A vulnerability of remote credential disclosure was discovered in Advan VD-1
Description
A vulnerability of remote credential disclosure was discovered in Advan VD-1 firmware versions up to 230. An attacker can export system configuration which is not encrypted to get the administrator’s account and password in plain text via cgibin/ExportSettings.cgi?Export=1 without any authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote credential disclosure in Advan VD-1 firmware allows attackers to export unencrypted system configuration and obtain admin credentials.
Vulnerability
CVE-2019-11064 is a remote credential disclosure vulnerability in Advan VD-1 firmware versions up to 230, as well as Geovision GV-VR360 (up to V1.10) and GeoVision GV-VD8700 (up to V1.01) [1]. The bug resides in the cgibin/ExportSettings.cgi endpoint, which when called with the parameter Export=1 exports the device's system configuration without any encryption. The configuration file contains the administrator's account and password in plain text. No authentication is required to trigger this export [1].
Exploitation
An attacker with network access to the device can simply send a GET request to http:///cgibin/ExportSettings.cgi?Export=1 without any authentication or prior knowledge. The device responds with the system configuration file, which includes the administrator's credentials in plain text [1]. No user interaction or special privileges are needed.
Impact
Successful exploitation gives the attacker the administrator credentials for the device. With these credentials, the attacker can log into the device's web interface and gain full control. Since the VD-1 is used for security monitoring with face recognition and motion detection, the attacker can view live camera feeds, disable or alter the face database, and turn off motion detection, effectively removing the physical security monitoring mechanism [1]. The attacker may also use the credentials to access other administrative functions.
Mitigation
As of the publication date (2019-08-29), no official patch or firmware update has been mentioned in the available reference [1]. Users are advised to check with the vendor (AndroVideo, GeoVision) for updated firmware that addresses this issue. If no update is available, network-level controls such as restricting access to the device's web interface to trusted IPs only, or placing the device behind a firewall, can reduce exposure. The affected firmware versions are Advan VD-1 <= v230, Geovision GV-VR360 <= V1.10, and GeoVision GV-VD8700 <= V1.01 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- AndroVideo/Advan VD-1 firmwarev5Range: up to 230
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- surl.twcert.org.tw/gCDQNmitrex_refsource_CONFIRM
- gist.github.com/keniver/f5155b42eb278ec0273b83565b64235bmitrex_refsource_CONFIRM
- tvn.twcert.org.tw/taiwanvn/TVN-201906005mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.