OTPulse

Authenticated Remote Code Execution affects Mobotix P3 and Mx6 cameras

Plan Patch | 8.8 | ICS-CERT ICSA-24-235-03 | Aug 22, 2024
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A command injection vulnerability in Mobotix P3 and Mx6 IP cameras allows an authenticated attacker to execute arbitrary system commands with elevated privileges. The root cause is an input validation flaw: user-supplied data is passed unsanitized to a system command handler. Affected P3 firmware versions include MX-V4.1.4.11 through MX-V4.1.6.25 and later versions before MX-V4.7.2.18. Affected Mx6 firmware versions include MX-V5.0.0.127 through MX-V5.0.0.133 and later versions before MX-V5.2.0.61. An attacker who obtains valid credentials can use this vulnerability to take full control of the camera and potentially pivot into adjacent network systems.

What this means
What could happen
An attacker with valid camera credentials could run arbitrary commands with system privileges on affected Mobotix P3 and Mx6 IP cameras, potentially taking control of surveillance infrastructure or using compromised cameras as a pivot point to attack other network systems.
Who's at risk
Water utilities and municipal electric companies using Mobotix P3 or Mx6 IP cameras for facility surveillance and perimeter monitoring should assess their deployment. This includes security operations centers, substation monitoring, treatment plant surveillance, and any environment where cameras are networked to a control system LAN or accessible from engineering workstations.
How it could be exploited
An attacker with valid engineering or administrator credentials authenticates to the camera's web interface or management API, then injects a malicious command through an input field that lacks proper sanitization. The camera executes this command with system-level privileges, allowing the attacker to install malware, modify camera behavior, disable logging, or access the network.
Prerequisites
  • Valid credentials (engineering or administrator account) for camera login
  • Network access to the camera's web interface or API (typically TCP port 443 or 80)
  • Camera must be accessible from the attacker's network segment
  • Remotely exploitable
  • Requires valid credentials (reduces immediate risk but widens attack surface if credentials are weak or shared)
  • Low attack complexity once authenticated
  • Affects surveillance and monitoring infrastructure that may be connected to or near OT networks
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (33)
33 with fix
Product | Affected Versions | Fix Status
P3 D24M | MX-V4.1.4.11; MX-V4.1.4.70; MX-V4.1.6.25 and 24 more | MX-V4.7.2.18
P3 M24M | MX-V4.1.4.11; MX-V4.1.4.70; MX-V4.1.6.25 and 24 more | MX-V4.7.2.18
P3 Q24M | MX-V4.1.4.11; MX-V4.1.4.70; MX-V4.1.6.25 and 24 more | MX-V4.7.2.18
P3 T24M | MX-V4.1.4.11; MX-V4.1.4.70; MX-V4.1.6.25 and 24 more | MX-V4.7.2.18
P3 D14Di | MX-V4.1.4.11; MX-V4.1.4.70; MX-V4.1.6.25 and 24 more | MX-V4.7.2.18
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to camera management interfaces using firewall rules; block access from untrusted network segments
HARDENING: Enforce strong, unique passwords for all camera administrator and engineering accounts; disable default credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all P3 cameras to firmware version MX-V4.7.2.18 or later
HOTFIX: Update all Mx6 cameras to firmware version MX-V5.2.0.61 or later
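
To find which cameras in an asset inventory still need these updates, the following added example (not part of the advisory or any vendor tooling) classifies firmware strings against the ranges given in the summary. It assumes version strings have the four-part MX-Va.b.c.d form shown on this page; the hostnames and inventory rows are constructed.

```python
import re

# Ranges taken from the advisory summary: (first listed affected, first fixed).
RANGES = {
    "P3":  ((4, 1, 4, 11),  (4, 7, 2, 18)),
    "Mx6": ((5, 0, 0, 127), (5, 2, 0, 61)),
}
VERSION_RE = re.compile(r"^MX-V(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return the firmware version as a 4-tuple of ints, or None if malformed."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(family, firmware):
    """Return affected, fixed, unlisted (older than the listed range) or unknown."""
    version = parse_version(firmware)
    if family not in RANGES or version is None:
        return "unknown"
    first_affected, first_fixed = RANGES[family]
    # Tuples compare numerically, so 4.7.2.9 sorts before 4.7.2.18
    # (a plain string comparison would get this wrong).
    if version >= first_fixed:
        return "fixed"
    if version >= first_affected:
        return "affected"
    return "unlisted"

def triage(inventory):
    """Return rows that are not confirmed fixed, affected ones first."""
    order = {"affected": 0, "unknown": 1, "unlisted": 2}
    rows = [(host, fam, fw, classify(fam, fw)) for host, fam, fw in inventory]
    flagged = [r for r in rows if r[3] != "fixed"]
    return sorted(flagged, key=lambda r: (order[r[3]], r[0]))

# Constructed sample inventory (hostnames are hypothetical).
SAMPLE = [
    ("cam-gate-01", "P3", "MX-V4.1.6.25"),
    ("cam-gate-02", "P3", "MX-V4.7.2.18"),
    ("cam-pump-01", "Mx6", "MX-V5.0.0.133"),
    ("cam-pump-02", "Mx6", "MX-V5.2.0.61"),
    ("cam-yard-01", "P3", "MX-V4.7.2.9"),
    ("cam-yard-02", "Mx6", "unreadable"),
]

if __name__ == "__main__":
    for host, fam, fw, status in triage(SAMPLE):
        print(f"{host:12} {fam:4} {fw:16} {status}")
```

Rows reported as unknown or unlisted fall outside what the advisory states and need manual review rather than being treated as safe.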
Long-term hardening
HARDENING: Isolate camera networks from business networks and internet-facing systems
HARDENING: Implement VPN-only access for remote camera management instead of direct internet exposure