The US cybersecurity agency CISA has published an advisory describing a high-severity vulnerability that appears to have been exploited in the wild to hack cameras made by Avtech Security.
The flaw, tracked as CVE-2024-7029, has been confirmed to impact Avtech AVM1203 IP cameras running firmware versions FullImg-1023-1007-1011-1009 and prior, but other cameras and NVRs made by the Taiwan-based company may also be affected.
“Commands can be injected over the network and executed without authentication,” CISA said, noting that the bug is remotely exploitable and that it’s aware of exploitation.
The cybersecurity agency said Avtech has not responded to its attempts to get the vulnerability fixed, which likely means that the security hole remains unpatched.
CISA learned about the vulnerability from Akamai and the agency said “an anonymous third-party organization confirmed Akamai’s report and identified specific affected products and firmware versions”.
There do not appear to be any public reports describing attacks involving exploitation of CVE-2024-7029. SecurityWeek has reached out to Akamai for more information and will update this article if the company responds.
It’s worth noting that Avtech cameras have been targeted by several IoT botnets in recent years, including Hide ’N Seek and Mirai variants.
According to CISA’s advisory, the vulnerable product is used worldwide, including in critical infrastructure sectors such as commercial facilities, healthcare, financial services, and transportation.
It’s also worth pointing out that CISA has yet to add the vulnerability to its Known Exploited Vulnerabilities Catalog at the time of writing.
SecurityWeek has reached out to the vendor for comment.
UPDATE: Larry Cashdollar, Principal Security Researcher at Akamai Technologies, provided the following statement to SecurityWeek:
“We saw an initial burst of traffic probing for this vulnerability back in March but it has trickled off until recently likely due to the CVE assignment and current press coverage. It was discovered by Aline Eliovich, a member of our team who had been examining our honeypot logs hunting for zero days. The vulnerability lies in the brightness function within the file /cgi-bin/supervisor/Factory.cgi. Exploiting this vulnerability allows an attacker to remotely execute code on a target system. The vulnerability is being abused to spread malware. The malware appears to be a Mirai variant. We’re working on a blog post for next week that will have more details.”
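Organizations that still have these cameras reachable can look for the traffic Akamai describes in their own proxy or web access logs. The script below is an added example, not code from Akamai, CISA or the original article: it flags every request to the Factory.cgi path and marks those whose parameters decode to shell metacharacters, including double-encoded ones. The log format, the metacharacter list, the sample lines and the parameter name `p` are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/cgi-bin/supervisor/Factory.cgi"  # path named in Akamai's statement
# Shell separators and substitution syntax (generic heuristic, an assumption).
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")
# Common/combined access-log format (assumed): ip - user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines; the parameter name "p" and PLACEHOLDER are not real values.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Aug/2024:10:01:02 +0000] "GET /cgi-bin/supervisor/Factory.cgi HTTP/1.1" 200 120',
    '198.51.100.9 - - [05/Aug/2024:10:03:44 +0000] "GET /cgi-bin/supervisor/Factory.cgi?p=1%3BPLACEHOLDER HTTP/1.1" 200 0',
    '198.51.100.9 - - [05/Aug/2024:10:03:50 +0000] "GET /CGI-BIN/supervisor/Factory.cgi?p=1%2524%2528PLACEHOLDER%2529 HTTP/1.1" 200 0',
    '192.0.2.10 - - [05/Aug/2024:10:04:00 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 512',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one finding per request that touches TARGET_PATH."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        ip, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if decode_fully(url.path).lower() != TARGET_PATH.lower():
            continue
        # Split on raw '&' first, then decode each value before testing it.
        bad = [name for name, val in parse_qsl(url.query, keep_blank_values=True)
               if SHELL_META.search(decode_fully(val))]
        findings.append({"ip": ip, "time": when, "status": int(status),
                         "verdict": "injection-like" if bad else "probe",
                         "params": bad})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on this path from outside the management network is worth triage, since CISA states the flaw is exploitable without authentication.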
UPDATE 2, August 8, 2024: Avtech has provided the following statement to SecurityWeek:
“Regarding recent concerns raised by CISA regarding a potential security vulnerability in one of our products. The specific model in question, AVM1203, has been discontinued for nearly seven years. Following a thorough internal review of our current product lineup, we can confirm that this issue has been fully addressed in all models currently available on the market. We assure our customers that they can continue using our products with confidence.
Despite its discontinued status, we are evaluating the possibility of releasing a software update to address the identified vulnerability or offering a product replacement service for affected units.
At AVTECH, we take product security very seriously. We have consistently invested in enhancing the security of our products to protect against potential malicious attacks, thereby safeguarding our customers from any inconvenience or loss. In recent years, our key security measures have included:
- Encrypting all communications between our devices and company-operated servers, including P2P connections.
- Requiring account and password authentication for all device communications, with mandatory password changes to ensure that new credentials meet robust security standards.
- Conducting detailed and precise input validation for all communication interfaces, particularly user-provided parameters, ensuring they are thoroughly checked and accurately processed before being applied by the device.
While we strive to follow the best security practices in all our products, it is important to recognize that once products are phased out and cease to receive updates, their security protocols may no longer be up to date. This is a common challenge with electronic products across the industry. We encourage our customers to consider upgrading to our current product offerings to ensure they benefit from the latest security protocols and features, thereby maintaining the highest level of protection and functionality.
We will reach out to CISA to clarify and resolve the issue raised, addressing any customer concerns.”