Unrated severity · NVD Advisory · Published Jun 7, 2023 · Updated Jan 7, 2025

CVE-2023-30400

Description

An issue was discovered in Anyka Microelectronics AK3918EV300 MCU v18. A command injection vulnerability in the network configuration script within the MCU's operating system allows attackers to perform arbitrary command execution via a crafted wifi SSID or password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection vulnerability in Anyka AK3918EV300 MCU v18 allows arbitrary command execution via crafted wifi SSID or password.

Vulnerability

A command injection vulnerability exists in the network configuration script of the Anyka Microelectronics AK3918EV300 MCU operating system (version 18). An attacker can inject arbitrary commands by providing a specially crafted wifi SSID or password during the configuration process. This affects the firmware running on the MCU, which is used in various hidden camera modules [1][2].
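How a configuration script can accept an SSID and passphrase without ever handing them to the shell as code, shown as an added example that is not Anyka's script and does not come from the advisory's references. It assumes the script's job is to emit a wpa_supplicant-style network block; the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example: constructed, not the vendor's script. All names are hypothetical.

# Hex-encode the raw bytes of $1. wpa_supplicant.conf accepts an unquoted
# hex string for ssid=, so no byte of the SSID can act as config syntax.
to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# An SSID is 1 to 32 bytes of arbitrary data.
valid_ssid() {
    len=$(printf '%s' "$1" | wc -c)
    [ "$len" -ge 1 ] && [ "$len" -le 32 ]
}

# A WPA passphrase is 8 to 63 printable ASCII characters. Counting the bytes
# outside ' '..'~' also rejects newlines, which would start a new config line.
valid_passphrase() {
    bad=$(printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c)
    [ "$bad" -eq 0 ] && [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ]
}

# Print a network block, or return 1 without output if either value is invalid.
# The values travel only as quoted printf arguments: no eval, no sh -c, no
# unquoted expansion, so shell metacharacters in them stay inert data.
render_network_block() {
    ssid=$1
    pass=$2
    valid_ssid "$ssid" || return 1
    valid_passphrase "$pass" || return 1
    printf 'network={\n\tssid=%s\n\tpsk="%s"\n}\n' "$(to_hex "$ssid")" "$pass"
}

# Constructed sample input containing shell metacharacters.
render_network_block 'lab;$(x)' 'correct horse 42'
```

The same rule applies wherever the values go next: pass them as separate, quoted arguments to the program that consumes them, never inside a string that a shell will parse.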

Exploitation

An attacker with network access to the device can trigger the vulnerability by supplying a malicious SSID or password parameter. No authentication is required; the attack can be performed by connecting to the device's network configuration interface or by intercepting and modifying network setup commands. The attacker can then execute arbitrary shell commands on the MCU [2].

Impact

Successful exploitation allows arbitrary command execution on the MCU, leading to complete compromise of the device. The attacker can gain full control over the camera, including access to video streams, file system manipulation, and potential pivot to internal networks. The impact is considered critical due to the ability to execute code with elevated privileges [2].

Mitigation

As of the publication date, no official fix is available from the manufacturer. The vendor acknowledged the issue but has not released a patch or recalled affected units. Users are advised to isolate the device on a separate network segment and monitor for suspicious activity. No workaround has been disclosed [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
