CVE-2023-48121

Vulnerability

An authentication bypass vulnerability exists in the Direct Connection Module of Ezviz CS-C6N-xxx, CS-CV310-xxx, CS-C6CN-xxx, and CS-C3N-xxx cameras prior to firmware version v5.3.x build 20230401. The module listens on TCP port 9010 and processes commands intended for direct control from the mobile app. While normal communication uses AES encryption with a pre-shared key, the service does not enforce encryption and accepts cleartext requests, allowing attackers to bypass authentication [1].

Exploitation

An attacker with network access to the affected camera can send crafted cleartext messages to TCP port 9010. No credentials or prior authentication are required. The attacker can then request device information or capture live images, as demonstrated by proof-of-concept exploits for device info provisioning and live image capture [1].

Impact

Successful exploitation allows an unauthorized attacker to obtain sensitive information from the camera, including device details and live video feed. This leads to information disclosure and potential privacy violations. No evidence of remote code execution or privilege escalation has been reported [1].

Mitigation

The vulnerability is fixed in firmware version v5.3.x build 20230401. Users should update their affected Ezviz cameras to this version or later. If immediate patching is not possible, restricting network access to the camera's TCP port 9010 can mitigate exposure [1].