CVE-2018-17917
Description
Cloud IDs for Xiongmai XMeye P2P devices can be enumerated from MAC addresses, allowing attackers to discover and connect to devices via supported apps.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server, in all versions, exposes a predictable mapping from MAC addresses to Cloud IDs. An attacker can take a known MAC address (e.g., obtained from network scans or device labels) and enumerate the corresponding Cloud ID without authentication [1]. This affects all products using the XMeye P2P Cloud Server, including devices sold by various OEM vendors [1].
Exploitation
An attacker needs only network access to the cloud server (no prior authentication) and a target device's MAC address. By sending requests to the XMeye cloud with candidate MAC-to-ID transformations, the attacker can enumerate valid Cloud IDs and then use those IDs to discover and connect to live devices through official XMeye mobile or desktop apps [1]. No user interaction or elevated privileges are required.
Impact
Successful enumeration and subsequent connection give the attacker unauthorized access to the device's video feeds. Depending on the app and device configuration, this may also allow viewing of live streams, modifying settings, or further exploitation [1]. The CVSS v3 base score for this predictable-state issue is 5.3 (medium), reflecting confidentiality impact and no required privileges [1].
Mitigation
As of the advisory date (October 10, 2018), no official patch or fixed version has been announced by Hangzhou Xiongmai Technology Co., Ltd [1]. Users are advised to isolate affected devices on separate network segments, employ strong network access controls, and monitor for unauthorized connections. The vendor has not provided a firmware update to address the MAC-based Cloud ID enumeration [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: All versions
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] ics-cert.us-cert.gov/advisories/ICSA-18-282-06 (mitre, x_refsource_MISC)