatchSiren

PatchSiren cyber security CVE debrief

CVE-2014-8362 Vivint CVE debrief

CVE-2014-8362 describes a critical access-control issue in Vivint Sky Control Panel firmware 1.1.1.9926. NVD states that remote attackers can enable or disable the alarm system and modify other security settings through the web-enabled interface. The NVD record maps the issue to CWE-284 (Improper Access Control) and assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting severe confidentiality, integrity, and availability impact if the interface is reachable.

Vendor
Vivint
Product
CVE-2014-8362
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Organizations and homeowners operating Vivint Sky Control Panel firmware 1.1.1.9926, plus security teams responsible for connected alarm systems, home-automation networks, and any remote-management exposure to the panel’s web interface.

Technical summary

The supplied NVD record identifies a vulnerable firmware version (cpe:2.3:o:vivint:sky_control_panel_firmware:1.1.1.9926) and describes remote modification of alarm state and other security settings via the web-enabled interface. NVD categorizes the weakness as CWE-284. The record’s CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network-reachable impact with no privileges or user interaction required, and the vulnerability is scored 9.8/CRITICAL.

Defensive priority

High. A network-reachable control surface for an alarm system can directly affect physical security outcomes, so any exposed instance of the affected firmware should be prioritized for containment and validation.

Recommended defensive actions

  • Identify whether any Vivint Sky Control Panel devices are running firmware 1.1.1.9926.
  • Restrict or remove network access to the web-enabled interface, especially from untrusted networks.
  • Segment alarm and home-automation devices from general user and guest networks.
  • Disable remote management or web access if it is not required for operations.
  • Check with the vendor or device support channel for a remediated firmware version or official mitigation guidance.
  • Review device configuration and access logs for unexpected changes to alarm state or security settings.

Evidence notes

Supported by the official NVD record for CVE-2014-8362 and its listed references. NVD metadata includes the vulnerable CPE for Vivint Sky Control Panel firmware 1.1.1.9926, CWE-284, and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The NVD reference list also includes a third-party advisory/VDB entry titled 'Vivint Sky Control Panel Unauthenticated Access.' The CVE record was published on 2017-01-23 and modified on 2026-05-13; those dates reflect record publication/update timing, not the original vulnerability creation date.

Official resources

Public vulnerability record published by CVE.org and NVD on 2017-01-23, with the NVD entry later modified on 2026-05-13. The supplied corpus does not include a vendor remediation bulletin or patch advisory.