CVE-2020-23826
Description
Command injection in Yale WIPC-303W cameras (firmware 2.21–2.31) allows authenticated remote code execution via the HTTP API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Yale WIPC-303W IP camera, running firmware versions 2.21 through 2.31, contains a command injection vulnerability in its HTTP API. The web management interface fails to properly validate user input in a specific API endpoint, allowing an authenticated attacker to inject arbitrary operating system commands [1].
Exploitation
An attacker must first successfully authenticate to the camera's web-based management interface. With valid credentials, the attacker can send a specially crafted HTTP request to the vulnerable API endpoint, injecting shell metacharacters to execute arbitrary commands on the underlying operating system. No additional user interaction or network position beyond LAN/WAN access to the camera's web server is required [1].
Impact
Successful exploitation results in remote command execution (RCE) at the privilege level of the web server process, enabling the attacker to fully compromise the camera. This could allow information disclosure (e.g., video feed access), configuration changes, or use of the device as a foothold in the local network [1].
Mitigation
As of the reference publication date, no firmware update or official advisory from Yale is available. Users should restrict network access to the camera's web interface, use strong passwords, and monitor vendor support pages for a patch. The camera may be end-of-life; consider replacement if no update is issued [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Yale/WIPC-303W camera
Patches
No patches discovered yet.
References
- firedome.io/blog/firedome-discloses-0-day-vulnerabilities-in-yale-ip-cameras/ (mitre, x_refsource_MISC)
- lp.firedome.io/hubfs/Yale%20WIPC-301W%20RCE%20Vulnerability%20Report%205-6.pdf (mitre, x_refsource_MISC)
- whiterosezex.blogspot.com/2021/01/cve-2020-23826-rce-vulnerability-in.html (mitre, x_refsource_MISC)