# CVE-2025-67159: Vatilon-based IP Cameras Authentication Bypass / Credential Exposure
## Summary
Vatilon-based IP camera firmware contains an **authentication bypass and plaintext credential
exposure vulnerability** in the `/cgi-bin/web.cgi` API. The web interface processes requests
containing `username` and `password` parameters in plaintext without validating authentication
state or session context, allowing unauthenticated attackers to retrieve sensitive device
information and administrative data.
**Vulnerability type:** Incorrect Access Control / Improper Authentication
**Impact:** Remote Information Disclosure, Privilege Escalation
**CVSS v3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
---
## Affected Devices (Observed)
| Vendor | Product / Notes | Firmware Version |
|--------|------------------|------------------|
| Vatilon | IP cameras (observed brand: JIENUO / devtype=PA4) | V1.12.37-20240124 (uboot-2016-20, kernel linux-4.9-12) |
*Other devices using the same Vatilon firmware may also be affected.*
---
## Proof-of-Concept Disclosure Notice
Reproduction details, packet captures, and raw request/response data are withheld from public
disclosure due to the high risk of abuse. Authorized parties (vendors, CERTs, CNAs) may request
additional technical details after verification.
---
## Additional Observations
- The `/cgi-bin/web.cgi` endpoint accepts `username` and `password` parameters via HTTP GET
requests without enforcing authentication or session validation.
- Credentials are transmitted in **plaintext** and are visible in network traffic and browser
developer tools.
- Direct access to `/view/player.html` can trigger unauthenticated API requests to
`/cgi-bin/web.cgi`, even without a valid login session.
- The web application appears to rely on client-side state rather than server-side authentication
enforcement.
---
## Impact
- Plaintext administrator credentials can be exposed to unauthenticated attackers.
- Attackers can retrieve device configuration and sensitive information remotely.
- The vulnerability enables unauthorized access and may lead to full device compromise.
- The issue can be exploited remotely without user interaction.
---
## Mitigation / Recommendations
1. Enforce server-side authentication and session validation for all `/cgi-bin/web.cgi` requests.
2. Stop accepting plaintext credentials in URL parameters; use secure authentication mechanisms.
3. Ensure that all web interface components require a valid authenticated session.
4. Remove sensitive information from API responses.
5. Apply firmware updates provided by the vendor when available.
6. Restrict access to the device web interface using network-level controls.
---
## References
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-67159)
- [CVE.org Entry](https://www.cve.org/CVERecord?id=CVE-2025-67159)
---