CVE-2024-42531 (CVSS 9.8): Ezviz Camera Flaw Exposes Live Feeds to Unauthenticated Access
A critical vulnerability, identified as CVE-2024-42531 and rated with a CVSS score of 9.8 (Critical), has been discovered in the Ezviz Internet PT Camera CS-CV246. This flaw enables unauthorized individuals to access the camera’s live video stream remotely without requiring any authentication.
Researchers have determined that attackers can exploit this vulnerability by constructing a set of specially crafted RTSP (Real-Time Streaming Protocol) packets with specific URLs. These malicious packets can effectively hijack the camera’s feed, granting the attacker unauthorized viewing access.
RTSP is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. By exploiting this protocol with specially crafted URLs, the attacker can bypass the camera’s security controls and view its live video stream, which could potentially lead to severe privacy breaches.
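A defender-side check for the condition described above, as an added example that is not part of the original article or any Ezviz code: it scans captured RTSP request/response pairs and reports stream-exposing requests that succeeded without an Authorization header. The exchanges, the 192.0.2.10 documentation address and the stream paths are constructed placeholders, not the URLs involved in CVE-2024-42531.

```python
# Added example: flag RTSP media requests that succeeded without credentials.
# OPTIONS is commonly answered without auth, so only stream-exposing methods count.
MEDIA_METHODS = {"DESCRIBE", "SETUP", "PLAY"}

def parse_message(raw):
    """Return (start_line, headers) with header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def unauthenticated_successes(exchanges):
    """Return (method, url) for media requests answered 2xx with no Authorization header."""
    findings = []
    for request, response in exchanges:
        req_line, req_headers = parse_message(request)
        req, resp = req_line.split(), parse_message(response)[0].split()
        if len(req) != 3 or len(resp) < 2 or not resp[1].isdigit():
            continue  # malformed capture entry
        method, url, status = req[0], req[1], int(resp[1])
        if (method in MEDIA_METHODS and 200 <= status < 300
                and "authorization" not in req_headers):
            findings.append((method, url))
    return findings

# Constructed sample capture: 192.0.2.10 is a documentation address and the
# stream paths are placeholders, not URLs taken from the advisory.
BASE = "rtsp://192.0.2.10:554"
SAMPLE = [
    (f"OPTIONS {BASE}/stream-a RTSP/1.0\r\nCSeq: 1\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 1\r\nPublic: OPTIONS, DESCRIBE, SETUP, PLAY\r\n\r\n"),
    (f"DESCRIBE {BASE}/stream-a RTSP/1.0\r\nCSeq: 2\r\n\r\n",
     "RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\nWWW-Authenticate: Digest realm=\"cam\"\r\n\r\n"),
    (f"DESCRIBE {BASE}/stream-a RTSP/1.0\r\nCSeq: 3\r\nAuthorization: Digest username=\"admin\"\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 3\r\nContent-Type: application/sdp\r\n\r\n"),
    (f"DESCRIBE {BASE}/stream-b RTSP/1.0\r\nCSeq: 4\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 4\r\nContent-Type: application/sdp\r\n\r\n"),
    (f"SETUP {BASE}/stream-b/track1 RTSP/1.0\r\nCSeq: 5\r\nTransport: RTP/AVP;unicast\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 5\r\nSession: 12345678\r\n\r\n"),
]

if __name__ == "__main__":
    for method, url in unauthenticated_successes(SAMPLE):
        print(f"ALERT unauthenticated {method} succeeded: {url}")
```

On a real network the pairs would come from a packet capture or proxy log of traffic to the camera's RTSP port; a 2xx reply to DESCRIBE or SETUP with no credentials in the request is the signal worth alerting on.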
The implications of CVE-2024-42531 are significant, particularly for users who rely on these cameras for security and surveillance. Unauthorized access to live video feeds could allow attackers to monitor activities, gather sensitive information, and even plan physical breaches of security. The ability to hijack a camera’s feed without any authentication raises serious concerns about the overall security of the affected devices.
The affected version, Ezviz Internet PT Camera (Model: CS-CV246) (B0-1C1WFR) with Serial Number: D15655150 and Version: V5.3.0 build 191225, is particularly susceptible to this exploit. Users with this camera model are strongly urged to take immediate action to protect their privacy and security.