CVE-2018-16225
Description
The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=4.16.4
Patches
Vulnerability mechanics
Root cause
"The camera accepts unencrypted network traffic, allowing attackers to intercept and reuse authentication cookies."
Attack vector
An attacker on the local network can intercept unencrypted HTTP requests sent by client applications to the camera. These requests contain authentication cookies. By reusing these intercepted cookies, an attacker can send custom commands to the camera. Specifically, the attacker can trigger the privacy mode, effectively disabling the camera and its physical button functionality [ref_id=1].
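A defender-side check for the condition described above, as an added example that is not part of the advisory or the vendor's code: it scans HTTP request records for cookies sent to the camera in cleartext and for the same cookie arriving from more than one client address. The record layout, IP addresses, request paths and cookie name are constructed for illustration and are not the camera's real API.

```python
"""Flag cleartext cookie exposure and cookie reuse in HTTP request records."""
from collections import defaultdict

# Constructed sample records (not from the advisory): one HTTP request each,
# as a proxy or flow exporter on the LAN might log it.
# Fields: source IP, destination IP, destination port, TLS flag, raw headers.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "192.0.2.50", 80, False,
     "GET /status HTTP/1.1\r\nHost: camera\r\nCookie: session=abc123\r\n\r\n"),
    ("192.0.2.10", "192.0.2.50", 80, False,
     "GET /snapshot HTTP/1.1\r\nHost: camera\r\nCookie: session=abc123\r\n\r\n"),
    ("192.0.2.77", "192.0.2.50", 80, False,
     "POST /settings HTTP/1.1\r\nHost: camera\r\nCookie: session=abc123\r\n\r\n"),
    ("192.0.2.10", "192.0.2.60", 443, True,
     "GET / HTTP/1.1\r\nHost: other\r\nCookie: session=zzz\r\n\r\n"),
]


def cookie_header(raw_headers):
    """Return the Cookie header value, or None if the request has none."""
    for line in raw_headers.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return value.strip()
    return None


def analyse(requests, device_ip):
    """Return (cleartext_exposures, reused_cookies) for traffic to device_ip.

    cleartext_exposures: number of non-TLS requests that carried a cookie.
    reused_cookies: {cookie: sorted source IPs} for cookies seen from 2+ hosts.
    """
    exposures = 0
    sources = defaultdict(set)
    for src, dst, _port, is_tls, raw in requests:
        if dst != device_ip or is_tls:
            continue  # only cleartext traffic to the monitored device
        cookie = cookie_header(raw)
        if cookie is None:
            continue
        exposures += 1
        sources[cookie].add(src)
    reused = {c: sorted(ips) for c, ips in sources.items() if len(ips) > 1}
    return exposures, reused


if __name__ == "__main__":
    print(analyse(SAMPLE_REQUESTS, "192.0.2.50"))
```

A client whose address changes (for example after a DHCP renewal) also shows up as reuse, so treat a hit as a lead to correlate with MAC addresses or lease logs rather than as proof.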
Affected code
The vulnerability lies in the camera's handling of unencrypted network traffic, specifically its acceptance of client requests containing authentication cookies over cleartext channels [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. However, it implies that the issue is resolved in versions after 4.16.4. Users are advised to update their camera firmware to a patched version.
Preconditions
- network: Attacker must be on the same local network as the camera.
- config: The camera must be running a vulnerable firmware version (4.16.4 or earlier).
- config: Client applications (e.g., QBee Cam through 1.0.5, Swisscom Home App up to 10.7.2) must be communicating with the camera over unencrypted traffic [ref_id=1].
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- blog.francescoservida.ch/2018/09/16/cve-2018-16225-public-disclosure-qbee-camera-vulnerability/ (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2018/Sep/21 (mitre, mailing-list, x_refsource_FULLDISC)