CVE-2024-35341

Name of the Vulnerable Software and Affected Versions Anpviz products versions 3.2.2.2 and lower

Description The issue allows unauthenticated users to download the running configuration of the device via a HTTP GET request to "/ConfigFile.ini" or "/config.xml" URIs. This configuration file contains usernames and encrypted passwords, which are encrypted with a hardcoded key common to all devices.

Recommendations For Anpviz products versions 3.2.2.2 and lower, consider restricting access to the "/ConfigFile.ini" and "/config.xml" URIs to prevent unauthenticated users from downloading the configuration file until a patch is available. As a temporary workaround, limit access to the device's configuration to authorized personnel only.