Zavio IP Camera
Act Now | 9.8 | ICS-CERT ICSA-23-304-03 | Oct 31, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Zavio IP cameras running firmware M2.1.6.05 contain stack buffer overflow and command injection vulnerabilities (CWE-121, CWE-78) that allow unauthenticated remote code execution. Affected models are CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321, CF7500, CF7300, and CF7201. The vendor is no longer in business and has not released patches. CISA recommends discontinuing use of these products and implementing network isolation as a compensating control.
What this means
What could happen
An attacker with network access to a Zavio camera could execute arbitrary code on the device, potentially compromising video feeds, accessing recorded footage, or using the camera as a pivot point into your network.
Who's at risk
Organizations operating Zavio IP cameras should be concerned. This affects facility managers and security teams at utilities, water authorities, and municipal facilities that use older Zavio surveillance equipment for site monitoring and access control.
How it could be exploited
An attacker on the network sends a specially crafted network request to the camera's management interface. The vulnerability in the firmware allows the request to bypass security checks and execute commands directly on the camera's processor without requiring authentication.
Prerequisites
- Network access to the camera (typically TCP port 80 or 443)
- The camera must be running firmware version M2.1.6.05
- No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, end-of-life product
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (11)
11 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| CF7501: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
| CB3211: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
| CB3212: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
| CB5220: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
| CB6231: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
| B8520: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
| B8220: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
| CF7500: M2.1.6.05 | M2.1.6.05 | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: Isolate all Zavio cameras from direct internet access and place them on a segregated network segment behind a firewall
HARDENING: Restrict network access to the cameras to only authorized management workstations using firewall rules limiting traffic to required IP addresses and ports
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Discontinue use of affected Zavio camera models (CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321, CF7500, CF7300, CF7201) and replace with cameras from a vendor that actively maintains security patches
HARDENING: If remote access to cameras is required, route all traffic through a VPN and restrict VPN access to specific users with multi-factor authentication
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CF7501: M2.1.6.05, CB3211: M2.1.6.05, CB3212: M2.1.6.05, CB5220: M2.1.6.05, CB6231: M2.1.6.05, B8520: M2.1.6.05, B8220: M2.1.6.05, CF7500: M2.1.6.05, CF7300: M2.1.6.05, CF7201: M2.1.6.05, CD321: M2.1.6.05. Apply the following compensating controls:
HARDENING: Monitor camera connections for suspicious activity and establish procedures to report any suspected exploitation attempts to CISA
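Example (added here, not part of the advisory or any vendor tooling): a small audit of firewall flow records against the isolation and access-restriction controls above, flagging traffic that reaches the camera segment from anything other than a management workstation and any connection a camera initiates outward. The subnet, management addresses, log format and sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed site policy (hypothetical values; replace with your own addressing).
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")   # segregated camera segment
MGMT_HOSTS = {ipaddress.ip_address(h) for h in ("10.20.1.10", "10.20.1.11")}
ALLOWED_PORTS = {80, 443}                            # ports listed under Prerequisites

# Constructed sample records: "timestamp src dst dst_port action", one per
# connection initiation. Real firewall exports will need their own parsing.
SAMPLE_FLOWS = """\
2023-11-01T08:00:01Z 10.20.1.10 10.20.30.15 443 ALLOW
2023-11-01T08:03:12Z 10.20.5.77 10.20.30.15 80 ALLOW
2023-11-01T08:04:40Z 10.20.1.11 10.20.30.16 23 ALLOW
2023-11-01T08:05:02Z 10.20.30.15 203.0.113.50 4444 ALLOW
2023-11-01T08:06:30Z 198.51.100.9 10.20.30.17 80 DENY
2023-11-01T08:07:00Z 10.20.30.15 10.20.30.16 554 ALLOW
garbage line
"""

def audit_flows(text):
    """Return (line_number, finding) pairs for flows that violate the policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            _ts, src, dst, port, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            # Wrong field count, bad address or bad port: surface it, never skip it.
            findings.append((lineno, "unparseable"))
            continue
        to_cam, from_cam = dst in CAMERA_NET, src in CAMERA_NET
        if to_cam and not from_cam:
            if action == "DENY":
                findings.append((lineno, "blocked-attempt"))              # rule held
            elif src not in MGMT_HOSTS:
                findings.append((lineno, "unauthorized-source-allowed"))  # rule gap
            elif port not in ALLOWED_PORTS:
                findings.append((lineno, "unexpected-port"))
        elif from_cam and not to_cam and dst not in MGMT_HOSTS:
            # A camera opening connections outward is not expected behaviour.
            findings.append((lineno, "camera-outbound"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {finding}")
```

An "unauthorized-source-allowed" finding means the firewall rule set does not yet enforce the restriction; "camera-outbound" is the case to escalate first, since the advisory notes a compromised camera can serve as a pivot point.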