PT-2025-26991 · Beward · Beward N100 IP Camera

Gjoko Krstic · Published 2025-06-26 · Updated 2025-11-20 · CVE-2025-34042

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions: Beward N100 IP Camera version M2.1.6.04C014

Description: An authenticated command injection issue exists in the Beward N100 IP Camera firmware. An attacker with web interface access can inject arbitrary system commands through the ServerName and TimeZone parameters in the servetest CGI page. These parameters are unsafely incorporated into backend system calls without sufficient input validation. Successful exploitation can lead to remote code execution with root privileges. The Shadowserver Foundation observed exploitation evidence on 2024-12-02 UTC. The vulnerable component is the servetest CGI page, specifically the handling of the ServerName and TimeZone parameters.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the servetest CGI page to minimize the risk of exploitation.
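
A detection sketch for the issue described above, added here and not part of the original advisory or any vendor code: it scans web access logs for requests to the servetest page whose ServerName or TimeZone value carries shell metacharacters. The combined log format, the `/placeholder/` path prefix, the metacharacter set and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names as injection points.
WATCHED_PARAMS = {"ServerName", "TimeZone"}
# Assumption: characters that let a shell chain or substitute commands.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
# Assumption: combined log format, e.g. a reverse proxy in front of the camera.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return {param: decoded value} for watched params with shell metacharacters."""
    parts = urlsplit(target)
    if "servetest" not in parts.path.lower():
        return {}
    hits = {}
    # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and SHELL_META.search(value):
            hits[name] = value
    return hits

def scan(lines):
    """Return (line number, source address, hits) for each flagged log line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((lineno, m.group("src"), hits))
    return findings

# Constructed sample log lines (documentation addresses, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2025:10:00:00 +0000] "GET /placeholder/servetest'
    '?ServerName=ntp.example.org&TimeZone=03:00 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Jan/2025:10:01:00 +0000] "GET /placeholder/servetest'
    '?ServerName=ntp.example.org%3BPLACEHOLDER&TimeZone=03:00 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Jan/2025:10:02:00 +0000] "GET /placeholder/servetest'
    '?ServerName=ntp.example.org&TimeZone=03%3A00%7CPLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.10 - admin [01/Jan/2025:10:03:00 +0000] "GET /placeholder/other.cgi'
    '?ServerName=a%3Bb HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for lineno, src, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {src} -> {hits}")
```

Only query strings are inspected; values sent in a request body do not appear in access logs and need inspection at the proxy or WAF instead.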

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-34042

Affected Products

Beward N100 IP Camera