CVE-2022-28861
Description
The server in Citilog 8.0 allows an attacker (in a man-in-the-middle position between the server and its smart camera Axis M1125) to see FTP credentials in cleartext HTTP traffic. These can be used for FTP access to the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Citilog 8.0 server exposes FTP credentials in cleartext HTTP traffic, enabling a man-in-the-middle attacker to gain FTP access.
Vulnerability
The Citilog 8.0 server communicates with smart cameras (e.g., the Axis M1125) over HTTP, transmitting FTP credentials in cleartext. This exposes the credentials to any attacker positioned between the server and the camera. The vulnerability exists in Citilog 8.0 as documented in the official description [1].
Exploitation
An attacker must be in a man-in-the-middle position between the Citilog 8.0 server and the Axis M1125 camera. By intercepting the HTTP traffic, the attacker can capture the cleartext FTP credentials. No additional authentication or user interaction is required beyond network access to the communication path.
Impact
Successful exploitation allows the attacker to obtain FTP credentials, which can be used to access the Citilog server via FTP. This can lead to unauthorized file access, data exfiltration, or further compromise of the server.
Mitigation
As of the publication date (July 21, 2022), no official patch has been disclosed in the available references [1]. Organizations should monitor vendor communications for updates. In the absence of a fix, network segmentation and encryption (e.g., using VPNs or TLS) between the server and camera should be implemented to protect traffic.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Citilog/Citilog (description)
Patches
No patches discovered yet.