Share
## https://sploitus.com/exploit?id=D33A9788-B3A4-5DF0-900D-097388393366
# CVE-2025-67158 β Revotech I6032W-FHW
## Summary
The Revotech I6032W-FHW IP camera firmware contains an **authentication bypass vulnerability**
in the `/cgi-bin/jvsweb.cgi` endpoint. The device does not validate the `user.name` and
`user.digest` fields included in JSON-based API requests, allowing unauthenticated attackers
to invoke administrative methods and retrieve sensitive information.
**Vulnerability type:** Incorrect Access Control / Improper Authentication
**Impact:** Remote Information Disclosure, Privilege Escalation
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
---
## Affected Devices (Observed)
| Brand | Model | Firmware Version | Platform / Notes |
|----------|--------------|-------------------------|------------------|
| Revotech | I6032W-FHW | V1.0.0014 (2021-05-17) | Jovision-based firmware (FH8852-SW-2053-WU-F3, UI V2.0) |
---
## Proof-of-Concept Disclosure Notice
Reproduction details and raw evidence (PoC requests, PCAPs, and device responses) are withheld
from public disclosure due to the high risk of abuse. Authorized parties (vendors, CERTs, CNAs)
may request additional technical details after verification.
---
## Additional Observations
- The `/cgi-bin/jvsweb.cgi` endpoint accepts JSON-formatted commands without enforcing
authentication checks.
- Administrative API methods such as `account_get_users` can be executed using arbitrary
`user.name` and `user.digest` values.
- Identical administrative responses are returned regardless of credential validity,
demonstrating that authentication is not enforced server-side.
---
## Impact
- Unauthenticated attackers can access administrative API functionality.
- Sensitive user and account information can be disclosed remotely.
- The vulnerability enables privilege escalation without valid credentials.
- The issue may be leveraged as a building block for further device compromise.
---
## Mitigation / Recommendations
1. Enforce strict server-side validation of authentication fields for all API requests.
2. Reject any request with invalid or missing authentication data.
3. Require a verified session before allowing access to administrative API methods.
4. Apply firmware updates provided by the vendor when available.
5. Restrict network access to the device management interface.
6. Monitor and log abnormal or repeated access attempts to `/cgi-bin/jvsweb.cgi`.
---
## References
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-67158)
- [CVE.org Entry](https://vulners.com/cve/CVE-2025-67158)
---
## μμ½
Revotech I6032W-FHW IP μΉ΄λ©λΌ νμ¨μ΄μ `/cgi-bin/jvsweb.cgi` μλν¬μΈνΈμμ
μΈμ¦ κ²μ¦μ΄ μνλμ§ μλ μ·¨μ½μ μ΄ νμΈλμμ΅λλ€.
곡격μλ μμμ `user.name` λ° `user.digest` κ°μ ν¬ν¨ν μμ²λ§μΌλ‘
κ΄λ¦¬μ API λ©μλλ₯Ό νΈμΆν μ μμΌλ©°, μ΄λ₯Ό ν΅ν΄ λ―Όκ°ν μ 보μ μ κ·Όν μ μμ΅λλ€.
**μ·¨μ½μ μ ν:** μ κ·Ό μ μ΄ λΆμΆ©λΆ / μΈμ¦ λΆμ μ
**μν₯:** μ격 μ 보 λ
ΈμΆ, κΆν μμΉ
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
---
## μν₯ λμ μ₯λΉ (νμΈλ μ¬λ‘)
| μ μ‘°μ¬ | λͺ¨λΈλͺ
| νμ¨μ΄ λ²μ | λΉκ³ |
|--------|--------|-------------|------|
| Revotech | I6032W-FHW | V1.0.0014 (2021-05-17) | Jovision-based firmware (FH8852-SW-2053-WU-F3, UI V2.0) |
---
## κ°λ
μ¦λͺ
(μ¬ν μλ£) λΉκ³΅κ° μλ΄
μ¬ν μ μ°¨ λ° μλ³Έ μ¦κ±°(PoC μμ², PCAP, μ₯μΉ μλ΅ λ‘κ·Έ λ±)λ μ
μ© μνμΌλ‘ μΈν΄
곡κ°νμ§ μμ΅λλ€. λ²€λ, CERT, CNA λ± κ³΅μΈ κΈ°κ΄μ κ²μ¦ ν μΆκ° κΈ°μ μ 보λ₯Ό
μμ²ν μ μμ΅λλ€.
---
## μΆκ° κ΄μ°°μ¬ν
- `/cgi-bin/jvsweb.cgi` APIλ ν΄λΌμ΄μΈνΈκ° μ λ¬ν μΈμ¦ μ 보λ₯Ό μ λ’°νκ³
μλ² μΈ‘μμ λ³λμ κ²μ¦μ μννμ§ μμ΅λλ€.
- μΈμ¦ μ¬λΆμ κ΄κ³μμ΄ λμΌν κ΄λ¦¬μ μμ€μ API μλ΅μ΄ λ°νλ©λλ€.
---
## μν₯
- μΈμ¦λμ§ μμ μνμμ μ₯μΉ APIμ λ¬΄λ¨ μ κ·Όμ΄ κ°λ₯ν©λλ€.
- κ΄λ¦¬μ μμ€μ μ 보 λ
ΈμΆλ‘ μΈν΄ μΆκ° 곡격 κ°λ₯μ±μ΄ μ¦κ°ν©λλ€.
- μ·¨μ½μ μ μ격μμ μ¬ν κ°λ₯νλ©° μ¬μ©μ μνΈμμ©μ΄ νμνμ§ μμ΅λλ€.
---
## μν κΆκ³
1. λͺ¨λ API μμ²μ λν΄ μλ² μΈ‘ μΈμ¦ κ²μ¦μ κ°μ νμμμ€.
2. κ΄λ¦¬μ API νΈμΆ μ μ μΈμ
λ° μ격 μ¦λͺ
μ ν¨μ±μ νμΈνμμμ€.
3. κ΄λ¦¬ μΈν°νμ΄μ€μ λν λ€νΈμν¬ μ κ·Όμ μ ννμμμ€.
4. λ²€λμμ μ 곡νλ 보μ μ
λ°μ΄νΈλ₯Ό μ μ©νμμμ€.
5. λΉμ μμ μΈ API μ κ·Ό ν¨ν΄μ λͺ¨λν°λ§νκ³ κΈ°λ‘νμμμ€.
---
## μ°Έκ³
- [NVD λ±λ‘μ 보](https://nvd.nist.gov/vuln/detail/CVE-2025-67158)
- [CVE.org λ±λ‘μ 보](https://vulners.com/cve/CVE-2025-67158)