Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server
Plan Patch · Score: 8.1 · ICS-CERT ICSA-18-282-06 · Oct 9, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
XMeye P2P Cloud Server contains multiple vulnerabilities (CWE-341 predictable from observable state, CWE-912 hidden functionality, CWE-311 missing encryption of sensitive data) in all versions that could allow unauthorized access to video feeds, modification of device settings, firmware replacement, and code execution. The product ships with a default "admin" account and an undocumented "default" account, both with hardcoded credentials.
What this means
What could happen
An attacker could view video surveillance feeds from your facility without authorization and potentially alter device settings or firmware, compromising both physical security monitoring and device integrity. Code execution could allow an attacker to repurpose the hardware or use it as a pivot point into your network.
Who's at risk
These vulnerabilities affect organizations using XMeye P2P Cloud servers for video surveillance and security monitoring in industrial facilities, utilities, and critical infrastructure. All versions of the product are vulnerable, and no patch is available.
How it could be exploited
An attacker who can reach the XMeye server over the network can log in with the default or hardcoded credentials and obtain administrative access. With that access, the attacker can view and extract video feeds, modify configuration settings, upload malicious firmware, and execute arbitrary code on the device.
Prerequisites
- Network access to XMeye P2P Cloud Server
- Knowledge of default account names (admin and 'default')
- Default or weak credentials present on the device
Tags: remotely exploitable · no authentication required (default credentials) · low complexity for the default-credential path · no patch available · affects safety/security systems (surveillance)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
XMeye P2P Cloud Server | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Immediately change the admin account password to a strong, unique password, and change the password of the undocumented 'default' account or disable that account. Because the credentials are hardcoded, the firmware may not let you change them; if it does not, treat the device as permanently exposed to anyone who can reach it and rely on the network controls below.
- HARDENING: Verify the source and cryptographic integrity of all firmware updates before deployment; do not apply an image whose hash or signature you cannot check against a value obtained through a channel other than the update itself.
- HARDENING: Isolate XMeye servers on a segregated network segment with restricted access; do not allow direct internet access or connections from untrusted networks.
- HARDENING: Implement network access controls and firewalls so that only authorized internal systems can connect to the XMeye server.
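The two network hardening items above are only as good as their enforcement, so a practitioner will want a way to confirm them from traffic data. The following is an added example, not code from the advisory or from the vendor: it audits flow records against the segmentation policy (only an allowlist of internal hosts may reach the server, the server must not talk to the internet directly, and the server must not reach other internal systems, which would indicate it is being used as a pivot). The server address 10.20.30.5, the two allowed client addresses, the flow-log line format and the sample records are all constructed assumptions for illustration.

```python
"""Segmentation audit for an XMeye P2P Cloud Server segment.

Added example, not code from the advisory or the vendor. It checks flow records
against the "Do now" policy: only an allowlist of internal hosts may reach the
server, the server must not talk to the internet directly, and it must not
reach other internal systems (a compromised server used as a pivot).
Addresses, ports and log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed topology: XMeye server on an isolated VLAN, two authorized clients
# (a video management workstation and a monitoring host).
XMEYE_SERVER = ipaddress.ip_address("10.20.30.5")
ALLOWED_CLIENTS = frozenset(
    ipaddress.ip_address(a) for a in ("10.0.1.10", "10.0.1.11")
)

# RFC 1918 space counts as "internal"; everything else is treated as internet.
# (ipaddress.is_private also covers documentation ranges, so it is not used.)
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=m["ts"],
        src=ipaddress.ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
        proto=m["proto"],
    )


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a policy violation, or None if the flow is allowed."""
    if flow.dst == XMEYE_SERVER and flow.src not in ALLOWED_CLIENTS:
        return "unauthorized-inbound"        # a host outside the allowlist reached the server
    if flow.src == XMEYE_SERVER:
        if not is_internal(flow.dst):
            return "direct-internet-egress"  # cloud traffic or an attacker call-back
        if flow.dst not in ALLOWED_CLIENTS:
            return "lateral-from-server"     # server reaching other internal systems
    return None


def audit_log(text: str) -> List[Tuple[str, Flow]]:
    """Run classify() over every parsable line; return (label, flow) pairs in order."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow)
        if label is not None:
            findings.append((label, flow))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
2018-10-09T08:00:01Z 10.0.1.10:51234 -> 10.20.30.5:80 tcp
2018-10-09T08:00:05Z 192.168.77.9:40211 -> 10.20.30.5:80 tcp
2018-10-09T08:01:10Z 10.20.30.5:33001 -> 203.0.113.25:443 tcp
2018-10-09T08:01:12Z 10.20.30.5:33002 -> 10.0.1.10:5000 udp
2018-10-09T08:02:00Z 10.20.30.5:33003 -> 10.0.5.40:445 tcp
"""

if __name__ == "__main__":
    for label, flow in audit_log(SAMPLE_LOG):
        print(f"{flow.ts} {label}: {flow.src}:{flow.sport} -> "
              f"{flow.dst}:{flow.dport}/{flow.proto}")
```

Run against the sample, the audit reports three violations: an inbound connection from a host that is not on the allowlist, the server opening a connection to a non-RFC 1918 address, and the server connecting to an internal host that is not an authorized client. The first two correspond directly to the two hardening items; the third is the pivot case described under "What could happen". Feed it real flow exports (NetFlow, firewall logs) by adapting FLOW_RE to your collector's format.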
Mitigations (no patch available)
XMeye P2P Cloud Server (all versions) has reached End of Life and the vendor will not release a patch. Apply the following compensating control:
- HARDENING: Begin planning replacement of XMeye servers with products from vendors who actively maintain security patches.