Security Experts:

Connect with us

Hi, what are you looking for?



Surveillance Cameras From 70 Vendors Vulnerable to Remote Hacking

Surveillance cameras sold by more than 70 vendors worldwide were found to be vulnerable to Remote Code Execution (RCE) because of shared firmware code, a researcher has discovered.

Surveillance cameras sold by more than 70 vendors worldwide were found to be vulnerable to Remote Code Execution (RCE) because of shared firmware code, a researcher has discovered.

The affected products come from vendors that resell almost identical products, all of which include vulnerable software apparently built by Chinese manufacturer TVT.

Security researcher Rotem Kerner analyzed the firmware of surveillance cameras and discovered a new attack vector that can compromise DVR boxes, the main component of CCTV systems.

Because of a “white labeling” business model, where vendors place their logo on a product built by another manufacturer, and due to improper security verification of software packages, nearly identical products from tens of vendors expose users to the same security flaws.

In this specific case, Kerner discovered that the firmware used in vulnerable products from an Israeli company selling CCTV systems was susceptible to RCE because of a vulnerable implementation of the HTTP server.

The security flaw relies in the server checking if the directory of a given language exists and on it executing an extraction command if it does not exist. Next, the researcher was able to create an exploit for the vulnerability, and has already published it online.

According to the researcher, tens of thousands of products using the same HTTP server implementation, appear in Shodan search results, suggesting that all of them are vulnerable. However, the exact number of vulnerable products could be much higher, and the impact of this security flaw should not be underestimated, the researcher suggests.

Kerner also explains that he tried contacting the original manufacturer TVT, but that he received no response from the company thus far. The researcher published a list of vendors selling TVT products under their own brand and advises users to deny any connection from an unknown IP address to the DVR services, especially since the same systems might be affected by exploits for other vulnerabilities as well.

While this scenario is not new, it once again reveals the importance of performing security checks on any software packed inside embedded devices, especially when outsourcing production. In fact, Eurecom and Ruhr-University Bochum researchers revealed in November last year that insufficient security checks make embedded device firmware images susceptible to multiple security flaws. After analyzing thousands of firmware images from tens of different vendors, the researchers discovered hundreds of vulnerabilities in the Web interfaces of corresponding IoT devices. While cross-site scripting (XSS) and file manipulation were the most prevalent security flaws, the analyzed firmware images were also susceptible to command injection, file inclusion, file disclosure, SQL injection, and RCE.

Firmware images have been long said to be as vulnerable to attacks as any other piece of software, and VirusTotal in January announced that it now offers support for scanning these packages for malware. In November 2015, a study by IT security consultancy SEC Consult revealed that millions of Internet-of-Things (IoT) devices use the same cryptographic secrets, making them vulnerable to various types of malicious attacks. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet