Authenticated remote code execution or Command injection vulnerability in Barco NDN-210/NDN-211

Article number: [3417] - Legacy code: [KB11589]

This article applies to the following products:


The NDN-210 and NDN-211 have a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to perform authenticated remote code execution.

CVE: CVE-2020-17502, CVE-2020-17503, CVE-2020-17504

Severity: Medium

CVSS 3.1 Score: 6.8


The issue was notified to Barco through the Barco’s Responsible Disclosure program by fellow security researchers with Federal Police of Sweden namely Kristoffer Blasiak and Ulf Frisk.

Affected Products

The following products running versions prior to the release of TFN 3.8 are affected.

  • TransForm NDN-210 Lite
  • TransForm NDN-210 Pro
  • TransForm NDN-211 Lite
  • TransForm NDN-211 Pro


The fix is available as part of the Barco’s TransformN (TFN) 3.8 Release. It is highly recommended to apply the fixes as part of this package. TFN stands for Barco’s visualization platform, consisting of display wall controller output nodes, input nodes, system and gateway nodes and the Control room Management software Suite (CMS). TFN helps control room professionals to collect all possible types of source data as well as to organize and transform this source data in the most efficient and transparent way to create visual information on display walls. Further details of the release package are available in the release notes here


Last updated Jun 14 2022

Was this information helpful?