H.VIEW HV-500S6 IP Camera

Summary

Multiple vulnerabilities in H.VIEW HV-500S6 IP Camera (version IPCAM_V4.06.88.251229) could allow an authenticated attacker to execute arbitrary code and upload malicious files. These flaws include OS Command Injection and Unrestricted File Upload, with a CVSS v3 score of 7.2. CISA advises users to contact H.View, as the vendor has not responded to coordination requests.

IFF Assessment

FOE

The article details vulnerabilities that enable remote code execution and malicious file uploads on IP cameras, posing a significant risk to affected systems.

Severity

7.2 High

The CVSS v3 score of 7.2 reflects the OS Command Injection (CWE-78) and Unrestricted File Upload vulnerabilities, which enable an authenticated attacker to execute arbitrary code and upload malicious files with elevated privileges during certificate generation.

Defender Context

Defenders operating H.VIEW HV-500S6 IP Cameras, particularly version IPCAM_V4.06.88.251229, should immediately investigate and apply any available mitigations or vendor patches. Given the vendor's unresponsiveness, isolating these devices on a secure network segment or considering replacement might be necessary to prevent remote code execution and unauthorized file uploads. This incident highlights the critical need for robust IoT device security and vendor accountability in vulnerability disclosure and patching processes.
