Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits
By: IPVM Team, Published on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly.
We have summarized exploits by date and by manufacturer, providing a brief description of the exploit along with affected product(s) and firmware version(s), when known.
Historical List Of Exploits
This list contains a summary of known exploits in reverse chronological order. Additional details are provided in a section for each manufacturer below. Manufacturers with an asterisk (*) next to their name indicate products that were OEM'd under multiple brand names beyond the original manufacturer listed.
- August 2019 - Dahua Wiretapping Vulnerability - Allows unauthorized access to the audio stream on affected cameras
- May 2019 - LifeSafety Power NetLink Vulnerabilities - Allows unauthorized access to clear text passwords and more in firmware for devices used to control and monitor access control power.
- December 2018 - Bosch VDOO 2018 Vulnerability - A critical vulnerability that is difficult to discover and requires sophisticated hacking skills to exploit.
- August 2018 - Hikvision IP Camera Critical Vulnerability - Exploiting the vulnerability allows an attacker to either take over the device or crash the camera.
- July 2018 - Sony Talos 2018 Vulnerabilities - Allows commands to be executed without admin credentials; however, the attacker needs to know what commands to execute, so it is more complex than some other, simpler vulnerabilities.
- June 2018 - Axis VDOO 2018 Vulnerabilities - Results in root access; however, the attack process is very complex, requires multiple steps and requires advanced Linux knowledge and hacking skills.
- April 2018 - TBK (and OEMs) Vulnerability Provides Clear Text Credentials - a curl / http command provides the admin credentials of affected DVRs in plain text.
- April 2018 - Hikvision Critical Cloud Vulnerability - just knowing the registered email/phone number can get admin access. Note this was resolved before the date of disclosure.
- April 2018 - TVT Backdoor, Hardcoded authentication to download remote system configuration - including login and password in clear text
- January 2018 - Geovision 15 Backdoors and Vulnerabilities, including remote root access and clear text credentials
- December 2017 - Axis - Vulnerabilities linked to DHCP and UPnP libraries in BusyBox, and information disclosure vulnerabilities in CGI executables
- November 2017 - Hikvision Wifi cameras have hard-coded SSID, allows for rogue access point attack (7)
- November 2017 - Vivotek remote stack overflow vulnerability (3)
- November 2017 - Dahua Hard-coded backdoor credentials in camera and NVR firmware (6)
- October 2017 - Uniview recorders vulnerable to admin password retrieval backdoor
- August 2017 - Hikvision Tools allows admin password reset in older firmware (6)
- August 2017 - Hikvision iVMS-4200 stores passwords with reversible encryption (5)
- August 2017 - NeoCoolCam - iDoorbell product buffer overflow vulnerabilities allow various exploits
- July 2017 - Dahua - Buffer overflow vulnerability in password field (5)
- July 2017 - Vivotek - CGI script exploits (2)
- July 2017 - Axis - Buffer overflow vulnerability in 3rd party software toolkit used for ONVIF (3)
- June 2017 - FLIR - Vulnerabilities allow remote code execution, unauthenticated viewing of live images, and reveal hard-coded accounts
- June 2017 - Persirai botnet attacks various consumer/SMB-oriented cameras.
- May 2017 - Hanwha - User can exploit cached data from a previous session to gain access to certain recorders
- March 2017 - Hikvision - Backdoor allows unauthorized access to admin interface (4)
- March 2017 - Axis - Multiple vulnerabilities related to CSRF attacks (2)
- March 2017 - Dahua - Backdoor allows attacker to read user/password list (4)
- March 2017 - Ubiquiti - Command injection vulnerability
- February 2017 - Geutebrück - Authentication bypass.
- February 2017 - Dahua - Multiple vulnerabilities in DHI-HCVR7216A-S3 recorders (3)
- December 2016 - Sony - Attackers can remotely enable telnet on cameras.
- December 2016 - Hikvision - hik-online.com servers susceptible to XXE exploit. (3)
- November 2016 - Milesight - Cameras have a number of vulnerabilities that allow remote exploit.
- November 2016 - Siemens - Remote privilege escalation possible via exploiting web interface.
- October 2016 - NUUO - Insecure default credentials. (2)
- October 2016 - Dahua*, XiongMai - Mirai botnet. (2)
- September 2016 - AVer - EH6108H+ DVR Multiple vulnerabilities
- August 2016 - NUUO - Remote root exploit and remote command injection vulnerability. (1)
- July 2016 - Axis - Remote root exploit. (1)
- July 2016 - Pelco - Digital Sentry hard coded username/password backdoor.
- March 2016 - TVT* - Remote code execution.
- March 2016 - HID - Command injection vulnerability allows attacker full control of device.
- February 2016 - Unknown DVR OEM - Authentication bypass, other issues.
- August 2015 - Dedicated Micros - Devices have no default password, allowing full access.
- June 2015 - Avigilon - ACC - Allows attackers to read arbitrary files.
- October 2014 - Bosch - 630/650/670 Recorders - Multiple exploits allow an attacker to get root console and also retrieve config data.
- September 2014 - Hikvision - 7200 series NVRs - Buffer overflow to gain root access. (2)
- November 2013 - Dahua* - DVRs/NVRs - Execute admin commands without authentication (1)
- November 2013 - Vivotek - RTSP stream authentication can be bypassed. (1)
- August 2013 - Hikvision - IP Cameras - Remote root exploit. (1)
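One way to put a directory like this to use is to check a device inventory against the affected firmware ranges it records. The script below is an added example written for this page, not IPVM's own tooling: it encodes a handful of the ranges stated in the list above (Axis 5.20.x to 6.2.x, Pelco Digital Sentry before 7.13.84, Sony Gen 5 and Gen 6 before 1.86.00 and 2.7.2, NUUO before 3.0.8, Ubiquiti AirOS before 8.0.1, Bosch DVR 630/650/670 at 2.12 and older) as rules, and flags inventory rows whose firmware falls inside one. The inventory rows are constructed, and reading "6.2.x" as "everything below 6.3" and "2.12 and possibly older" as "everything below 2.13" are this example's assumptions, not statements from the advisories.

```python
"""Flag inventory entries whose firmware falls inside a reported affected range."""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Reduce a firmware string to a tuple of ints: '7.13.84' -> (7, 13, 84), 'v5.20.1' -> (5, 20, 1).
    Vendor build suffixes such as 'b130111' become extra components, so compare like with like."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return nums


def version_lt(a: tuple, b: tuple) -> bool:
    """Numeric, zero-padded comparison so that 2.7 < 2.7.2 and 6.2.9 < 6.3."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass(frozen=True)
class Rule:
    vendor: str                    # matched case-insensitively on the inventory vendor field
    product: str                   # substring matched case-insensitively on the model ('' = any)
    first_affected: Optional[str]  # inclusive lower bound; None = all earlier releases
    first_fixed: str               # exclusive upper bound: this version and later are not flagged
    ref: str                       # directory entry the rule was derived from


# Ranges as stated in the directory above. "6.2.x" is read here as "below 6.3" and
# "2.12 and possibly older" as "below 2.13": both are this example's interpretation.
RULES = [
    Rule("Axis", "", "5.20", "6.3", "Axis (1) remote root, firmware 5.20.x to 6.2.x"),
    Rule("Pelco", "Digital Sentry", None, "7.13.84", "Pelco Digital Sentry hard-coded admin account"),
    Rule("Sony", "Gen 5", None, "1.86.00", "Sony Gen 5 remote telnet enable"),
    Rule("Sony", "Gen 6", None, "2.7.2", "Sony Gen 6 remote telnet enable"),
    Rule("NUUO", "NVRmini", None, "3.0.8", "NUUO (1) remote root / remote code execution"),
    Rule("Ubiquiti", "", None, "8.0.1", "Ubiquiti AirOS command injection"),
    Rule("Bosch", "DVR 6", None, "2.13", "Bosch DVR 630/650/670 telnet root console"),
]


def matching_rules(vendor: str, model: str, firmware: str, rules=RULES):
    """Return the rules whose vendor/product match and whose version range contains `firmware`."""
    fw = parse_version(firmware)
    hits = []
    for r in rules:
        if r.vendor.lower() != vendor.lower():
            continue
        if r.product and r.product.lower() not in model.lower():
            continue
        if r.first_affected and version_lt(fw, parse_version(r.first_affected)):
            continue  # older than the first affected release
        if not version_lt(fw, parse_version(r.first_fixed)):
            continue  # at or past the first fixed release
        hits.append(r)
    return hits


def audit(inventory, rules=RULES):
    """inventory: iterable of (host, vendor, model, firmware). Returns (host, rule.ref) findings."""
    findings = []
    for host, vendor, model, firmware in inventory:
        for r in matching_rules(vendor, model, firmware, rules):
            findings.append((host, r.ref))
    return findings


# Constructed inventory for illustration, not real devices.
INVENTORY = [
    ("cam-lobby", "Axis", "M3006", "5.50.1"),
    ("cam-dock", "Axis", "P1425", "6.50.1"),
    ("dvr-hq", "Pelco", "Digital Sentry", "7.12.0"),
    ("cam-yard", "Sony", "SNC Gen 5", "1.80.00"),
    ("nvr-site2", "NUUO", "NVRmini2", "2.9.0"),
    ("link-roof", "Ubiquiti", "NanoStation", "8.0.1"),
]

if __name__ == "__main__":
    for host, ref in audit(INVENTORY):
        print(f"{host}: {ref}")
```

The version comparison is deliberately numeric and zero-padded, so a vendor's "2.7" is treated as older than the "2.7.2" fix; firmware strings with letter-coded builds (such as Vivotek's 0105a/0301c) do not fit this scheme and would need a vendor-specific parser before being added as rules.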
Exploits For Specific Companies
AVer
Firmware version X9.03.24.00.07l, and possibly earlier versions, contains multiple vulnerabilities including hard-coded admin-level accounts and authentication bypass exploits. Additional details in the CERT report.
Avigilon
ACC versions prior to 126.96.36.199 and prior to 188.8.131.52 allowed arbitrary files to be retrieved through specially crafted URLs, giving anyone with remote access to the server the ability to read files at will without authentication, which makes this a critical vulnerability. Additional details are in the CVE report for this vulnerability.
Axis
(4) Axis announced patches for vulnerabilities common to DHCP and UPnP code in BusyBox Linux, and also for information disclosure vulnerabilities in CGI executables. Additional details in Axis 5 Vulnerabilities Examined.
(3) A buffer overflow in a third-party toolkit used for ONVIF support in Axis and other brands was discovered. While it has the potential to impact multiple products, proof-of-concept code was only developed/shown for Axis products.
(2) A Google researcher identified multiple vulnerabilities in Axis cameras. The vulnerabilities are relatively low risk and are primarily patched in newer firmware, but could disable or alter camera functionality if successfully used.
(1) Products with firmware versions 5.20.x to 6.2.x had a vulnerability that allowed an attacker to gain access to a root console on the device, giving them full control of it. Attackers did not need to know usernames/passwords or other information about the product in order to exploit it, making this an extremely severe vulnerability. Axis issued a press release on this exploit, and IPVM covered the Axis exploit as well.
Bosch
DVR 630/650/670 units with firmware version 2.12, and possibly older versions, are vulnerable to exploits where attackers send specially crafted URLs to the device to enable telnet access, which provides a root console that does not require authentication. No special software is required to carry out this attack. Vulnerability details and proof-of-concept examples are listed in ExploitDB under ID 34956.
Dahua
(6) Hard-coded credentials were found in firmware for cameras and NVRs, allowing for rogue firmware uploads. Additional detail: Dahua Hard Coded Credentials Vulnerability.
(5) A buffer overflow vulnerability was discovered in Dahua cameras where an excessively long password string can be entered, triggering an overflow. Additional coverage: Dahua Suffers Second Major Vulnerability, Silent.
(4) Dahua cameras and DVRs/NVRs expose a config file containing username/password information to unauthenticated HTTP requests. Additional coverage: Dahua Backdoor Uncovered.
(3) Vulnerabilities found in Dahua's DHI-HCVR7216A-S3 recorder include cleartext passwords, automatic admin login that allows data sniffing, admin password bypass, and unencrypted communications that allow man-in-the-middle attacks.
(2) Dahua camera and NVR firmware prior to January 2015 shipped with telnet enabled, which, coupled with well-known admin credentials, allowed attackers to gain access to a root shell and exploit the device. The most widespread exploit was the Mirai botnet, which took down internet sites and service providers in October 2016. Products OEM'd from Dahua, sold under multiple brands including FLIR and Honeywell, were also affected.
(1) Recorders with firmware 2.608 could be exploited to accept certain admin commands without authentication, allowing an attacker to retrieve configuration information from the device or change user passwords. ExploitDB contains additional details under ID 29673.
Dedicated Micros
Dedicated Micros DVRs, including at least the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, ship with no default credentials and with insecure protocols enabled. This can allow attackers to take over the device and/or to sniff network traffic during setup. Additional details in VU 276148.
FLIR
Multiple vulnerabilities, for which no firmware fix was available at the time of disclosure, including the ability to view live images without authentication, remote code execution, and hard-coded accounts, are outlined in the Beyond Security disclosure. Additional details and analysis in: FLIR Thermal Camera Multiple Vulnerabilities, Patch Released.
Geovision
In firmware older than December 2017, root access can be gained with either a curl command from the CLI or an HTTP request from a browser; the request is a simple copy/paste with the target camera's IP address substituted in. There are 15 separate vulnerabilities, ranging from capturing a screenshot to printing the camera credentials in clear text. IPVM covered this here.
Geutebrück
In the G-Cam/EFD-2250 with firmware version 184.108.40.206, an authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass access control, which may allow remote code execution. Details in the ICS-CERT advisory.
Hanwha
SRN-4000, SRN-1673S, SRN-873S, and SRN-473S recorders have a vulnerability in some firmware versions where a user who was previously logged into an affected device can use cached data/files to regain access to the same recorder's management interface, bypassing the standard authentication screen. Additional detail in the ICS-CERT release and Hanwha Vulnerability Analysis report.
HID
VertX and EDGE systems with firmware prior to March 2016 are susceptible to a command injection exploit, where an attacker can cause the controllers to lock or unlock doors without authentication, as well as perform a number of other functions on the controller. This vulnerability was detailed on Trend Micro's blog; technical details can be found in this GitHub repository.
Hikvision
(7) Some Hikvision Wi-Fi cameras attempt to connect to the SSID "davinci" by default, allowing an attacker to set up a rogue access point with this SSID to gain access to the camera for further exploitation.
(4) A potential vulnerability was first reported in March 2017, and then verified in a US Department of Homeland Security release. Attackers can bypass authentication measures to get access to admin-level features in the web interface of affected Hikvision cameras.
(3) A security researcher found hik-online.com servers vulnerable to an XML External Entity (XXE) exploit. This vulnerability allowed the researcher to retrieve arbitrary files from the server, exposing users to the risk of having the public IP/port of their registered devices exposed. Further coverage available in our Hikvision cloud server vulnerability report.
(2) NVRs with firmware 2.2.10, and possibly other versions, contain a vulnerability that allows for a buffer overflow attack, enabling attackers to gain control of the device. This vulnerability was examined and described by research firm Rapid7.
(1) Hikvision IP cameras with firmware v4.1.0 b130111, and possibly other versions, can be attacked to gain access to the admin account, to bypass authentication entirely using hard-coded credentials, or to execute arbitrary code through a buffer overflow attack. Core Security issued a report detailing these exploits.
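For the hard-coded SSID in note (7), a wireless capture gives two useful signals: a camera sending probe requests for "davinci" shows an exposed device on site, and a beacon or probe response advertising "davinci" shows a possible rogue access point. The parser below is an added example for this page, not Hikvision's or IPVM's code. The 802.11 management frames it inspects are constructed inline rather than captured, the MAC addresses are made up, and the watchlist holds only the SSID named in the note above.

```python
"""Detect clients probing for, or APs advertising, a known hard-coded camera SSID."""

MGMT = 0                                # 802.11 frame type: management
PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8 # management subtypes we inspect
SSID_IE = 0                             # element ID of the SSID information element
WATCHLIST = {"davinci"}                 # SSID reported as hard-coded in note (7) above
# Offset of the tagged-parameter list inside the frame body, per subtype:
# beacons and probe responses carry 12 fixed bytes (timestamp, interval, capability) first.
TAGGED_OFFSET = {PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
BCAST = b"\xff" * 6


def build_mgmt_frame(subtype: int, src_mac: bytes, ssid: str) -> bytes:
    """Build a minimal 802.11 management frame. Constructed test data, not a capture."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])     # frame control: version 0, type, subtype
    header = fc + b"\x00\x00" + BCAST + src_mac + src_mac + b"\x00\x00"  # 24-byte header
    fixed = b"\x00" * TAGGED_OFFSET[subtype]               # zeroed fixed fields where required
    ssid_b = ssid.encode()
    ies = bytes([SSID_IE, len(ssid_b)]) + ssid_b           # SSID information element
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # Supported Rates element (1, 2, 5.5, 11 Mbps)
    return header + fixed + ies


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, src_mac, ssid) for a probe request/response or beacon carrying an SSID,
    or None for other frame types, frames without an SSID element, or malformed frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT:
        return None
    subtype = fc0 >> 4
    if subtype not in TAGGED_OFFSET:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])        # address 2 = transmitter
    body = frame[24 + TAGGED_OFFSET[subtype]:]
    i = 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + elen]
        if len(val) != elen:
            return None  # truncated element: treat as malformed rather than guess
        if eid == SSID_IE:
            return subtype, src, val.decode("utf-8", errors="replace")
        i += 2 + elen
    return None


def audit_frames(frames, watchlist=WATCHLIST):
    """Classify frames into findings; each finding is (kind, transmitter_mac, ssid)."""
    findings = []
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, src, ssid = parsed
        if ssid not in watchlist:
            continue
        kind = "client_probing_hardcoded_ssid" if subtype == PROBE_REQ else "ap_advertising_hardcoded_ssid"
        findings.append((kind, src, ssid))
    return findings


# Constructed sample frames: an exposed camera, an unrelated laptop, a rogue AP, and junk.
SAMPLE_FRAMES = [
    build_mgmt_frame(PROBE_REQ, bytes.fromhex("020000000001"), "davinci"),
    build_mgmt_frame(PROBE_REQ, bytes.fromhex("020000000002"), "CorpWiFi"),
    build_mgmt_frame(BEACON, bytes.fromhex("020000000003"), "davinci"),
    b"\x40\x00\x00",
]

if __name__ == "__main__":
    for kind, mac, ssid in audit_frames(SAMPLE_FRAMES):
        print(f"{kind}: {mac} ({ssid})")
```

Fed with frames from a monitor-mode capture (for example, the raw 802.11 payloads from a pcap with the radiotap header stripped), the first finding type gives an inventory of cameras that still carry the hard-coded SSID, and the second is the alert that someone has stood up an access point to catch them.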
Milesight
Milesight camera firmware prior to ~November 2016 may contain a number of vulnerabilities, including hard-coded credentials and the ability to execute admin commands via unauthenticated CGI calls, making the cameras highly vulnerable to attack.
NeoCoolCam
The HTTP and RTSP services are vulnerable to multiple forms of buffer overflow attack. Devices use UPnP to open ports in the firewall, leaving them exposed by default in many installs. ~170K units impacted. Full details in the Bitdefender whitepaper on the NeoCoolCam vulnerability.
NUUO
(2) NUUO NT-4040 Titan firmware version NT-4040_01.07.0000.0015_1120 contains default credentials of admin:admin and localdisplay:111111. A remote network attacker can gain privileged access to a vulnerable device. Further information can be found in the CERT vulnerability listing for this issue.
(1) Multiple devices, including the NVRmini, NVRmini2, Crystal, Titan and NVRSolo, with firmware prior to 3.0.8 have multiple vulnerabilities that allow remote code execution, remote root exploit, remote file deletion, and other attacks. Exploits are listed on ExploitDB under multiple IDs, including: 40200, 40209, 40210, 40211, 40212, 40213, 40214, 40215. Each of these represents a critical vulnerability that is easy for an attacker to execute against the device.
Unknown DVR OEM
An unknown manufacturer of DVRs sold under various brands has firmware with multiple exploits, including the ability to bypass authentication and get telnet access. Details can be found on the researcher's blog.
Pelco
Digital Sentry products running firmware prior to 7.13.84 contained a hard-coded admin account that could be used by a remote attacker to take full control of the device. IPVM covered this vulnerability when it was made public, and CERT also has additional details.
Sony
Attackers can remotely enable telnet on Gen 5 and Gen 6 cameras with firmware prior to 1.86.00 and 2.7.2 respectively, potentially enabling them to log in as root. Additional details in our coverage of this exploit.
Siemens
Specially crafted URLs allow an attacker to gain admin-level privileges on affected cameras. A list of affected cameras and the recommended firmware versions to resolve this issue are provided by Siemens.
TVT
Specially crafted URLs can be used to cause recorders manufactured by TVT to execute arbitrary commands. At least 79 distinct brands OEM'd these units, including well-known brands like ADI and Q-See. Rotem Kerner documented the exploit on his site, and also provided IPVM with additional details on how he crafted the exploit.
Ubiquiti
A command injection vulnerability was reported in firmware prior to AirOS 8.0.1. The risk of exploitation is relatively low, but if properly executed it could open severe holes in the network, such as reverse shells.
Uniview
The admin password hash can be retrieved from Uniview recorders and then used to log in as admin, allowing full access. Details covered in Uniview Recorder Backdoor Examined.
Vivotek
(3) Potential for a stack overflow, likely resulting in denial of service, via malformed URL calls. Details in Vivotek Remote Stack Overflow Vulnerability.
(2) CGI scripts on Vivotek cameras can be used to access files and run commands as root. Additional coverage: Wrongly Accused Critical Vulnerability for Vivotek.
(1) Firmware 0105a, 0105b, and possibly other versions, are susceptible to having RTSP authentication bypassed, allowing video streams to be viewed without authentication. Firmware after 0301c should not be affected. Additional information from Core Security: Vivotek RTSP auth bypass.
Xiongmai
Xiongmai firmware prior to January 2015 shipped with telnet enabled, which, coupled with well-known admin credentials, allowed attackers to gain access to a root shell and exploit the device. The most widespread exploit was the Mirai botnet, which targeted Dahua and Xiongmai devices and took down internet sites and service providers in October 2016. Because Xiongmai is primarily an OEM component supplier, many affected products were sold under alternate brands.