VYPR
Unrated severity. NVD Advisory. Published Jul 23, 2020. Updated Aug 4, 2024.

CVE-2020-11625

Description

An issue was discovered in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438. Failed web UI login attempts elicit different responses depending on whether a user account exists. Because the responses indicate whether a submitted username is valid or not, they make it easier to identify legitimate usernames. If a login request is sent to ISAPI/Security/sessionLogin/capabilities using a username that exists, it will return the value of the salt given to that username, even if the password is incorrect. However, if a login request is sent using a username that is not present in the database, it will return an empty salt value. This allows attackers to enumerate legitimate usernames, facilitating brute-force attacks. NOTE: this is different from CVE-2020-7057.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AvertX HD838 and HD438 cameras reveal whether a username exists via differing login responses, enabling user enumeration and brute-force attacks.

Vulnerability

An issue exists in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438. The web login endpoint ISAPI/Security/sessionLogin/capabilities returns different responses depending on whether the submitted username is valid. If the username exists, the response includes the salt value for that user, even if the password is incorrect. If the username does not exist, the salt value is empty. This behavior allows an attacker to enumerate valid usernames without authentication [1].

Exploitation

An attacker with network access to the camera can send a crafted login request to the ISAPI/Security/sessionLogin/capabilities endpoint. By observing whether the response contains a non-empty salt value, the attacker can determine if a given username is registered. No authentication or prior knowledge is required; the attacker only needs to supply a username. This enumeration can be automated to build a list of valid usernames [1].

Impact

Successful enumeration of valid usernames facilitates targeted brute-force attacks against the camera's login mechanism. An attacker can focus password guessing attempts on known accounts, increasing the likelihood of gaining unauthorized access. This could lead to full compromise of the camera, including video stream access and device control [1].

Mitigation

No official fix has been disclosed in the available references. Users should restrict network access to the camera's web interface, use strong, unique passwords, and monitor for unauthorized login attempts. If possible, apply any vendor-supplied firmware updates when they become available [1].
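The response difference described in the Vulnerability section, and the uniform-response fix that the Mitigation section leaves to the vendor, modelled side by side in Python. This is an added illustration, not code from the advisory, from AvertX, or from the camera firmware; the user store, the salt values, the response format (a plain dict with a `salt` key) and the server-side secret are constructed assumptions. The hardened handler answers unknown usernames with a deterministic HMAC-derived pseudo-salt of the same length as a real one, so the response shape no longer depends on whether the account exists.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> per-user salt (16 hex chars).
# These are made-up values, not data from the advisory.
USERS = {
    "admin": "3f9a1c7e5b2d4806",
    "operator": "a1b2c3d4e5f60718",
}

# Assumed server-side secret used only to fabricate pseudo-salts for unknown
# usernames. On a real device it must be persisted, otherwise the pseudo-salt
# for a given username would change across reboots and become distinguishable.
SERVER_SECRET = secrets.token_bytes(32)


def capabilities_vulnerable(username: str) -> dict:
    """Model of the flawed behaviour described in CVE-2020-11625:
    a known user gets their real salt back, an unknown user gets an empty one,
    so the response itself tells the client whether the account exists."""
    return {"salt": USERS.get(username, "")}


def pseudo_salt(username: str) -> str:
    """Deterministic stand-in salt for unknown users: the same username always
    yields the same value, so repeated requests do not expose the account as
    fake through a salt that keeps changing. Truncated to the real salt length."""
    digest = hmac.new(SERVER_SECRET, username.encode("utf-8"), hashlib.sha256).digest()
    return digest[:8].hex()


def capabilities_hardened(username: str) -> dict:
    """Hardened form: the response has the same shape and salt format whether or
    not the username exists. (A full fix would also keep the password-check
    work constant so timing does not leak the same bit.)"""
    salt = USERS.get(username) or pseudo_salt(username)
    return {"salt": salt}


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Regression check for a handler: does the salt returned for a known
    account differ in shape (here, length) from the one for an unknown
    account? Only the shape is compared, never the salt values themselves."""
    known_salt = handler(known)["salt"]
    unknown_salt = handler(unknown)["salt"]
    return len(known_salt) != len(unknown_salt)


if __name__ == "__main__":
    print("vulnerable handler leaks existence:", leaks_existence(capabilities_vulnerable, "admin", "nobody"))
    print("hardened handler leaks existence:  ", leaks_existence(capabilities_hardened, "admin", "nobody"))
```

The `leaks_existence` check is the kind of test a firmware team can keep in its suite: it fails on the vulnerable handler (empty versus 16-character salt) and passes on the hardened one. Because the pseudo-salt is keyed with a secret and derived from the username, an observer cannot compute it, and a given unknown username always receives the same value.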

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • AvertX / Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 (source: description)
  • AvertX / HD838 (source: llm-fuzzy)
  • AvertX / HD438 (source: llm-fuzzy)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.