Javier Aguinaga

Researcher from Faraday Security Research team
#16048 of 53,633
16.8 Total CVSS
Vulnerabilities · 2
High
2
PT-2023-24918
8.0
2023-08-01
Ezviz · Ezviz Cs-C6N-R101-1G2Wf · CVE-2023-34551
**Name of the Vulnerable Software and Affected Versions**

- EZVIZ CS-C6N-B0-1G2WF versions prior to V5.3.0 build 230215
- EZVIZ CS-C6N-R101-1G2WF versions prior to V5.3.0 build 230215
- EZVIZ CS-CV310-A0-1B2WFR versions prior to V5.3.0 build 230221
- EZVIZ CS-CV310-A0-1C2WFR-C versions prior to V5.3.2 build 230221
- EZVIZ CS-C6N-A0-1C2WFR-MUL versions prior to V5.3.2 build 230218
- EZVIZ CS-CV310-A0-3C2WFRL-1080p versions prior to V5.2.7 build 230302
- EZVIZ CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p versions prior to V5.3.2 build 230214
- EZVIZ CS-CV248-A0-32WMFR versions prior to V5.2.3 build 230217
- EZVIZ LC1C versions prior to V5.3.4 build 230214

**Description**

The issue affects certain EZVIZ products due to two stack buffer overflows in the `netClientSetWlanCfg` function of the EZVIZ SDK command server. This allows an authenticated attacker on the same local network as the camera to achieve remote code execution, enabling the execution of arbitrary code.

**Recommendations**

- For EZVIZ CS-C6N-B0-1G2WF versions prior to V5.3.0 build 230215, update to V5.3.0 build 230215 or later.
- For EZVIZ CS-C6N-R101-1G2WF versions prior to V5.3.0 build 230215, update to V5.3.0 build 230215 or later.
- For EZVIZ CS-CV310-A0-1B2WFR versions prior to V5.3.0 build 230221, update to V5.3.0 build 230221 or later.
- For EZVIZ CS-CV310-A0-1C2WFR-C versions prior to V5.3.2 build 230221, update to V5.3.2 build 230221 or later.
- For EZVIZ CS-C6N-A0-1C2WFR-MUL versions prior to V5.3.2 build 230218, update to V5.3.2 build 230218 or later.
- For EZVIZ CS-CV310-A0-3C2WFRL-1080p versions prior to V5.2.7 build 230302, update to V5.2.7 build 230302 or later.
- For EZVIZ CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p versions prior to V5.3.2 build 230214, update to V5.3.2 build 230214 or later.
- For EZVIZ CS-CV248-A0-32WMFR versions prior to V5.2.3 build 230217, update to V5.2.3 build 230217 or later.
- For EZVIZ LC1C versions prior to V5.3.4 build 230214, update to V5.3.4 build 230214 or later.
PT-2023-24919
8.8
2023-08-01
Ezviz · Ezviz Cs-Cv248-A0-32Wmfr · CVE-2023-34552
**Name of the Vulnerable Software and Affected Versions**

- EZVIZ CS-C6N-B0-1G2WF versions prior to V5.3.0 build 230215
- EZVIZ CS-C6N-R101-1G2WF versions prior to V5.3.0 build 230215
- EZVIZ CS-CV310-A0-1B2WFR versions prior to V5.3.0 build 230221
- EZVIZ CS-CV310-A0-1C2WFR-C versions prior to V5.3.2 build 230221
- EZVIZ CS-C6N-A0-1C2WFR-MUL versions prior to V5.3.2 build 230218
- EZVIZ CS-CV310-A0-3C2WFRL-1080p versions prior to V5.2.7 build 230302
- EZVIZ CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p versions prior to V5.3.2 build 230214
- EZVIZ CS-CV248-A0-32WMFR versions prior to V5.2.3 build 230217
- EZVIZ LC1C versions prior to V5.3.4 build 230214

**Description**

The issue is related to two stack-based buffer overflows in the `mulicast parse sadp packet` and `mulicast get pack type` functions of the SADP multicast protocol. This can allow an unauthenticated attacker present on the same local network as the camera to achieve remote code execution.

**Recommendations**

- For EZVIZ CS-C6N-B0-1G2WF, update to V5.3.0 build 230215 or later.
- For EZVIZ CS-C6N-R101-1G2WF, update to V5.3.0 build 230215 or later.
- For EZVIZ CS-CV310-A0-1B2WFR, update to V5.3.0 build 230221 or later.
- For EZVIZ CS-CV310-A0-1C2WFR-C, update to V5.3.2 build 230221 or later.
- For EZVIZ CS-C6N-A0-1C2WFR-MUL, update to V5.3.2 build 230218 or later.
- For EZVIZ CS-CV310-A0-3C2WFRL-1080p, update to V5.2.7 build 230302 or later.
- For EZVIZ CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p, update to V5.3.2 build 230214 or later.
- For EZVIZ CS-CV248-A0-32WMFR, update to V5.2.3 build 230217 or later.
- For EZVIZ LC1C, update to V5.3.4 build 230214 or later.