VYPR
advisoryPublished Jul 8, 2026· 2 sources

Zero-Day Vulnerability in Lorex Cameras Allows Network-Adjacent Code Execution

A critical improper certificate validation vulnerability (ZDI-26-399) in Lorex 2K Indoor Wi-Fi Security Cameras allows network-adjacent attackers to execute arbitrary code on affected devices.

The Zero Day Initiative (ZDI) has disclosed a critical vulnerability, tracked as ZDI-26-399, affecting Lorex 2K Indoor Wi-Fi Security Cameras. This flaw, identified as an Improper Certificate Validation issue, carries a CVSS score of 7.5 and poses a significant risk to users of these devices.

The vulnerability resides within the device management functionality of the cameras. Attackers can exploit this weakness by leveraging the lack of proper validation of the certificate presented by the server. This allows a network-adjacent attacker to potentially execute arbitrary code on the affected camera system, ultimately gaining root-level privileges.

Crucially, user interaction is not required for this exploit to succeed, making it a particularly dangerous threat. The ease of exploitation, combined with the potential for deep system compromise, elevates the severity of this finding. Attackers could use this vulnerability as an entry point for more sophisticated attacks, such as deploying surveillance malware or using the compromised camera as a pivot point into a local network.

The disclosure timeline indicates a lengthy process between the initial report and public release. ZDI first submitted the vulnerability report to the vendor on May 6, 2025. Following up requests for status updates and confirmation of a fix in the latest version, the vendor communicated in June 2026 that a fix was in progress. ZDI then notified the vendor of their intention to publish the advisory as a 0-day on June 26, 2026, leading to the coordinated public release on July 8, 2026.

Given the nature of the vulnerability, which involves network-adjacent exploitation and potential code execution, the primary mitigation strategy recommended by ZDI is to restrict interaction with the product. This implies isolating the affected cameras from untrusted networks and limiting any direct or indirect communication channels that could be leveraged by an attacker.

This vulnerability was discovered by PHP Hooligans and reported by Midnight Blue. The detailed advisory provides technical insights into the flaw, underscoring the ongoing challenges in securing Internet of Things (IoT) devices, particularly those in the consumer surveillance market.

Users of Lorex 2K Indoor Wi-Fi Security Cameras are strongly advised to monitor for any official security updates from Lorex. Until a patch is available and applied, network segmentation and strict access controls are essential to minimize the risk of exploitation. The lack of user interaction required for exploitation highlights the need for proactive security measures and prompt patching by manufacturers.

This advisory (ZDI-26-398) details a format string vulnerability within the 'sonia' binary of Lorex 2K Indoor Wi-Fi Security Cameras, allowing network-adjacent attackers to achieve root-level code execution without authentication. The vulnerability stems from insufficient validation of user-supplied strings used as format specifiers. This flaw was demonstrated at the Pwn2Own competition by researchers PHP Hooligans and Midnight Blue.

Synthesized by Vypr AI