CVE-2020-24052

Vulnerability

Moog EXO Series EXVF5C-2 and EXVP7C2-3 units contain XML External Entity (XXE) vulnerabilities in their ONVIF web service. A remote unauthenticated attacker can send crafted XML requests containing a malicious Document Type Definition (DTD) to exploit this issue. The web application processes XML without disabling external entity resolution, leading to file disclosure [1].

Exploitation

An attacker with network access to the camera's ONVIF web interface can craft an XML payload that references external entities pointing to local files (e.g., /etc/passwd). The server then includes the contents of those files in the response. No authentication or prior access is required [1].

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files from the device's filesystem. This can lead to disclosure of system configuration, credentials, or other sensitive data, potentially enabling further compromise of the device or network [1].

Mitigation

Moog has not released a patch for these vulnerabilities as of the publication date. The advisory recommends restricting network access to the ONVIF service and applying host-level firewall rules to limit exposure. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].