Share
## https://sploitus.com/exploit?id=793F18B1-76F7-5FB0-BE01-1F72767C5A93
# CVE-2025-67159 โ Vatilon-based IP Cameras
## Summary
Vatilon-based IP camera firmware contains an **authentication bypass and plaintext credential
exposure vulnerability** in the `/cgi-bin/web.cgi` API. The web interface processes requests
containing `username` and `password` parameters in plaintext without validating authentication
state or session context, allowing unauthenticated attackers to retrieve sensitive device
information and administrative data.
**Vulnerability type:** Incorrect Access Control / Improper Authentication
**Impact:** Remote Information Disclosure, Privilege Escalation
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
---
## Affected Devices (Observed)
| Vendor | Product / Notes | Firmware Version |
|--------|------------------|------------------|
| Vatilon | IP cameras (observed brand: JIENUO / devtype=PA4) | V1.12.37-20240124 (uboot-2016-20, kernel linux-4.9-12) |
*Other devices using the same Vatilon firmware may also be affected.*
---
## Proof-of-Concept Disclosure Notice
Reproduction details, packet captures, and raw request/response data are withheld from public
disclosure due to the high risk of abuse. Authorized parties (vendors, CERTs, CNAs) may request
additional technical details after verification.
---
## Additional Observations
- The `/cgi-bin/web.cgi` endpoint accepts `username` and `password` parameters via HTTP GET
requests without enforcing authentication or session validation.
- Credentials are transmitted in **plaintext** and are visible in network traffic and browser
developer tools.
- Direct access to `/view/player.html` can trigger unauthenticated API requests to
`/cgi-bin/web.cgi`, even without a valid login session.
- The web application appears to rely on client-side state rather than server-side authentication
enforcement.
---
## Impact
- Plaintext administrator credentials can be exposed to unauthenticated attackers.
- Attackers can retrieve device configuration and sensitive information remotely.
- The vulnerability enables unauthorized access and may lead to full device compromise.
- The issue can be exploited remotely without user interaction.
---
## Mitigation / Recommendations
1. Enforce server-side authentication and session validation for all `/cgi-bin/web.cgi` requests.
2. Stop accepting plaintext credentials in URL parameters; use secure authentication mechanisms.
3. Ensure that all web interface components require a valid authenticated session.
4. Remove sensitive information from API responses.
5. Apply firmware updates provided by the vendor when available.
6. Restrict access to the device web interface using network-level controls.
---
## References
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-67159)
- [CVE.org Entry](https://vulners.com/cve/CVE-2025-67159)
---
## ์์ฝ
Vatilon ๊ธฐ๋ฐ IP ์นด๋ฉ๋ผ ํ์จ์ด์์ `/cgi-bin/web.cgi` API ์์ฒญ์ ๋ํด
์ธ์ฆ ๋ฐ ์ธ์
๊ฒ์ฆ์ด ์ํ๋์ง ์๋ ์ทจ์ฝ์ ์ด ํ์ธ๋์์ต๋๋ค.
์ด๋ก ์ธํด ๊ณต๊ฒฉ์๋ ์ธ์ฆ๋์ง ์์ ์ํ์์๋ `username`๊ณผ `password`
ํ๋ผ๋ฏธํฐ๋ฅผ ํฌํจํ ์์ฒญ์ ์ ์กํ ์ ์์ผ๋ฉฐ, ํด๋น ์๊ฒฉ ์ฆ๋ช
์ด ํ๋ฌธ์ผ๋ก
๋
ธ์ถ๋๊ณ ๋ฏผ๊ฐํ ์ฅ์น ์ ๋ณด์ ์ ๊ทผํ ์ ์์ต๋๋ค.
**์ทจ์ฝ์ ์ ํ:** ์ ๊ทผ ์ ์ด ๋ถ์ถฉ๋ถ / ์ธ์ฆ ๋ถ์ ์
**์ํฅ:** ์๊ฒฉ ์ ๋ณด ๋
ธ์ถ, ๊ถํ ์์น
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
---
## ์ํฅ ๋์ ์ฅ๋น (ํ์ธ๋ ์ฌ๋ก)
| ์ ์กฐ์ฌ | ์ ํ | ํ์จ์ด ๋ฒ์ |
|--------|------|-------------|
| Vatilon | IP cameras (observed brand: JIENUO / devtype=PA4) | V1.12.37-20240124 (uboot-2016-20, kernel linux-4.9-12) |
---
## ๊ฐ๋
์ฆ๋ช
(์ฌํ ์๋ฃ) ๋น๊ณต๊ฐ ์๋ด
์ฌํ ์ ์ฐจ ๋ฐ ์๋ณธ ์ฆ๊ฑฐ(PoC ์์ฒญ, PCAP, ๋ธ๋ผ์ฐ์ ๋คํธ์ํฌ ๋ก๊ทธ ๋ฑ)๋
์
์ฉ ์ํ์ผ๋ก ์ธํด ๊ณต๊ฐํ์ง ์์ต๋๋ค. ๋ฒค๋, CERT, CNA ๋ฑ ๊ณต์ธ ๊ธฐ๊ด์
๊ฒ์ฆ ํ ์ถ๊ฐ ๊ธฐ์ ์ ๋ณด๋ฅผ ์์ฒญํ ์ ์์ต๋๋ค.
---
## ์ถ๊ฐ ๊ด์ฐฐ์ฌํญ
- ์น ์ธํฐํ์ด์ค๋ ์๋ฒ ์ธก ์ธ์ฆ ๊ฒ์ฆ ์์ด ํด๋ผ์ด์ธํธ ์์ฒญ์ ์ ๋ขฐํฉ๋๋ค.
- ์คํธ๋ฆฌ๋ฐ ์ธํฐํ์ด์ค(`/view/player.html`) ์ ๊ทผ๋ง์ผ๋ก๋ ์ธ์ฆ๋์ง ์์
API ํธ์ถ์ด ๋ฐ์ํ ์ ์์ต๋๋ค.
---
## ์ํฅ
- ์ธ์ฆ๋์ง ์์ ์ํ์์ ์ฅ์น API ์ ๊ทผ ๊ฐ๋ฅ
- ๊ด๋ฆฌ์ ์๊ฒฉ ์ฆ๋ช
ํ๋ฌธ ๋
ธ์ถ ๊ฐ๋ฅ
- ์๊ฒฉ ๊ณต๊ฒฉ์ ํตํ ์ฅ์น ์ค์ ์ ์ถ ๋ฐ ์ถ๊ฐ ์นจํด ๊ฐ๋ฅ์ฑ ์ฆ๊ฐ
---
## ์ํ ๊ถ๊ณ
1. ๋ชจ๋ API ์์ฒญ์ ๋ํด ์๋ฒ ์ธก ์ธ์ฆ ๋ฐ ์ธ์
๊ฒ์ฆ์ ๊ฐ์ ํ์ญ์์ค.
2. ํ๋ฌธ ์๊ฒฉ ์ฆ๋ช
์ ๋ฌ ๋ฐฉ์์ ์ ๊ฑฐํ์ญ์์ค.
3. ์ธ์ฆ๋์ง ์์ ์น UI ์ ๊ทผ์ ์ฐจ๋จํ์ญ์์ค.
4. ๋ฒค๋์์ ์ ๊ณตํ๋ ๋ณด์ ์
๋ฐ์ดํธ๋ฅผ ์ ์ฉํ์ญ์์ค.
5. ๋น์ ์์ ์ธ ์น ์์ฒญ ๋ฐ ์ ๊ทผ ํจํด์ ๋ชจ๋ํฐ๋งํ์ญ์์ค.