VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 10, 2025· Updated Jan 13, 2025

CVE-2024-54848

CVE-2024-54848

Description

Improper handling and storage of certificates in CP Plus CP-VNR-3104 B3223P22C02424 allow attackers to decrypt communications or execute a man-in-the-middle attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CP Plus CP-VNR-3104 NVR contains improper certificate storage, allowing attackers to decrypt communications or perform man-in-the-middle attacks.

Vulnerability

The CP Plus CP-VNR-3104 (model B3223P22C02424) network video recorder suffers from improper handling and storage of certificates [1][3]. This flaw arises because the device does not securely store its cryptographic certificates, potentially exposing private keys or allowing unauthorized access to certificate material. The affected firmware version is explicitly identified as B3223P22C02424. An attacker with network access to the device can exploit this weakness to undermine the confidentiality of encrypted communications.

Exploitation

To exploit this vulnerability, an attacker must have network access to the CP-VNR-3104 device, either on the same local network or through remote connectivity if exposed. No prior authentication is required to access the improperly stored certificates. The attacker can first extract the certificate material from the device's storage (e.g., via firmware analysis or direct file system access) [1]. Using the compromised certificates, the attacker can then decrypt captured network traffic or insert themselves into the communication path to perform a man-in-the-middle attack, intercepting and potentially modifying data in transit.

Impact

Successful exploitation allows an attacker to decrypt communications that should be protected by TLS or other encryption, leading to information disclosure of sensitive video feeds, credentials, or configuration data. Additionally, by mounting a man-in-the-middle attack, the attacker can impersonate trusted endpoints, further compromising the integrity and confidentiality of all data exchanged with the device. The attacker effectively bypasses the security guarantees of the encryption, achieving a high-impact breach of confidentiality and integrity with minimal access requirements.

Mitigation

As of publication date 2025-01-10, CP Plus has not released a patched firmware version for the CP-VNR-3104 (B3223P22C02424) that addresses this certificate storage issue [3]. No official workaround has been documented in the available references. Users are advised to restrict network access to the device, isolate it from untrusted networks, and monitor for future firmware updates from the vendor. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

References
  1. A case of analysing encrypted firmware
  2. CP-VNR-3104-NVR-Vulnerabilties/CPPlus_CP-VNR-3104_Security_Assessment.pdf at main · Yashodhanvivek/CP-VNR-3104-NVR-Vulnerabilties

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CP Plus/CP-VNR-3104cpe-rescue2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: = B3223P22C02424

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.