OTPulse
FeedAboutContact

Xiongmai Technology IP Cameras and DVRs

Act Now9.8ICS-CERT ICSA-17-341-01Dec 7, 2017
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Buffer overflow vulnerability in Xiongmai Technology IP cameras and DVRs using the NetSurveillance Web interface. An unauthenticated, remote attacker can send a crafted request to bypass memory protection and execute arbitrary code on the device. Affects all models and firmware versions. Vendor has not responded to coordination requests and has not released patches.

What this means
What could happen
An unauthenticated attacker can execute arbitrary code on IP cameras or DVRs, potentially disabling surveillance, redirecting video feeds, or using the devices as a pivot point into your network.
Who's at risk
Water utilities and power systems that rely on IP-based camera systems or DVRs for facility monitoring and security. Any organization using Xiongmai-branded surveillance equipment (including OEM variants like some Hikvision products) should inventory these devices and assess whether they are exposed to untrusted networks.
How it could be exploited
An attacker on the network sends a specially crafted request to the NetSurveillance Web interface (default port 80/443) without requiring credentials. The vulnerability in the web application allows the attacker to bypass memory protection and execute code directly on the device.
Prerequisites
  • Network access to the IP camera or DVR on port 80 or 443
  • Device is exposed to an untrusted network or reachable from an attacker's location
remotely exploitableno authentication requiredlow complexityno patch availablehigh EPSS score (19.1%)
Exploitability
High exploit probability (EPSS 19.1%)
Affected products (1)
ProductAffected VersionsFix Status
IP Cameras and DVRs using the NetSurveillance Web interface: All ModelsAll versionsNo fix (EOL)
Remediation & Mitigation
0/3
Do now
0/2
HARDENINGIsolate IP cameras and DVRs on a dedicated, monitored network segment with firewall rules that block all inbound internet access and restrict access from only authorized workstations
HARDENINGDisable or restrict remote web access to the NetSurveillance interface; allow only local network access from known engineering workstations
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDContact Xiongmai Technology to request security updates; if the vendor does not respond, plan to replace affected devices with current, supported models from vendors who actively maintain security patches
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/3f1e0783-ee9f-4911-a4c1-42cbb9146d3c