VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2019-25247

Description

Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Beward N100 IP Camera firmware M2.1.6 is vulnerable to CSRF, allowing an attacker to add an admin user by tricking an authenticated admin into submitting a crafted form.

Vulnerability Overview

The Beward N100 H.264 VGA IP Camera running firmware version M2.1.6 contains a cross-site request forgery (CSRF) vulnerability in its web interface. The application fails to perform any validity checks on HTTP requests, allowing actions to be executed without a unique token or other CSRF protection mechanisms [1][3]. The root cause is the lack of request validation for sensitive administrative operations.

Attack Vector

An attacker can exploit this vulnerability by hosting a malicious HTML page that contains a hidden form. When a logged-in administrator visits this page (via phishing, cross-site scripting, or other social engineering), the form automatically submits a request to the camera's CGI endpoint at /cgi-bin/admin/param with parameters to add a new user. The form includes a Base64-encoded username:password credential pair along with a privilege flag (01000001 for admin), enabling the attacker to create a new administrator account without the victim's knowledge [3]. The only prerequisite is that the victim is authenticated to the camera's web interface at the time of the attack.

Impact

Successful exploitation allows an attacker to gain persistent administrative access to the IP camera. This can lead to full compromise of the device, including the ability to view live video feeds, modify configuration settings, disable the device, or use it as a pivot point within the network. The attack requires no authentication on the attacker's part, only the victim's active session [1][3].

Mitigation Status

The vulnerability was publicly disclosed in January 2019 via Zero Science Lab (ZSL-2019-5510) and was subsequently published on Exploit-DB [3]. As of the CVE publication date (December 2025), users should check for firmware updates from Beward that address this CSRF issue. If no patch is available, mitigating actions include restricting access to the camera's web interface to trusted networks only, using a reverse proxy with CSRF protection, or ensuring administrators do not browse untrusted sites while logged into the camera [2].
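The reverse-proxy mitigation above can be approximated with an Origin/Referer check on the admin CGI path. The following is an added example, not code from the advisory or from Beward; the trusted origin, the function names and the sample headers are assumptions, and the proxy is assumed to pass in an already normalized request path and lower-cased header names.

```python
from urllib.parse import urlsplit

# Assumption: the only origin(s) under which admins reach the camera via the proxy.
TRUSTED_ORIGINS = {"https://camera.example.internal"}
# Admin CGI path named in the advisory (/cgi-bin/admin/param lives under it).
PROTECTED_PREFIX = "/cgi-bin/admin/"


def _origin_of(url):
    """Return scheme://host[:port] for an absolute URL, else None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def allow_request(path, headers):
    """Decide whether the proxy forwards a request to the camera.

    path:    normalized request path (query string may be attached).
    headers: dict of request headers with lower-case names.
    Returns (allowed, reason). Every method is checked, because the
    advisory does not say which HTTP method the camera's CGI accepts.
    """
    if not path.startswith(PROTECTED_PREFIX):
        return True, "not an admin endpoint"

    origin = headers.get("origin")
    if origin is not None:
        # The literal "null" origin (sandboxed frames) never matches.
        ok = _origin_of(origin) in TRUSTED_ORIGINS
        return ok, "origin trusted" if ok else "foreign origin"

    referer = headers.get("referer")
    if referer is not None:
        # Compare the full origin, not a prefix, so look-alike hosts fail.
        ok = _origin_of(referer) in TRUSTED_ORIGINS
        return ok, "referer trusted" if ok else "foreign referer"

    # A cross-site page can suppress Referer, so a missing header fails closed.
    return False, "no Origin or Referer on admin request"
```

The check only helps if the camera's web interface is reachable solely through the proxy, which matches the advisory's advice to restrict access to trusted networks.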

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 3