CVE-2024-13894
Description
Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to path traversal. When an affected device is connected to a mobile app, it opens port 10000, which enables a user to download pictures shot at specific moments by providing paths to the files. However, the directories to which a user has access are not limited, allowing for path traversal attacks and downloading sensitive information. The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Smartwares cameras CIP-37210AT and C724IP (firmware ≤3.3.0) contain a path traversal vulnerability allowing unauthorized file access via port 10000.
Vulnerability
Smartwares cameras CIP-37210AT and C724IP, as well as other models sharing the same firmware up to version 3.3.0, are vulnerable to path traversal [CVE description]. When the camera is connected to a mobile app, it opens port 10000, allowing users to download pictures by specifying file paths. However, the application does not properly restrict directory access, enabling an attacker to traverse directories and retrieve arbitrary files [1].
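The control missing here is a check that each requested path, once resolved, still lies inside the picture directory. The following Python is an added example, not code from the vendor, the firmware or the CVE record; the function names, directory layout and sample requests are constructed for illustration.

```python
import os
import tempfile

class PathRejected(Exception):
    """The requested path does not resolve to a file in the picture directory."""

def resolve_picture_path(picture_root, requested):
    """Return the canonical path of `requested`, or raise PathRejected."""
    root = os.path.realpath(picture_root)
    # Strip leading "/" so an absolute request cannot replace the root in
    # the join; realpath then collapses ".." and follows symlinks.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # commonpath compares whole components, so a sibling such as
    # "pics_backup" does not pass the way a string-prefix test would allow.
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected(requested)
    if not os.path.isfile(candidate):
        raise PathRejected(requested)
    return candidate

SAMPLE_REQUESTS = [  # constructed inputs, not captured traffic
    "2024/shot1.jpg",
    "../etc/secret.conf",
    "2024/../../etc/secret.conf",
    "../pics_backup/old.jpg",
    "link/secret.conf",
    "/etc/passwd",
]

def demo():
    """Build a constructed directory tree and classify SAMPLE_REQUESTS."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pics = os.path.join(tmp, "pics")
        for d in ("pics/2024", "pics_backup", "etc"):
            os.makedirs(os.path.join(tmp, d))
        for f in ("pics/2024/shot1.jpg", "pics_backup/old.jpg", "etc/secret.conf"):
            with open(os.path.join(tmp, f), "w") as fh:
                fh.write("constructed sample\n")
        # Symlink inside the picture directory pointing outside it.
        os.symlink(os.path.join(tmp, "etc"), os.path.join(pics, "link"))
        for req in SAMPLE_REQUESTS:
            try:
                resolve_picture_path(pics, req)
                results[req] = "served"
            except PathRejected:
                results[req] = "rejected"
    return results
```

A service using such a check should open the file through the resolved path the function returns, not through the original request string.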
Exploitation
An attacker with network access to the camera's port 10000 can exploit this vulnerability without authentication [CVE description]. The attack requires the camera to be connected to the mobile app, but no special privileges are needed beyond network proximity. This opens the door to accessing sensitive information stored on the device [2].
Impact
Successful exploitation allows an attacker to download any file from the camera's filesystem, including sensitive images, configuration files, or other data. The vulnerability is part of a series of issues reported by CERT Polska, including command injection and use of default credentials [1].
Mitigation
The vendor has not responded to reports, leaving the patching status unknown [1]. Newer firmware versions may also be vulnerable. Users should consider network segmentation, blocking port 10000 with firewalls, or discontinuing use until a fix becomes available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References