CVE-2020-11681
Description
Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Low-privileged users in Castel NextGen DVR v1.0.0 can view stored SMTP credentials in cleartext and exploit authorization bypass to become admin.
Vulnerability
Castel NextGen DVR version 1.0.0 stores SMTP server credentials (username and password) in cleartext within the application. The credentials are displayed in the user interface. Additionally, the application lacks proper authorization controls, allowing low-privileged users to access administrative functionality via direct URL manipulation or HTTP method abuse [1][2].
Exploitation
An attacker with a low-privileged account (e.g., Reviewer) can browse directly to administrative pages or send POST/PUT requests to the user-management endpoint to create a new administrator account. After logging in with that account, the attacker can read the SMTP credentials, which the SMTP configuration interface displays in cleartext [1]. No authentication bypass or user interaction is required beyond a valid low-privileged session [2].
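The authorization failure described above, reduced to a generic model so the two halves of the bug can be seen side by side: a dispatcher that consults the user's role only when drawing the menu (so a typed URL or a direct POST/PUT skips the check) next to one that enforces the role on the server for every admin route and every method. It also covers the cleartext point from the Vulnerability section: the vulnerable handler echoes the stored SMTP password back to the client, the hardened one treats it as write-only. This is an added example and not Castel's code; the route names, the "reviewer" role, the account names and the SMTP values are assumptions made for the demo.

```python
"""Authorization-bypass and cleartext-secret pattern from CVE-2020-11681 as a
generic Python model. Added example; not Castel code. Routes, roles, account
names and the SMTP values are assumptions made for the demo."""
from dataclasses import dataclass, field

ADMIN_ROUTES = {"/admin/users", "/admin/smtp"}  # assumed paths, not the DVR's real ones


@dataclass
class Session:
    user: str
    role: str  # "admin" or "reviewer" (the low-privileged role named in the advisory)


@dataclass
class AppState:
    users: dict = field(default_factory=lambda: {"admin": "admin"})
    # Constructed SMTP configuration; the password is the secret that must not leak.
    smtp: dict = field(default_factory=lambda: {
        "host": "mail.example.test", "user": "dvr@example.test", "password": "hunter2"})


def _handle(state, method, path, body, reveal_password):
    """Backend logic shared by both dispatchers. It trusts the caller to have
    already decided whether this session may reach an admin route."""
    if path == "/review":
        return 200, {"recordings": []}
    if path == "/admin/users" and method in ("POST", "PUT"):
        state.users[body["name"]] = body["role"]
        return 201, {"created": body["name"], "role": body["role"]}
    if path == "/admin/smtp" and method == "GET":
        view = {"host": state.smtp["host"], "user": state.smtp["user"]}
        if reveal_password:
            view["password"] = state.smtp["password"]          # echoes the stored secret
        else:
            view["password_set"] = bool(state.smtp["password"])  # write-only field
        return 200, view
    return 404, {"error": "no such route"}


def _menu(session):
    return ["/review"] + (sorted(ADMIN_ROUTES) if session.role == "admin" else [])


def vulnerable_dispatch(state, session, method, path, body=None):
    """Role is consulted only to decide which links appear in the menu. Typing an
    admin URL or sending POST/PUT directly never hits that check."""
    if path == "/":
        return 200, {"menu": _menu(session)}
    return _handle(state, method, path, body, reveal_password=True)


def hardened_dispatch(state, session, method, path, body=None):
    """Enforce the role on the server for every admin route and every HTTP
    method, and never return the SMTP password to the client."""
    if path == "/":
        return 200, {"menu": _menu(session)}
    if path in ADMIN_ROUTES and session.role != "admin":
        return 403, {"error": "forbidden"}
    return _handle(state, method, path, body, reveal_password=False)


def run_attack(dispatch):
    """Replay the advisory's chain with a reviewer session: create an admin user,
    log in as that user, read the SMTP configuration.
    Returns (status of the create request, users table, SMTP view seen by attacker)."""
    state = AppState()
    reviewer = Session("eve", "reviewer")
    status, _ = dispatch(state, reviewer, "POST", "/admin/users",
                         {"name": "eve2", "role": "admin"})
    # The attacker now logs in as the account they tried to create (if it exists).
    attacker_role = state.users.get("eve2", "reviewer")
    _, smtp_view = dispatch(state, Session("eve2", attacker_role), "GET", "/admin/smtp")
    return status, dict(state.users), smtp_view


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_dispatch))
    print("hardened:  ", run_attack(hardened_dispatch))
```

The point the model makes is that hiding menu links is not authorization. The check has to run on the server, on the route, for every method, and a secret that the server only needs to use (an SMTP password) should be stored and returned as write-only rather than rendered back into a form.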
Impact
Successful exploitation allows an attacker to escalate privileges to administrator and obtain SMTP credentials in cleartext. This can lead to disclosure of sensitive email server passwords and potential compromise of email communications or further network attacks [1]. The attacker achieves full administrative control over the DVR system [2].
Mitigation
As of June 2020, no fixed version had been released by Castel, and the CVE description and references do not indicate a patch or workaround. Until a vendor update is available, restrict network access to the DVR web interface to trusted administrators, keep the number of low-privileged accounts to the minimum, and monitor the web server logs for account creation and for requests to administrative pages from accounts that should not have them [1][2]. Because the SMTP password is displayed in cleartext, treat it as exposed if any low-privileged user could have reached the configuration page, and rotate it on the mail server.
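The monitoring suggested above, as an added example that is not part of the advisory or of any Castel tooling: a small detector run over web server access log lines that flags (1) any request to the administrative URL space by an account outside an allowlist of known administrators and (2) every successful account-creation write, so new accounts can be reconciled against change records. The Common Log Format with the authenticated user in the third field, the admin paths and the account names are assumptions, and the log lines are constructed for the demo.

```python
"""Detection for the trail CVE-2020-11681 exploitation leaves in access logs:
low-privileged accounts reaching admin URLs, and accounts being created.
Added example, not Castel code; log format, paths and account names are
assumptions, and the sample log lines are constructed."""
import re
from dataclasses import dataclass

ADMIN_ACCOUNTS = {"admin"}            # assumed allowlist of legitimate administrators
ADMIN_PATH_PREFIX = "/admin/"         # assumed admin URL space of the DVR web UI
ACCOUNT_CREATE_PATHS = {"/admin/users"}
WRITE_METHODS = {"POST", "PUT"}

# Common Log Format; the third field is the authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample: reviewer "eve" walks straight to admin URLs, creates "eve2"
# and reads the SMTP page with it; "admin" legitimately adds a user later.
SAMPLE_LOG = """\
10.0.0.5 - eve [03/Jun/2020:10:15:20 +0000] "GET /review HTTP/1.1" 200 5120
10.0.0.5 - eve [03/Jun/2020:10:15:22 +0000] "GET /admin/users HTTP/1.1" 200 2048
10.0.0.5 - eve [03/Jun/2020:10:15:30 +0000] "POST /admin/users HTTP/1.1" 201 87
10.0.0.5 - eve2 [03/Jun/2020:10:16:01 +0000] "GET /admin/smtp HTTP/1.1" 200 640
10.0.0.9 - admin [03/Jun/2020:11:00:00 +0000] "POST /admin/users HTTP/1.1" 201 90
10.0.0.12 - bob [03/Jun/2020:11:05:00 +0000] "GET /review HTTP/1.1" 200 5120
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ip: str
    method: str
    path: str
    status: str


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, admin_accounts=frozenset(ADMIN_ACCOUNTS)):
    """Rule 1 fires on any request into the admin URL space by a user outside
    the allowlist, whatever the status: on a vulnerable build these succeed,
    on a fixed build the 403s still show probing. Rule 2 fires on every
    successful account-creation write, admin or not."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        fields = (ev["user"], ev["ip"], ev["method"], ev["path"], ev["status"])
        if ev["path"].startswith(ADMIN_PATH_PREFIX) and ev["user"] not in admin_accounts:
            alerts.append(Alert("admin-route-by-nonadmin", *fields))
        if (ev["path"] in ACCOUNT_CREATE_PATHS and ev["method"] in WRITE_METHODS
                and ev["status"].startswith("2")):
            alerts.append(Alert("account-created", *fields))
    return alerts


def suspicious_principals(alerts):
    """Accounts that touched admin routes without being on the allowlist."""
    return sorted({a.user for a in alerts if a.rule == "admin-route-by-nonadmin"})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print("review these accounts:", suspicious_principals(found))
```

Rule 1 keys on the URL, not on what the UI would have shown, which is exactly why it catches the direct-URL and direct-POST path the advisory describes. The allowlist has to be maintained from the DVR's real user table; an attacker-created administrator is not on it, so the follow-on reads by that account are still flagged.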
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Castel/NextGen DVR
- Range: = 1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html (mitre, x_refsource_MISC)
- [2] seclists.org/fulldisclosure/2020/Jun/8 (mitre, mailing-list, x_refsource_FULLDISC)
- [3] www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.