CVE-2019-12183
Description
Incorrect Access Control in Safescan Timemoto TM-616 and TA-8000 series allows remote attackers to read any file via the administrative API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Safescan/Timemoto TM-616 and TA-8000 series
Patches
Vulnerability mechanics
Root cause
"The administrative API's CMD_READ_FILE handler performs no authentication or authorization checks before returning the contents of any requested file."
Attack vector
An attacker on the same network can connect to the API service on TCP port 4360 (the default; no authentication is required) and send a crafted command packet with the opcode corresponding to `CMD_READ_FILE`. The API returns the contents of any requested file without any access control checks [ref_id=1]. This allows reading sensitive files such as `/etc/passwd`, `/etc/shadow`, configuration files containing Wi-Fi credentials, and even fingerprint image data stored on the device [ref_id=1].
Affected code
The vulnerability resides in the administrative API service running on port 4360 of the Safescan Timemoto TM-616 and TA-8000 series devices. The `CMD_READ_FILE` handler in the API binary allows an unauthenticated remote attacker to read any file on the device filesystem by simply requesting it through the API protocol [ref_id=1].
What the fix does
The advisory does not include a patch diff. The vendor released a fix in August 2019 [ref_id=1]. Based on the researcher's description, proper authentication and authorization checks must be added to the `CMD_READ_FILE` handler so that only authenticated administrators can read files, and the handler should restrict which paths can be accessed to prevent arbitrary file reads.
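The two checks described above, as an added C example. It is not the vendor's fix, which the advisory does not show; the `session` structure, the `authorize_read_file` function and the use of `/usr` as a stand-in for an allowed directory are all hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() and PATH_MAX */
#endif
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session state: the page does not document the device's real structures. */
struct session { bool authenticated; bool is_admin; };
enum read_status { READ_OK, READ_DENIED_AUTH, READ_DENIED_PATH };

/* Decide whether a CMD_READ_FILE-style request may proceed.
 * On READ_OK, `resolved` holds the canonical path the caller should open. */
enum read_status authorize_read_file(const struct session *s, const char *root,
                                     const char *requested, char resolved[PATH_MAX])
{
    char root_real[PATH_MAX];

    /* 1. Authentication and authorization come before any filesystem access. */
    if (s == NULL || !s->authenticated || !s->is_admin)
        return READ_DENIED_AUTH;

    /* 2. Canonicalize both paths so "..", symlinks and "//" cannot escape root. */
    if (realpath(root, root_real) == NULL || strcmp(root_real, "/") == 0)
        return READ_DENIED_PATH;          /* a root of "/" would allow everything */
    if (requested == NULL || realpath(requested, resolved) == NULL)
        return READ_DENIED_PATH;          /* nonexistent or unresolvable: refuse */

    /* 3. Require root itself or a path below it; the '/' check stops
     *    "/var/export-old" from matching a root of "/var/export". */
    size_t n = strlen(root_real);
    if (strncmp(resolved, root_real, n) != 0 ||
        (resolved[n] != '/' && resolved[n] != '\0'))
        return READ_DENIED_PATH;
    return READ_OK;
}

int main(void)
{
    struct session anon = { false, false }, admin = { true, true };
    char out[PATH_MAX];
    /* Constructed requests; "/usr" stands in for the device's allowed directory. */
    printf("%d\n", authorize_read_file(&anon, "/usr", "/usr/bin", out));
    printf("%d\n", authorize_read_file(&admin, "/usr", "/usr/../etc/passwd", out));
    printf("%d\n", authorize_read_file(&admin, "/usr", "/usr/bin", out));
    return 0;
}
```

The path check and the later open are separate steps, so if the directory tree can be modified between them the handler should open the resolved path and verify the opened file rather than trust the earlier result.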
Preconditions
- Network: Attacker must have network access to the device's API service on port 4360
- Auth: No authentication is required; the API runs by default with no access control
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.