VYPR
Unrated severity · NVD Advisory · Published Jan 10, 2025 · Updated Jan 13, 2025

CVE-2024-54846

Description

An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the EC private key and access sensitive data or execute a man-in-the-middle attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The CP Plus CP-VNR-3104 NVR firmware B3223P22C02424 exposes the EC private key, enabling attackers to decrypt communications and perform man-in-the-middle attacks.

Vulnerability

The CP Plus CP-VNR-3104 network video recorder (NVR) running firmware version B3223P22C02424 contains a flaw that allows an attacker to obtain the device's Elliptic Curve (EC) private key. This key is used for secure communications and authentication. The vulnerability likely stems from improper storage or generation of the cryptographic key material within the firmware [3].

Exploitation

An attacker with network access to the NVR can extract the EC private key without authentication. The exact method is detailed in the security assessment [3], but it involves exploiting a weakness in the key management implementation. No user interaction is required, and the attacker can be on the same network segment.

Impact

Successful extraction of the EC private key allows the attacker to decrypt all encrypted traffic to and from the NVR, access sensitive data such as video streams and credentials, and perform man-in-the-middle attacks to impersonate the device or intercept communications. The attacker gains the ability to compromise the confidentiality and integrity of the NVR's communications.

Mitigation

As of the publication date (2025-01-10), no official patch has been released by CP Plus. The affected firmware version B3223P22C02424 is confirmed vulnerable. Users should monitor vendor advisories for a firmware update. In the interim, network segmentation and strict access controls can reduce exposure. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CP Plus/CP-VNR-3104 (cpe-rescue), 2 versions
    • (no CPE)
    • (no CPE), range: = B3223P22C02424

Patches

0

No patches discovered yet.

References

3
