Share
## https://sploitus.com/exploit?id=D33A9788-B3A4-5DF0-900D-097388393366
# CVE-2025-67158 β€” Revotech I6032W-FHW

## Summary
The Revotech I6032W-FHW IP camera firmware contains an **authentication bypass vulnerability**
in the `/cgi-bin/jvsweb.cgi` endpoint. The device does not validate the `user.name` and
`user.digest` fields included in JSON-based API requests, allowing unauthenticated attackers
to invoke administrative methods and retrieve sensitive information.

**Vulnerability type:** Incorrect Access Control / Improper Authentication  
**Impact:** Remote Information Disclosure, Privilege Escalation  
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

---

## Affected Devices (Observed)
| Brand    | Model        | Firmware Version        | Platform / Notes |
|----------|--------------|-------------------------|------------------|
| Revotech | I6032W-FHW   | V1.0.0014 (2021-05-17)  | Jovision-based firmware (FH8852-SW-2053-WU-F3, UI V2.0) |

---

## Proof-of-Concept Disclosure Notice
Reproduction details and raw evidence (PoC requests, PCAPs, and device responses) are withheld
from public disclosure due to the high risk of abuse. Authorized parties (vendors, CERTs, CNAs)
may request additional technical details after verification.

---

## Additional Observations
- The `/cgi-bin/jvsweb.cgi` endpoint accepts JSON-formatted commands without enforcing
  authentication checks.  
- Administrative API methods such as `account_get_users` can be executed using arbitrary
  `user.name` and `user.digest` values.  
- Identical administrative responses are returned regardless of credential validity,
  demonstrating that authentication is not enforced server-side.

---

## Impact
- Unauthenticated attackers can access administrative API functionality.  
- Sensitive user and account information can be disclosed remotely.  
- The vulnerability enables privilege escalation without valid credentials.  
- The issue may be leveraged as a building block for further device compromise.

---

## Mitigation / Recommendations
1. Enforce strict server-side validation of authentication fields for all API requests.  
2. Reject any request with invalid or missing authentication data.  
3. Require a verified session before allowing access to administrative API methods.  
4. Apply firmware updates provided by the vendor when available.  
5. Restrict network access to the device management interface.  
6. Monitor and log abnormal or repeated access attempts to `/cgi-bin/jvsweb.cgi`.

---

## References
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-67158)
- [CVE.org Entry](https://vulners.com/cve/CVE-2025-67158)

---

## μš”μ•½
Revotech I6032W-FHW IP 카메라 νŽŒμ›¨μ–΄μ˜ `/cgi-bin/jvsweb.cgi` μ—”λ“œν¬μΈνŠΈμ—μ„œ
인증 검증이 μˆ˜ν–‰λ˜μ§€ μ•ŠλŠ” 취약점이 ν™•μΈλ˜μ—ˆμŠ΅λ‹ˆλ‹€.  
κ³΅κ²©μžλŠ” μž„μ˜μ˜ `user.name` 및 `user.digest` 값을 ν¬ν•¨ν•œ μš”μ²­λ§ŒμœΌλ‘œ
κ΄€λ¦¬μž API λ©”μ„œλ“œλ₯Ό ν˜ΈμΆœν•  수 있으며, 이λ₯Ό 톡해 λ―Όκ°ν•œ 정보에 μ ‘κ·Όν•  수 μžˆμŠ΅λ‹ˆλ‹€.

**취약점 μœ ν˜•:** μ ‘κ·Ό μ œμ–΄ λΆˆμΆ©λΆ„ / 인증 λΆ€μ μ ˆ  
**영ν–₯:** 원격 정보 λ…ΈμΆœ, κΆŒν•œ μƒμŠΉ  
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

---

## 영ν–₯ λŒ€μƒ μž₯λΉ„ (ν™•μΈλœ 사둀)
| μ œμ‘°μ‚¬ | λͺ¨λΈλͺ… | νŽŒμ›¨μ–΄ 버전 | λΉ„κ³  |
|--------|--------|-------------|------|
| Revotech | I6032W-FHW   | V1.0.0014 (2021-05-17)  | Jovision-based firmware (FH8852-SW-2053-WU-F3, UI V2.0) |

---

## κ°œλ… 증λͺ…(μž¬ν˜„ 자료) λΉ„κ³΅κ°œ μ•ˆλ‚΄
μž¬ν˜„ 절차 및 원본 증거(PoC μš”μ²­, PCAP, μž₯치 응닡 둜그 λ“±)λŠ” μ•…μš© μœ„ν—˜μœΌλ‘œ 인해
κ³΅κ°œν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€. 벀더, CERT, CNA λ“± 곡인 기관은 검증 ν›„ μΆ”κ°€ 기술 정보λ₯Ό
μš”μ²­ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

---

## μΆ”κ°€ 관찰사항
- `/cgi-bin/jvsweb.cgi` APIλŠ” ν΄λΌμ΄μ–ΈνŠΈκ°€ μ „λ‹¬ν•œ 인증 정보λ₯Ό μ‹ λ’°ν•˜κ³ 
  μ„œλ²„ μΈ‘μ—μ„œ λ³„λ„μ˜ 검증을 μˆ˜ν–‰ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.  
- 인증 여뢀와 관계없이 λ™μΌν•œ κ΄€λ¦¬μž μˆ˜μ€€μ˜ API 응닡이 λ°˜ν™˜λ©λ‹ˆλ‹€.

---

## 영ν–₯
- μΈμ¦λ˜μ§€ μ•Šμ€ μƒνƒœμ—μ„œ μž₯치 API에 무단 접근이 κ°€λŠ₯ν•©λ‹ˆλ‹€.  
- κ΄€λ¦¬μž μˆ˜μ€€μ˜ 정보 λ…ΈμΆœλ‘œ 인해 μΆ”κ°€ 곡격 κ°€λŠ₯성이 μ¦κ°€ν•©λ‹ˆλ‹€.  
- 취약점은 μ›κ²©μ—μ„œ μž¬ν˜„ κ°€λŠ₯ν•˜λ©° μ‚¬μš©μž μƒν˜Έμž‘μš©μ΄ ν•„μš”ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

---

## μ™„ν™” ꢌ고
1. λͺ¨λ“  API μš”μ²­μ— λŒ€ν•΄ μ„œλ²„ μΈ‘ 인증 검증을 κ°•μ œν•˜μ‹­μ‹œμ˜€.  
2. κ΄€λ¦¬μž API 호좜 전에 μ„Έμ…˜ 및 자격 증λͺ… μœ νš¨μ„±μ„ ν™•μΈν•˜μ‹­μ‹œμ˜€.  
3. 관리 μΈν„°νŽ˜μ΄μŠ€μ— λŒ€ν•œ λ„€νŠΈμ›Œν¬ 접근을 μ œν•œν•˜μ‹­μ‹œμ˜€.  
4. λ²€λ”μ—μ„œ μ œκ³΅ν•˜λŠ” λ³΄μ•ˆ μ—…λ°μ΄νŠΈλ₯Ό μ μš©ν•˜μ‹­μ‹œμ˜€.  
5. 비정상적인 API μ ‘κ·Ό νŒ¨ν„΄μ„ λͺ¨λ‹ˆν„°λ§ν•˜κ³  κΈ°λ‘ν•˜μ‹­μ‹œμ˜€.

---

## μ°Έκ³ 
- [NVD 등둝정보](https://nvd.nist.gov/vuln/detail/CVE-2025-67158)
- [CVE.org 등둝정보](https://vulners.com/cve/CVE-2025-67158)