CVE-2021-40382
Description
An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. mjpegStreamer.cgi allows video screenshot access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Compro IP70, IP570, IP60, and TN540 cameras expose video screenshots without authentication via mjpegStreamer.cgi.
Vulnerability
The mjpegStreamer.cgi endpoint on Compro IP70 (firmware 2.08_7130218), IP570 (firmware 2.08_7130520), IP60, and TN540 devices does not enforce any access control. An unauthenticated remote attacker can request a video screenshot by directly accessing the CGI script without any authentication or session token. The affected firmware versions are explicitly named in the advisory [1].
Exploitation
An attacker needs no prior authentication, no network position beyond reachability of the camera, and no user interaction. By sending a simple HTTP GET request to mjpegStreamer.cgi on the target device, the attacker causes the camera to return a screenshot of the current video feed. The advisory from Packet Storm confirms this requires no credentials or special configuration [1].
Impact
Successful exploitation results in unauthorized disclosure of live video frames from the camera. This is a confidentiality breach, leaking whatever the camera is currently observing. The attacker gains no persistent access or ability to modify settings, but can repeatedly obtain screenshots over time, compromising the surveillance purpose of the device [1].
Mitigation
No firmware patch has been released by Compro for these models at the time of publication. As a workaround, network administrators should restrict access to the camera's web interface using firewall rules or VLAN segmentation to only trusted IPs. The devices are not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (5)
- Compro/IP70 device
Patches
No patches discovered yet.
References (2)