Share
## https://sploitus.com/exploit?id=793F18B1-76F7-5FB0-BE01-1F72767C5A93
# CVE-2025-67159 โ€” Vatilon-based IP Cameras

## Summary
Vatilon-based IP camera firmware contains an **authentication bypass and plaintext credential
exposure vulnerability** in the `/cgi-bin/web.cgi` API. The web interface processes requests
containing `username` and `password` parameters in plaintext without validating authentication
state or session context, allowing unauthenticated attackers to retrieve sensitive device
information and administrative data.

**Vulnerability type:** Incorrect Access Control / Improper Authentication  
**Impact:** Remote Information Disclosure, Privilege Escalation  
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

---

## Affected Devices (Observed)
| Vendor  | Product / Notes | Firmware Version |
|--------|------------------|------------------|
| Vatilon | IP cameras (observed brand: JIENUO / devtype=PA4) | V1.12.37-20240124 (uboot-2016-20, kernel linux-4.9-12) |

*Other devices using the same Vatilon firmware may also be affected.*

---

## Proof-of-Concept Disclosure Notice
Reproduction details, packet captures, and raw request/response data are withheld from public
disclosure due to the high risk of abuse. Authorized parties (vendors, CERTs, CNAs) may request
additional technical details after verification.

---

## Additional Observations
- The `/cgi-bin/web.cgi` endpoint accepts `username` and `password` parameters via HTTP GET
  requests without enforcing authentication or session validation.  
- Credentials are transmitted in **plaintext** and are visible in network traffic and browser
  developer tools.  
- Direct access to `/view/player.html` can trigger unauthenticated API requests to
  `/cgi-bin/web.cgi`, even without a valid login session.  
- The web application appears to rely on client-side state rather than server-side authentication
  enforcement.

---

## Impact
- Plaintext administrator credentials can be exposed to unauthenticated attackers.  
- Attackers can retrieve device configuration and sensitive information remotely.  
- The vulnerability enables unauthorized access and may lead to full device compromise.  
- The issue can be exploited remotely without user interaction.

---

## Mitigation / Recommendations
1. Enforce server-side authentication and session validation for all `/cgi-bin/web.cgi` requests.  
2. Stop accepting plaintext credentials in URL parameters; use secure authentication mechanisms.  
3. Ensure that all web interface components require a valid authenticated session.  
4. Remove sensitive information from API responses.  
5. Apply firmware updates provided by the vendor when available.  
6. Restrict access to the device web interface using network-level controls.

---

## References
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-67159)
- [CVE.org Entry](https://vulners.com/cve/CVE-2025-67159)

---

## ์š”์•ฝ
Vatilon ๊ธฐ๋ฐ˜ IP ์นด๋ฉ”๋ผ ํŽŒ์›จ์–ด์—์„œ `/cgi-bin/web.cgi` API ์š”์ฒญ์— ๋Œ€ํ•ด
์ธ์ฆ ๋ฐ ์„ธ์…˜ ๊ฒ€์ฆ์ด ์ˆ˜ํ–‰๋˜์ง€ ์•Š๋Š” ์ทจ์•ฝ์ ์ด ํ™•์ธ๋˜์—ˆ์Šต๋‹ˆ๋‹ค.  
์ด๋กœ ์ธํ•ด ๊ณต๊ฒฉ์ž๋Š” ์ธ์ฆ๋˜์ง€ ์•Š์€ ์ƒํƒœ์—์„œ๋„ `username`๊ณผ `password`
ํŒŒ๋ผ๋ฏธํ„ฐ๋ฅผ ํฌํ•จํ•œ ์š”์ฒญ์„ ์ „์†กํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ํ•ด๋‹น ์ž๊ฒฉ ์ฆ๋ช…์ด ํ‰๋ฌธ์œผ๋กœ
๋…ธ์ถœ๋˜๊ณ  ๋ฏผ๊ฐํ•œ ์žฅ์น˜ ์ •๋ณด์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

**์ทจ์•ฝ์  ์œ ํ˜•:** ์ ‘๊ทผ ์ œ์–ด ๋ถˆ์ถฉ๋ถ„ / ์ธ์ฆ ๋ถ€์ ์ ˆ  
**์˜ํ–ฅ:** ์›๊ฒฉ ์ •๋ณด ๋…ธ์ถœ, ๊ถŒํ•œ ์ƒ์Šน  
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

---

## ์˜ํ–ฅ ๋Œ€์ƒ ์žฅ๋น„ (ํ™•์ธ๋œ ์‚ฌ๋ก€)
| ์ œ์กฐ์‚ฌ | ์ œํ’ˆ | ํŽŒ์›จ์–ด ๋ฒ„์ „ |
|--------|------|-------------|
| Vatilon | IP cameras (observed brand: JIENUO / devtype=PA4) | V1.12.37-20240124 (uboot-2016-20, kernel linux-4.9-12) |

---

## ๊ฐœ๋… ์ฆ๋ช…(์žฌํ˜„ ์ž๋ฃŒ) ๋น„๊ณต๊ฐœ ์•ˆ๋‚ด
์žฌํ˜„ ์ ˆ์ฐจ ๋ฐ ์›๋ณธ ์ฆ๊ฑฐ(PoC ์š”์ฒญ, PCAP, ๋ธŒ๋ผ์šฐ์ € ๋„คํŠธ์›Œํฌ ๋กœ๊ทธ ๋“ฑ)๋Š”
์•…์šฉ ์œ„ํ—˜์œผ๋กœ ์ธํ•ด ๊ณต๊ฐœํ•˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค. ๋ฒค๋”, CERT, CNA ๋“ฑ ๊ณต์ธ ๊ธฐ๊ด€์€
๊ฒ€์ฆ ํ›„ ์ถ”๊ฐ€ ๊ธฐ์ˆ  ์ •๋ณด๋ฅผ ์š”์ฒญํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

---

## ์ถ”๊ฐ€ ๊ด€์ฐฐ์‚ฌํ•ญ
- ์›น ์ธํ„ฐํŽ˜์ด์Šค๋Š” ์„œ๋ฒ„ ์ธก ์ธ์ฆ ๊ฒ€์ฆ ์—†์ด ํด๋ผ์ด์–ธํŠธ ์š”์ฒญ์„ ์‹ ๋ขฐํ•ฉ๋‹ˆ๋‹ค.  
- ์ŠคํŠธ๋ฆฌ๋ฐ ์ธํ„ฐํŽ˜์ด์Šค(`/view/player.html`) ์ ‘๊ทผ๋งŒ์œผ๋กœ๋„ ์ธ์ฆ๋˜์ง€ ์•Š์€
  API ํ˜ธ์ถœ์ด ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

---

## ์˜ํ–ฅ
- ์ธ์ฆ๋˜์ง€ ์•Š์€ ์ƒํƒœ์—์„œ ์žฅ์น˜ API ์ ‘๊ทผ ๊ฐ€๋Šฅ  
- ๊ด€๋ฆฌ์ž ์ž๊ฒฉ ์ฆ๋ช… ํ‰๋ฌธ ๋…ธ์ถœ ๊ฐ€๋Šฅ  
- ์›๊ฒฉ ๊ณต๊ฒฉ์„ ํ†ตํ•œ ์žฅ์น˜ ์„ค์ • ์œ ์ถœ ๋ฐ ์ถ”๊ฐ€ ์นจํ•ด ๊ฐ€๋Šฅ์„ฑ ์ฆ๊ฐ€

---

## ์™„ํ™” ๊ถŒ๊ณ 
1. ๋ชจ๋“  API ์š”์ฒญ์— ๋Œ€ํ•ด ์„œ๋ฒ„ ์ธก ์ธ์ฆ ๋ฐ ์„ธ์…˜ ๊ฒ€์ฆ์„ ๊ฐ•์ œํ•˜์‹ญ์‹œ์˜ค.  
2. ํ‰๋ฌธ ์ž๊ฒฉ ์ฆ๋ช… ์ „๋‹ฌ ๋ฐฉ์‹์„ ์ œ๊ฑฐํ•˜์‹ญ์‹œ์˜ค.  
3. ์ธ์ฆ๋˜์ง€ ์•Š์€ ์›น UI ์ ‘๊ทผ์„ ์ฐจ๋‹จํ•˜์‹ญ์‹œ์˜ค.  
4. ๋ฒค๋”์—์„œ ์ œ๊ณตํ•˜๋Š” ๋ณด์•ˆ ์—…๋ฐ์ดํŠธ๋ฅผ ์ ์šฉํ•˜์‹ญ์‹œ์˜ค.  
5. ๋น„์ •์ƒ์ ์ธ ์›น ์š”์ฒญ ๋ฐ ์ ‘๊ทผ ํŒจํ„ด์„ ๋ชจ๋‹ˆํ„ฐ๋งํ•˜์‹ญ์‹œ์˜ค.