Attack information

Tag
CVE-2024-7029
Date
2025-12-10
Client IP
64.225.115.99
Client GEO
united states 
Vendor
AVTECH 
Product
AVM1203 IP cameras 
RAW request
POST /cgi-bin/supervisor/Factory.cgi HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16
Host: blog.██████
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
X-Forwarded-For: █████████████
Accept-Encoding: gzip
Connection: close

action=white_led&brightness=$(echo%2036eAkE2LctgNYsqVCStC6miO9ux+2>&1)
Description

CVE-2024-7029 is a command injection vulnerability in AVTECH AVM1203 IP cameras that gives a remote attacker code execution on the device without any authentication. The flaw sits in the brightness function reached through the "action=" parameter of /cgi-bin/supervisor/Factory.cgi: the brightness value is handed to a shell without validation, so shell syntax inside it is executed. The captured request above is a textbook probe for it, sending action=white_led with brightness=$(echo <random token> 2>&1). A scanner that sees its token echoed back knows the injection works and can follow up with a real payload, typically a malware download. Injected commands run with the privileges of the process that handles the request.

Affected firmware is FullImg-1023-1007-1011-1009 and earlier. A public proof of concept has existed since at least 2019, yet AVTECH has released no patch and the AVM1203 is discontinued, so the devices cannot be fixed in place. The flaw is exploited by a Mirai variant (the "Corona" botnet) to recruit the cameras into its network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for the vulnerability, noting its low attack complexity and remote exploitability. The exploitation campaign has been active since early 2024 and has hit organizations in critical infrastructure sectors including commercial facilities, healthcare, financial services and transportation systems.

CISA assigns a CVSS v3 base score of 8.8 (High). With no patch available and the cameras still deployed in those sectors, owners need to mitigate the risk themselves or retire the devices.

Mitigations
  1. Network Segmentation: Put the cameras on their own VLAN or subnet with no route to the rest of the network, so a compromised camera cannot reach other systems.
  2. Firewall Rules: Allow access to the camera's web interface (which includes /cgi-bin/supervisor/Factory.cgi) only from the hosts that manage or view it, and never expose it directly to the Internet.
  3. Disable Unused Services: Turn off services and features on the camera that are not in use to reduce the attack surface.
  4. Monitor Network Traffic: Alert on requests to Factory.cgi whose parameters carry shell syntax ($(, backticks, ;, |) and on unexpected outbound connections from the cameras, which would indicate a successful infection.
  5. Replace Vulnerable Devices: Replace the discontinued and unpatchable AVTECH AVM1203 cameras with supported models that still receive security updates.
  6. Vendor Communication: Ask AVTECH for guidance on securing the devices, bearing in mind that no fix has been published.
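As an added example (not code from this page's source or from AVTECH), the following Python script applies mitigation 4 to captured HTTP requests of the kind shown in the RAW request above: it parses a raw request, URL-decodes the Factory.cgi parameters from either the query string or the body, flags shell syntax in them, records the whole injected tail of the brightness value, and extracts the echo token that scanners use to confirm execution. The sample requests are constructed here; the first reproduces the captured body with placeholder Host and X-Forwarded-For values, the others are for contrast. The 0..100 range in brightness_is_valid is an assumed allowlist for what a hardened handler would accept, not AVTECH's actual check.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/supervisor/Factory.cgi"

# Shell constructs that have no place in a numeric LED brightness value.
SHELL_METACHARS = re.compile(r"\$\(|\$\{|`|;|\||\n|&&")

# Scanners typically run `echo <random token>` first and look for the token
# in the response to confirm that injected commands really execute.
ECHO_MARKER = re.compile(r"echo\s+([A-Za-z0-9]{8,})")

# Constructed samples. The first reproduces the body captured on this page
# (Host and X-Forwarded-For are placeholders); the others are for contrast.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/supervisor/Factory.cgi HTTP/1.0\r\n"
    "Host: blog.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 70\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "\r\n"
    "action=white_led&brightness=$(echo%2036eAkE2LctgNYsqVCStC6miO9ux+2>&1)",
    "POST /cgi-bin/supervisor/Factory.cgi HTTP/1.0\r\n"
    "Host: blog.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "action=white_led&brightness=50",
    "GET /cgi-bin/supervisor/Factory.cgi?action=white_led&brightness=`id` HTTP/1.1\r\n"
    "Host: cam.example\r\n"
    "\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body}


def analyze(raw: str) -> dict:
    """Return a verdict for one request: is it a CVE-2024-7029 style probe?"""
    req = parse_request(raw)
    verdict = {"path": req["path"], "suspicious": False,
               "brightness": None, "marker": None,
               "source": req["headers"].get("x-forwarded-for")}
    if req["path"] != TARGET_PATH:
        return verdict
    # Parameters may arrive in the query string (GET) or the body (POST).
    params = "&".join(p for p in (req["query"], req["body"]) if p)
    decoded = unquote_plus(params)          # %20 and '+' both become spaces
    # Keep everything after brightness= so the whole injected tail survives,
    # including the '2>&1' that a naive '&'-split parser would cut off.
    m = re.search(r"(?:^|&)brightness=(.*)", decoded)
    if m:
        verdict["brightness"] = m.group(1)
    if SHELL_METACHARS.search(decoded):
        verdict["suspicious"] = True
        mk = ECHO_MARKER.search(decoded)
        if mk:
            verdict["marker"] = mk.group(1)
    return verdict


def brightness_is_valid(value: str) -> bool:
    """Allowlist check a hardened handler would apply before touching a shell:
    a bare decimal integer in 0..100 (assumed range, not AVTECH's)."""
    return value.isdigit() and 0 <= int(value) <= 100


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        v = analyze(raw)
        print("ALERT " if v["suspicious"] else "ok    ", v)
```

Feed the script your proxy or honeypot captures one request at a time; the recorded echo token is worth keeping, because the same token tends to reappear across a scanner's follow-up requests and makes correlating a campaign straightforward.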