CVE-2024-48214

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 30, 2024 / Updated: 20d ago

CVSS 8.4 / EPSS 0.04% / Severity: High

Summary

A command injection vulnerability exists in the KERUI HD 3MP 1080P Tuya Camera version 1.0.4, specifically in the module that connects to the local network via a QR code. An attacker can exploit this vulnerability by creating a custom, unauthenticated QR code and abusing either the SSID or PASSWORD parameters in the JSON data contained within the QR code.

Impact

This vulnerability allows an attacker to execute arbitrary code on the camera. The impact is severe, with high potential for compromising the confidentiality, integrity, and availability of the device. An attacker could potentially gain full control over the camera, intercept or manipulate video feeds, use the camera as a pivot point for further network attacks, or render the device inoperable.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence at the moment that the vulnerability has been exploited in the wild.

Patch

As of the vulnerability report, there is no mention of an available patch for this specific issue in KERUI HD 3MP 1080P Tuya Camera version 1.0.4.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Limit physical access to the camera to prevent attackers from scanning malicious QR codes.
2. If possible, disable or restrict the QR code-based network configuration feature.
3. Implement network segmentation to isolate the affected cameras from critical network resources.
4. Monitor network traffic from these cameras for any suspicious activities.
5. Consider replacing the affected cameras with alternative models that do not have this vulnerability if the risk is deemed too high for your environment.
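The defect class described in the summary is provisioning input (SSID and PASSWORD from QR-code JSON) being treated as command text. As an added illustration, not code from the vendor or from the advisory, the following shows how a device-side provisioning handler can avoid it: validate the fields against the 802.11/WPA2 limits, then emit only hex-encoded values so no attacker-controlled byte ever reaches a shell or a quoted config field. The JSON field names `ssid` and `password`, and the use of wpa_supplicant as the Wi-Fi stack, are assumptions.

```python
import hashlib
import json

# Limits from IEEE 802.11 / WPA2-PSK: SSID 1..32 bytes, passphrase 8..63 printable ASCII.
SSID_MAX_BYTES = 32
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63


class ProvisioningError(ValueError):
    """Raised for any QR payload that does not match the provisioning schema."""


def validate_wifi_credentials(qr_payload: str) -> dict:
    """Parse provisioning JSON from a setup QR code and return only validated fields.
    Field names 'ssid' and 'password' are assumed, not taken from the advisory."""
    try:
        data = json.loads(qr_payload)
    except json.JSONDecodeError as exc:
        raise ProvisioningError(f"invalid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ProvisioningError("payload must be a JSON object")
    ssid, psk = data.get("ssid"), data.get("password")
    if not isinstance(ssid, str) or not isinstance(psk, str):
        raise ProvisioningError("ssid and password must be strings")
    if not 1 <= len(ssid.encode("utf-8")) <= SSID_MAX_BYTES or not ssid.isprintable():
        raise ProvisioningError("ssid must be 1-32 bytes of printable text")
    if not (PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN and psk.isascii() and psk.isprintable()):
        raise ProvisioningError("password must be 8-63 printable ASCII characters")
    return {"ssid": ssid, "password": psk}


def wpa_supplicant_network_block(creds: dict) -> str:
    """Emit a wpa_supplicant network block using only hex-encoded values, so shell
    metacharacters or quotes in the input cannot change the meaning of the config.
    Assumes wpa_supplicant; the advisory does not say which Wi-Fi stack the camera uses."""
    ssid_bytes = creds["ssid"].encode("utf-8")
    # WPA2 PSK derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes.
    psk_hex = hashlib.pbkdf2_hmac(
        "sha1", creds["password"].encode("utf-8"), ssid_bytes, 4096, 32
    ).hex()
    return f"network={{\n\tssid={ssid_bytes.hex()}\n\tpsk={psk_hex}\n}}\n"


def provision_from_qr(qr_payload: str) -> str:
    """End-to-end: reject malformed payloads, otherwise return a metacharacter-free config."""
    return wpa_supplicant_network_block(validate_wifi_credentials(qr_payload))


# Constructed sample payload (not from the advisory) for trying the handler locally.
BENIGN_QR = '{"ssid": "HomeNet", "password": "correct horse battery"}'
```

Writing the block to a file and reconfiguring the interface with an argument vector (never a concatenated shell string) keeps the credentials as data end to end.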

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48214

Oct 30, 2024 at 6:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48214.

Oct 30, 2024 at 6:20 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 30, 2024 at 6:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Oct 31, 2024 at 10:13 AM
CVSS

A CVSS base score of 8.4 has been assigned.

Oct 31, 2024 at 4:40 PM / nvd

Affected Systems

Kerui

Attack Patterns

CAPEC-136: LDAP Injection