Netsecfish

**Name of the Vulnerable Software and Affected Versions** Provision-ISR SH-4050A-2 Provision-ISR SH-4100A-2L(MM) Provision-ISR SH-8100A-2L(MM) Provision-ISR SH-16200A-2(1U) Provision-ISR SH-16200A-5(1U) Provision-ISR NVR5-8200PX up to 20241220 **Description** A vulnerability was found in Provision-ISR devices, affecting an unknown functionality of the file /server.js. This leads to information disclosure and can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Provision-ISR SH-4050A-2, consider disabling the affected functionality of the file /server.js until a patch is available. For Provision-ISR SH-4100A-2L(MM), restrict access to the /server.js file to minimize the risk of exploitation. For Provision-ISR SH-8100A-2L(MM), avoid using the affected functionality of the /server.js file until the issue is resolved. For Provision-ISR SH-16200A-2(1U), consider temporarily disabling the remote access feature to prevent exploitation. For Provision-ISR SH-16200A-5(1U), restrict access to the /server.js file to minimize the risk of exploitation. For Provision-ISR NVR5-8200PX up to 20241220, consider disabling the affected functionality of the file /server.js until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dahua IPC-HFW1200S versions up to 20241222 Dahua IPC-HFW2300R-Z versions up to 20241222 Dahua IPC-HFW5220E-Z versions up to 20241222 Dahua IPC-HDW1200S versions up to 20241222 **Description** A vulnerability was found in the Web Interface component of the affected devices, specifically in some unknown functionality of the file ../mtd/Config/Sha1Account1. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Dahua IPC-HFW1200S versions up to 20241222, restrict access to the Web Interface to minimize the risk of exploitation. For Dahua IPC-HFW2300R-Z versions up to 20241222, consider disabling the `../mtd/Config/Sha1Account1` file functionality until a patch is available. For Dahua IPC-HFW5220E-Z versions up to 20241222, avoid using the vulnerable path traversal: '../filedir' in the Web Interface until the issue is resolved. For Dahua IPC-HDW1200S versions up to 20241222, as a temporary workaround, consider disabling the Web Interface until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DrayTek Vigor2960 and Vigor300B version 1.5.1.4 **Description** A critical vulnerability exists in the Web Management Interface of DrayTek Vigor2960 and Vigor300B. The issue is related to the manipulation of the `session` argument in the `/cgi-bin/mainfunction.cgi/apmcfgupload` endpoint, which leads to os command injection. This allows a remote attacker to execute arbitrary code. It is estimated that around 66,000 devices are potentially affected. The exploit has been disclosed to the public and may be used. **Recommendations** For DrayTek Vigor2960 and Vigor300B version 1.5.1.4, upgrade to version 1.5.1.5 to address this issue. As a temporary workaround, consider restricting access to the `/cgi-bin/mainfunction.cgi/apmcfgupload` endpoint to minimize the risk of exploitation. Avoid using the `session` argument in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Amcrest IP2M-841B versions up to 20241211 Amcrest IP2M-841W versions up to 20241211 Amcrest IPC-IP2M-841B versions up to 20241211 Amcrest IPC-IP3M-943B versions up to 20241211 Amcrest IPC-IP3M-943S versions up to 20241211 Amcrest IPC-IP3M-HX2B versions up to 20241211 Amcrest IPC-IPM-721S versions up to 20241211 **Description** A problematic vulnerability has been found, affecting an unknown part of the file /web caps/webCapsConfig of the component Web Interface. This leads to information disclosure and can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Amcrest IP2M-841B version up to 20241211, update to a version later than 20241211. For Amcrest IP2M-841W version up to 20241211, update to a version later than 20241211. For Amcrest IPC-IP2M-841B version up to 20241211, update to a version later than 20241211. For Amcrest IPC-IP3M-943B version up to 20241211, update to a version later than 20241211. For Amcrest IPC-IP3M-943S version up to 20241211, update to a version later than 20241211. For Amcrest IPC-IP3M-HX2B version up to 20241211, update to a version later than 20241211. For Amcrest IPC-IPM-721S version up to 20241211, update to a version later than 20241211.

**Name of the Vulnerable Software and Affected Versions** DrayTek Vigor2960 and Vigor300B versions 1.5.1.3 through 1.5.1.4 **Description** A critical issue has been found in the Web Management Interface component, affecting some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim. The manipulation of the `session` argument leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For DrayTek Vigor2960 and Vigor300B versions 1.5.1.3 through 1.5.1.4, upgrade to version 1.5.1.5 to address this issue. As a temporary workaround, consider restricting access to the vulnerable Web Management Interface component until the update is applied. Avoid using the `session` argument in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Intelbras VIP S3020 G2 versions up to 20241222 Intelbras VIP S4020 G2 versions up to 20241222 Intelbras VIP S4020 G3 versions up to 20241222 Intelbras VIP S4320 G2 versions up to 20241222 **Description** A vulnerability was found in the Web Interface component of Intelbras IP cameras, specifically affecting some unknown functionality of the file `/web caps/webCapsConfig`. The manipulation of this functionality leads to information disclosure. The attack can be launched remotely. The vendor assesses that the disclosed information is not sensitive and poses no risk to the user. **Recommendations** For Intelbras VIP S3020 G2 versions up to 20241222, restrict access to the `/web caps/webCapsConfig` file to minimize the risk of exploitation. For Intelbras VIP S4020 G2 versions up to 20241222, consider disabling the Web Interface component until a patch is available. For Intelbras VIP S4020 G3 versions up to 20241222, avoid using the Web Interface component until the issue is resolved. For Intelbras VIP S4320 G2 versions up to 20241222, limit remote access to the Web Interface component to prevent potential attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intelbras VIP S3020 G2 versions up to 20241222 Intelbras VIP S4020 G2 versions up to 20241222 Intelbras VIP S4020 G3 versions up to 20241222 Intelbras VIP S4320 G2 versions up to 20241222 **Description** A critical vulnerability was found in the Web Interface component of Intelbras VIP cameras, affecting an unknown part of the file ../mtd/Config/Sha1Account1. The manipulation leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Intelbras VIP S3020 G2 versions up to 20241222, consider disabling remote access to the Web Interface until a patch is available. For Intelbras VIP S4020 G2 versions up to 20241222, restrict access to the ../mtd/Config/Sha1Account1 file to minimize the risk of exploitation. For Intelbras VIP S4020 G3 versions up to 20241222, avoid using the Web Interface until the issue is resolved. For Intelbras VIP S4320 G2 versions up to 20241222, consider temporarily disabling the Web Interface component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L versions up to 20241028 **Description** A critical issue exists in the `cgi user add` function of the file `/cgi-bin/account mgr.cgi?cmd=cgi user add` within the affected D-Link devices. Manipulation of the argument group allows for operating system command injection. This allows a remote attacker to execute arbitrary commands on the system. The complexity of a successful attack is considered high, and while exploitation is difficult, a public exploit is available. **Recommendations** Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L to a version later than 20241028.

**Name of the Vulnerable Software and Affected Versions** D-Link DNS-320 versions up to 20241028 D-Link DNS-320LW versions up to 20241028 D-Link DNS-325 versions up to 20241028 D-Link DNS-340L versions up to 20241028 **Description** The issue is related to insufficient protection of service data in the /xml/info.xml file of the HTTP GET Request Handler component in D-Link DNS devices. This can be exploited by a remote attacker to disclose confidential information. The manipulation leads to information disclosure and can be initiated remotely. **Recommendations** For D-Link DNS-320 versions up to 20241028, consider restricting access to the /xml/info.xml file until a patch is available. For D-Link DNS-320LW versions up to 20241028, consider restricting access to the /xml/info.xml file until a patch is available. For D-Link DNS-325 versions up to 20241028, consider restricting access to the /xml/info.xml file until a patch is available. For D-Link DNS-340L versions up to 20241028, consider restricting access to the /xml/info.xml file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DNS-320 versions prior to 20241028 D-Link DNS-320LW versions prior to 20241028 D-Link DNS-325 versions prior to 20241028 D-Link DNS-340L versions prior to 20241028 **Description** A critical vulnerability exists in D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L devices. The issue is a command injection flaw located in the `cgi user add` function of the `/cgi-bin/account mgr.cgi?cmd=cgi user add` file. Manipulation of the `name` argument allows for the execution of arbitrary operating system commands. The attack can be launched remotely. Exploitation is considered difficult, but a public exploit is available. Approximately 61,000 devices worldwide are estimated to be affected, with exploitation attempts observed starting November 12th. The vulnerability is due to insufficient input validation of the `name` parameter, enabling attackers to inject shell commands. **Recommendations** D-Link DNS-320: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks. D-Link DNS-320LW: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks. D-Link DNS-325: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks. D-Link DNS-340L: As D-Link will not release a patch, replace the device with a supported model or restrict access from external networks.

**Name of the Vulnerable Software and Affected Versions** TVT DVR TD-2104TS-CL (affected versions not specified) DVR TD-2108TS-HP (affected versions not specified) Provision-ISR DVR SH-4050A5-5L(MM) (affected versions not specified) AVISION DVR AV108T (affected versions not specified) TD-2116TE-HP (affected versions not specified) SH-8100A-2L(MM) (affected versions not specified) **Description** The issue is related to a lack of protection for service data in hybrid HD video recorders, which can be exploited remotely to disclose protected information. The vulnerability affects the `/queryDevInfo` file and may lead to sensitive data exposure. The exploit has been disclosed to the public and can be used. **Recommendations** For TVT DVR TD-2104TS-CL, consider applying restrictive firewalling immediately to minimize the risk of exploitation. For DVR TD-2108TS-HP, consider applying restrictive firewalling immediately to minimize the risk of exploitation. For Provision-ISR DVR SH-4050A5-5L(MM), consider applying restrictive firewalling immediately to minimize the risk of exploitation. For AVISION DVR AV108T, consider applying restrictive firewalling immediately to minimize the risk of exploitation. For TD-2116TE-HP, consider applying restrictive firewalling immediately to minimize the risk of exploitation. For SH-8100A-2L(MM), consider applying restrictive firewalling immediately to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90 **Description** A critical vulnerability was found in the Web Interface component of Raisecom devices, specifically in the file list base config.php. The manipulation of the `template` argument leads to os command injection, allowing remote attackers to execute arbitrary commands. The exploit has been disclosed to the public and may be used. The vulnerability can be exploited by initiating a remote attack, potentially allowing attackers to execute arbitrary code by injecting a specially crafted curl command. **Recommendations** For Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90, as a temporary workaround, consider disabling the `list base config.php` file or restricting access to the Web Interface until a patch is available. Avoid using the `template` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Hipcam Device up to 20240511 Description: A vulnerability was found in the MAC Address Handler component of the Hipcam Device, affecting the file /log/wifi.mac. This issue leads to information disclosure and can be initiated remotely. The vendor was contacted about this disclosure but did not respond. Recommendations: For Hipcam Device up to 20240511, consider restricting access to the /log/wifi.mac file to minimize the risk of exploitation. As a temporary workaround, avoid using the MAC Address Handler component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Faraday GM8181 and GM828x up to 20240429 Description: A critical vulnerability has been found in the NTP Service component. The manipulation of the `ntp srv` argument leads to os command injection, allowing for remote attacks. The exploit has been disclosed publicly and may be used. Recommendations: For Faraday GM8181 and GM828x up to 20240429, it is recommended to upgrade the affected component to a newer version. As a temporary workaround, consider restricting access to the NTP Service component to minimize the risk of exploitation. Avoid using the `ntp srv` argument in the affected component until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Faraday GM8181 and GM828x up to 20240429 Description: A problematic issue has been found, affecting some unknown functionality of the file /command port.ini. This leads to information disclosure and can be exploited remotely. The issue has been publicly disclosed. Recommendations: For Faraday GM8181 and GM828x up to 20240429, consider restricting access to the /command port.ini file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Faraday GM8181 and GM828x up to 20240429 Description: A problematic vulnerability was found in the Request Handler component, leading to information disclosure. The attack can be launched remotely. It is estimated that a significant number of devices may be affected, but the exact number is not specified. The exploit has been disclosed to the public and may be used. Recommendations: For Faraday GM8181 and GM828x up to 20240429, it is recommended to upgrade the affected component to a newer version. As a temporary workaround, consider restricting access to the Request Handler component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Xiongmai AHB7804R-MH-V2 Xiongmai AHB8004T-GL Xiongmai AHB8008T-GL Xiongmai AHB7004T-GS-V3 Xiongmai AHB7004T-MHV2 Xiongmai AHB8032F-LME Xiongmai XM530 R80X30-PQ 8M **Description** A critical vulnerability was found in the Sofia Service component of the affected Xiongmai devices. The issue allows for improper access controls due to the manipulation of an unknown functionality with a specific input, `ff00000000000000000000000000f103250000007b202252657422203a203130302c202253657373696f6e494422203a202230783022207d0a`. This can be exploited remotely. The exploit has been publicly disclosed. **Recommendations** For all affected devices, restrict firewall access to minimize the risk of exploitation. As a temporary workaround, consider disabling the Sofia Service component until a patch is available. Avoid using the affected devices until a fix is provided by the vendor. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keenetic KN-1010, KN-1410, KN-1711, KN-1810, and KN-1910 versions up to 4.1.2.15 **Description** A vulnerability was found in the Version Data Handler component, specifically in the /version.js file, which leads to information disclosure. The attack can be launched remotely, and the exploit has been disclosed to the public. The issue is related to insufficient protection of service data, allowing an attacker to gain unauthorized access to protected information. **Recommendations** For Keenetic KN-1010, KN-1410, KN-1711, KN-1810, and KN-1910 versions up to 4.1.2.15, consider disabling the `version.js` functionality until a patch is available. Restrict access to the Version Data Handler component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TBK DVR-4104 versions prior to 20240412 TBK DVR-4216 versions prior to 20240412 **Description** An OS command injection issue exists in TBK DVR devices due to insufficient validation of user-supplied input. Remote, unauthenticated attackers can execute arbitrary shell commands or cause a denial of service by sending a specially crafted POST request to the endpoint '/device.rsp?opt=sys&cmd= S O S T R E A MAX ' by manipulating the `mdb` and `mdc` parameters. This flaw has been actively exploited by several Mirai botnet variants, including Nexcorium and Broadside, to hijack devices for large-scale DDoS attacks and malicious traffic proxying. Over 50,000 infected devices have been detected globally, with significant activity in China, India, Russia, Egypt, Turkey, and Brazil. The Broadside variant specifically targets the maritime logistics and shipping sector, posing risks to shipboard systems and satellite communications. **Recommendations** Update the firmware for TBK DVR-4104 and TBK DVR-4216 to a version released after 20240412. Disable Telnet and restrict external access to the devices. Change all default user credentials. As a temporary workaround, restrict access to the '/device.rsp' endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Netgear DG834Gv5 version 1.6.01.34 Description: A vulnerability was found in the Web Management Interface of the Netgear DG834Gv5, which leads to cleartext storage of sensitive information. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This issue is related to the storage of critical information in an unencrypted manner, allowing a remote attacker to disclose protected information. Recommendations: For Netgear DG834Gv5 version 1.6.01.34, as a temporary workaround, consider restricting access to the Web Management Interface until a patch is available. Avoid using the Web Management Interface for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.