Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Unpatched Akuvox Smart Intercom Vulnerabilities Can Be Exploited for Spying

Researchers discover a dozen serious vulnerabilities in Akuvox smart intercom, but the vendor has not released any patches.

A smart intercom product made by Chinese company Akuvox is affected by more than a dozen vulnerabilities, including potentially serious flaws that can be exploited for spying. 

The vulnerabilities were discovered by researchers at industrial and IoT cybersecurity firm Claroty. The company — along with CISA and CERT/CC — has attempted to report the findings to the vendor over the past year, but without success, and the security holes remain unpatched. 

Claroty this week disclosed technical details of its findings and CISA has also published an advisory

The security firm started analyzing Akuvox’s E11 product after finding it in a new office space it moved into last year. The E11 is advertised as a video doorphone designed for homes, villas, offices, and warehouses. It includes live video streaming, motion detection, and access control capabilities. According to CISA, the affected product has been used worldwide.

Claroty’s analysis revealed the existence of 13 vulnerabilities related to weak encryption, the use of hardcoded cryptographic keys, sensitive information exposure, insecure password recovery mechanisms, command injection flaws, improper access control and authentication, missing authorization, and hidden functionality that can be abused for malicious purposes.

A majority of these vulnerabilities have been assigned ‘critical’ and ‘high’ severity ratings. An attacker could exploit the flaws for remote code execution, remotely activating a device’s microphone and camera and transmitting data to a remote server, and obtaining stored images and data captured by the device.

An attacker could exploit the vulnerabilities to take complete control of the targeted Akuvox device, allowing them to spy on users, open doors, and gain a foothold into the targeted organization’s network, according to Claroty.

“In privacy-sensitive organizations, such as healthcare centers, this can put organizations in violation of numerous regulations designed to ensure patient privacy,” the company warned. 

Many of the vulnerabilities can be exploited without authentication and attacks can even be launched directly from the internet if the targeted device is accessible from the web. 

SecurityWeek has reached out to the vendor for comment and will update this article if the company responds.

While there do not appear to be any patches, Claroty said the risk can be mitigated by ensuring the device is not exposed to the internet, isolating it from the rest of the enterprise network to prevent lateral movement, and changing the default password for the web interface.

UPDATE, March 13: Akuvox has responded to SecurityWeek’s inquiry, saying that it has “given top priority to patching the vulnerabilities after confirming their existence”. The company plans on releasing a firmware update that should patch the vulnerabilities before March 20, 2023.

In the meantime, the company has advised partners to offer mitigation measures to customers.

“Akuvox is committed to continuously enhancing product security to meet the most stringent requirements. We are also happy to work with security researchers from organizations like Claroty to identify, patch, and release updates to best protect the users of our products,” Akuvox said.

Related: Aiphone Intercom System Vulnerability Allows Hackers to Open Doors

Related: Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors

Related: Vulnerability Allows Hackers to Unlock Smart Home Door Locks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet