CVE-2025-25985

An attacker with physical access to the device can read the Winbond flash chip using a programmer and clip while the camera is disabled, or an attacker who has already gained root shell access (e.g., via CVE-2025-25984) can run cat commands to read the credential files directly [ref_id=1]. The credentials are stored in plaintext in /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/user_info.ini [ref_id=1]. No authentication or network access is required when using the physical programmer approach; the attacker only needs to disassemble the camera and attach a clip to the flash chip [ref_id=1].

The vulnerability exists in the files /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/user_info.ini on the flash memory of the V380E6_C1 IP camera (hardware id: Hw_HsAKPIQp_WF_XHR) [ref_id=1]. These files store Wi-Fi credentials and camera user credentials respectively in plaintext [ref_id=1].

No patch is published in the bundle. The advisory recommends that the vendor use encryption or hashing for credential storage rather than storing plaintext passwords in the filesystem [ref_id=1]. The fix would involve modifying the firmware to encrypt or hash Wi-Fi and user credentials before writing them to /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/user_info.ini, and decrypting them only when needed at runtime [ref_id=1].

**Using root shell:** 1. Gain root shell access (e.g., through CVE-2025-25984). 2. Run `cat /mnt/mtd/mvconf/wifi.ini /mnt/mtd/mvconf/user_info.ini`. 3. Verify credentials being displayed [ref_id=1].

**Using programmer:** 1. Turn off the device and disconnect the USB power cable. 2. Disassemble the device. 3. Use a programmer with a clip to read the contents of the flash chip. 4. Extract the files from the dump (e.g., using binwalk). 5. Verify credentials being present in the files [ref_id=1].