VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2023 · Updated Sep 19, 2024

ByDemes Group Airspace CCTV Web Service Improper Access Control

CVE-2023-0506

Description

The web service of ByDemes Group Airspace CCTV Web Service, in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Privilege escalation in ByDemes Group Airspace CCTV Web Service 2.616.BY00.11 allows a low-privileged attacker to gain admin access via the Camera Control Panel.

Vulnerability

The web service of the ByDemes Group Airspace CCTV Web Service, in version 2.616.BY00.11, contains an improper access control vulnerability (CWE-284). The flaw resides in the Camera Control Panel, where the authorization schema does not properly enforce privilege checks, allowing lower-privileged users to access administrator-level functions. [2]
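An added example, not ByDemes code and not taken from the advisory: a minimal model of the flaw class described above, comparing a check that only confirms login with a deny-by-default role check, plus an audit that runs every role against every action. The role names, action names and functions are assumptions, since the advisory does not describe the product's internals.

```python
from dataclasses import dataclass

# Hypothetical roles and panel actions; the advisory does not list the real ones.
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}
REQUIRED_ROLE = {
    "view_live_feed": "viewer",
    "move_camera": "operator",
    "change_config": "admin",
    "manage_users": "admin",
}

@dataclass(frozen=True)
class Session:
    user: str
    role: str
    authenticated: bool = True

def flawed_check(session, action):
    """Models the flaw class: any logged-in user passes, the role is never consulted."""
    return session.authenticated

def enforced_check(session, action):
    """Deny by default: unknown actions, unknown roles and insufficient rank all fail."""
    required = REQUIRED_ROLE.get(action)
    if not session.authenticated or required is None:
        return False
    rank = ROLE_RANK.get(session.role)
    return rank is not None and rank >= ROLE_RANK[required]

def audit(check):
    """Run every role against every action and return the (role, action) pairs
    the check allows although the role ranks below the required one."""
    violations = []
    for role, rank in ROLE_RANK.items():
        session = Session(user=f"test-{role}", role=role)
        for action, required in REQUIRED_ROLE.items():
            if check(session, action) and rank < ROLE_RANK[required]:
                violations.append((role, action))
    return violations

if __name__ == "__main__":
    print("flawed check violations:  ", audit(flawed_check))
    print("enforced check violations:", audit(enforced_check))
```

Run as a regression test, the audit returns an empty list only when every administrative action is refused to every lower role.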

Exploitation

An attacker needs only a low-privileged (standard user) account on the web service. No special network position or user interaction is required. By manipulating HTTP requests to the Camera Control Panel endpoints (the general technique covered by testing for bypassing authorization schema [1]), the attacker can access and invoke administrative functions. The vulnerability does not require a race condition or an additional authentication bypass; standard HTTP request manipulation is sufficient. [2]

Impact

Successful exploitation leads to complete privilege escalation, granting the attacker administrator-level access to the Camera Control Panel. This results in full compromise of the CCTV management interface, with potential for unauthorized access to video feeds, configuration changes, and further system control. The CVSS v3.1 base score of 8.8 reflects high impact on confidentiality, integrity, and availability. [2]

Mitigation

The ByDemes Group security team has released a fix; affected users should upgrade to the latest available version. However, the affected devices are at end of life and no longer supported, so upgrading to a newer model is strongly recommended. No workaround is documented. [2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
