CVE-2018-17919

Vulnerability

All versions of the Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server contain an undocumented user account named default that uses a default password. This hidden functionality (CWE-912) is present in all products relying on the XMeye P2P Cloud Server, regardless of the vendor brand. The vulnerability is tracked as CVE-2018-17919 with a CVSS v3 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) [1].

Exploitation

An attacker can remotely exploit this vulnerability without authentication or special network position. The account default with its default password can be used to log into the XMeye P2P Cloud Server via one of the supported apps. The skill level required is low, and information about this vulnerability is publicly available, enabling straightforward exploitation [1].

Impact

Successful exploitation allows the attacker to access and view live video streams from the affected device. Depending on device capabilities, the attacker may also modify settings, replace firmware, or execute arbitrary code, leading to a compromise of confidentiality (unauthorized access to video feeds) and integrity (potential device modification) [1].

Mitigation

As of the advisory publication date of October 10, 2018, Hangzhou Xiongmai Technology Co., Ltd had not released a firmware patch. The ICS-CERT advisory recommends users disable the default account if possible or restrict network access to the XMeye server. Users are urged to contact their specific device vendor for updates, as many devices are rebranded [1].