
Security researcher Yassine Damiri has uncovered two critical vulnerabilities in the Yi IOT XY-3820 smart camera, posing significant security risks. Both flaws, rated CVSS 9.8, allow unauthenticated attackers to gain full root control over the device—with minimal interaction and no authentication required.
CVE-2025-29659: Remote Command Execution
The first vulnerability, tracked as CVE-2025-29659, is a critical Remote Command Execution (RCE) flaw. It affects the cmd binary in the camera’s firmware (v6.0.24.10).
While the cmd binary is not used during normal camera operation, it can be triggered to spawn a root-level command server on TCP port 999. Once active, this server “listens indefinitely and processes commands sent over the network,” leading to “unauthenticated, root-level code execution”.
The technical analysis reveals that the cmd binary is small, around 4.3KB, and isn’t part of the camera’s default boot sequence. However, when launched, it opens TCP port 999 and waits for commands.
To exploit this vulnerability, an attacker would need to:
- Ensure the cmd binary is running.
- Connect to the device’s port 999/tcp.
- Send the desired shell command followed by the marker $$boundary\r\n.
For example, sending id > /tmp/PWNED$$boundary\r\n would write the output of the id command to the /tmp/PWNED file on the camera.
CVE-2025-29660: Unauthorized Command Execution
The second vulnerability, CVE-2025-29660, also presents a critical threat. This flaw lies within the camera’s embedded daemon process, which runs on TCP port 6789.
The daemon process is a core component responsible for handling communication between the main application and the web interface, as well as transmitting video feeds and processing control commands.
The vulnerability stems from the daemon’s failure to properly sanitize user-supplied input. This allows remote, unauthenticated attackers to execute arbitrary commands on the file system using path traversal techniques.
Specifically, the daemon_parse_exec function processes each TCP request sent to port 6789. While the function expects a valid path to a script, it doesn’t filter relative path components like ../. This lack of filtering enables attackers to use directory traversal to manipulate the final script execution path, which is then executed with root privileges.
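The traversal flaw comes down to a script path that is joined to a base directory and executed without checking where the resolved path ends up. The following is an added illustration, not code from the researcher or from the camera firmware: a naive resolver that reproduces the behaviour described above next to a confined resolver that rejects anything leaving the script directory. The script root /home/app/scripts is an assumption (the article does not name the real directory), as are the function names.

```python
import posixpath

# Hypothetical script root for the daemon. The article does not name the real
# directory, so this value is an assumption used only for illustration.
SCRIPT_DIR = "/home/app/scripts"


def naive_script_path(base_dir: str, requested: str) -> str:
    """Mirror the behaviour described in the article: the requested name is
    joined to the script directory and resolved, with no check that the result
    still lies inside it. "../../../usr/bin/cmd" therefore escapes to /usr/bin/cmd."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def confined_script_path(base_dir: str, requested: str):
    """Hardened resolver: return the resolved path only when it lies strictly
    inside base_dir, otherwise None. Rejects empty input, NUL bytes, absolute
    paths, and any request whose normalized form walks out of the directory."""
    if not requested or "\x00" in requested:
        return None
    if posixpath.isabs(requested):
        return None
    root = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # Test the normalized path, not the raw string: "sub/../x" is fine, "../x"
    # is not. The trailing "/" keeps a sibling such as /home/app/scripts-evil
    # from passing a plain prefix comparison.
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    # Note: this is a lexical check. Code that runs on the device should also
    # resolve symlinks (os.path.realpath) before comparing against the root.
    return candidate


if __name__ == "__main__":
    hostile = "../../../usr/bin/cmd"
    print("naive   :", naive_script_path(SCRIPT_DIR, hostile))
    print("confined:", confined_script_path(SCRIPT_DIR, hostile))
    print("confined:", confined_script_path(SCRIPT_DIR, "status.sh"))
```

Run stand-alone, the naive resolver prints /usr/bin/cmd for the traversal request while the confined resolver prints None, and an ordinary script name resolves to a path under the script root.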
To exploit this vulnerability, an attacker can send the following payload via a raw TCP connection to port 6789: 12 12 ../../../usr/bin/cmd.
This payload instructs the daemon to execute the /usr/bin/cmd binary. Successful exploitation will result in the device opening port 999, indicating that the cmd process has been launched.
Users are strongly advised to:
- Update the camera firmware to the latest version.
- Disconnect affected cameras from the internet.
- Restrict access to internal-only networks.
- Monitor for unusual outbound connections, especially on ports 6789 and 999.
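The monitoring advice above can be turned into a concrete rule: flag any flow to ports 6789 or 999 on a camera, and raise the severity when the payload carries a ../ traversal component (port 6789) or the $$boundary\r\n terminator the cmd server expects (port 999). The following is an added example written for this page, not tooling from the researcher or the vendor. The Flow records, the sample addresses, and the benign "12 12 status.sh" request are constructed for the demonstration; only the ports and the two payload markers come from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Ports the article associates with each flaw. A connection to either one is
# worth a medium alert on its own; a matching payload raises it to high.
WATCH_PORTS = {
    6789: "daemon listener (CVE-2025-29660)",
    999: "cmd command server (CVE-2025-29659)",
}

# A ".." component at the start of the path or after whitespace or a slash.
TRAVERSAL = re.compile(rb"(?:^|[\s/])\.\.(?:/|$)")
# Terminator the cmd server expects after each command, per the article.
BOUNDARY = b"$$boundary\r\n"


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Finding:
    severity: str
    reason: str


def classify_flow(flow: Flow) -> List[Finding]:
    """Return the findings for one flow; an empty list means nothing to report."""
    findings: List[Finding] = []
    label = WATCH_PORTS.get(flow.dst_port)
    if label is None:
        return findings
    findings.append(Finding("medium", f"connection to {label}"))
    if flow.dst_port == 6789 and TRAVERSAL.search(flow.payload):
        findings.append(Finding("high", "path traversal in daemon request"))
    if flow.dst_port == 999 and BOUNDARY in flow.payload:
        findings.append(Finding("high", "command terminator sent to cmd server"))
    return findings


def scan(flows: List[Flow]) -> List[Tuple[str, int, Finding]]:
    """Flatten findings across a batch of flows as (source, port, finding)."""
    return [(f.src, f.dst_port, c) for f in flows for c in classify_flow(f)]


# Constructed sample traffic: one benign web request, one ordinary request to
# the daemon, and the two payloads the article describes.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 80, b"GET / HTTP/1.1\r\n"),
    Flow("10.0.0.5", "10.0.0.20", 6789, b"12 12 status.sh"),
    Flow("198.51.100.7", "10.0.0.20", 6789, b"12 12 ../../../usr/bin/cmd"),
    Flow("198.51.100.7", "10.0.0.20", 999, b"id > /tmp/PWNED$$boundary\r\n"),
]

if __name__ == "__main__":
    for src, port, finding in scan(SAMPLE_FLOWS):
        print(f"{finding.severity:6} {src} -> :{port} {finding.reason}")
```

The port match alone is deliberately kept at medium: a camera that legitimately talks to its own daemon will produce such flows, and the value of the rule is in the source address (anything outside the management network) combined with the payload markers.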