BugProve Discovers Critical Security Vulnerabilities in Zavio IP Cameras

In a groundbreaking revelation, BugProve, a prominent name in the field of cybersecurity, has exposed a critical security advisory concerning Zavio IP cameras. The advisory underscores the presence of a staggering seven pre-authentication remote code execution (RCE) vulnerabilities and 26 post-authentication code execution vectors, all rooted in memory corruption issues within the Onvif daemon of select Zavio IP camera models.

The timeline of events leading to this disclosure began on December 9, 2022, when BugProve initially reported these vulnerabilities to Zavio. Despite multiple reminders and diligent follow-ups, Zavio remained unresponsive, compelling BugProve to seek the involvement of renowned organizations like MITRE and the Cybersecurity and Infrastructure Security Agency (CISA).

The gravity of these vulnerabilities cannot be understated, as they allow malicious actors to execute arbitrary code on affected Zavio IP cameras. These devices, estimated to number in the tens of thousands, are still operating on public networks, posing a significant security threat.

The affected products encompass various Zavio IP camera models, all running firmware version M2.1.6.05. Zavio, a Chinese manufacturer specializing in video surveillance equipment, failed to engage constructively during the disclosure process. Consequently, CISA stepped in to oversee coordination efforts, testing, and vulnerability confirmation, resulting in the assignment of CVE identifiers, with CVE-2023-3959 and CVE-2023-4249 being notable among them. A detailed explanation of the vulnerabilities can be found in BugProve's vulnerability disclosure (https://bugprove.com/knowledge-hub/cve-2023-3959-cve-2023-4249-multiple-critical-vulnerabilities-in-zavio-ip-cameras/).

Users of Zavio IP cameras are strongly urged to change their devices since proper updates to patch these vulnerabilities will not be available.

In the realm of computer security, remotely exploitable memory corruptions represent an acute concern. Successful exploitation of these vulnerabilities can have dire consequences for end-user privacy. When malicious actors exploit these vulnerabilities on a large scale, it can lead to network compromise and the exposure of sensitive data. The stealthy nature of such attacks poses significant challenges for detection and defense, thereby jeopardizing the security and privacy of individuals and organizations alike.

Moreover, the potential for widespread exploitation of these vulnerabilities extends beyond individual privacy concerns. It raises broader implications for the overall security posture of systems and networks, with potential economic and societal consequences. Although it may not always result in direct national security threats, the cumulative impact of these vulnerabilities is undeniably significant.

In light of these circumstances, addressing remote memory corruption vulnerabilities is paramount. Doing so not only safeguards individual privacy but also fortifies the resilience and security of digital ecosystems. BugProve remains committed to advancing cybersecurity awareness and testing processes and encouraging responsible disclosure to protect the interests of individuals, organizations, and society as a whole.

Name: BugProve Ltd.
Address: 1024, Budapest, 48th Keleti Karoly str.
Media contact: Dora Meleg (dora.meleg@bugprove.com)

Founded in 2022 by a team of three accomplished security researchers, BugProve is a dynamic European startup at the forefront of cybersecurity innovation. Getting its pre-seed round from esteemed regional VCs like Credo and Fiedler, the company swiftly developed its state-of-the-art firmware analysis platform entirely in-house. In the first quarter of 2023, BugProve launched its solution aiming to streamline IoT product security and set new industry standards. They received multiple CVEs via the platform.

This release was published on openPR.