CVE ID | CVE-2024-13892 |
Publication date | 06 March 2025 |
Vendor | Smartwares |
Product | CIP-37210AT and C724IP |
Vulnerable versions | All through 3.3.0 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77) |
Report source | Report to CERT Polska |

CVE ID | CVE-2024-13893 |
Publication date | 06 March 2025 |
Vendor | Smartwares |
Product | CIP-37210AT and C724IP |
Vulnerable versions | All through 3.3.0 |
Vulnerability type (CWE) | Use of Default Credentials (CWE-1392) |
Report source | Report to CERT Polska |

CVE ID | CVE-2024-13894 |
Publication date | 06 March 2025 |
Vendor | Smartwares |
Product | CIP-37210AT and C724IP |
Vulnerable versions | All through 3.3.0 |
Vulnerability type (CWE) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) |
Report source | Report to CERT Polska |

Description
CERT Polska has received a report about vulnerabilities in the firmware of Smartwares CIP-37210AT and C724IP cameras and participated in the coordination of their disclosure.
The vulnerability CVE-2024-13892: During the initialization process, a user has to use a mobile app to provide devices with Access Point credentials. This input is not properly sanitized, which allows for command injection.
The vulnerability CVE-2024-13893: Affected devices share the same credentials for the telnet service. The hash of the password can be retrieved through physical access to the SPI-connected memory. For the telnet service to be enabled, the inserted SD card needs to have a folder with a specific name created. The groups of devices and firmware ranges in which the same password is shared remain unknown, as the vendor has not replied to our report.
The vulnerability CVE-2024-13894: When an affected device is connected to a mobile app, it opens port 10000, enabling a user to download pictures shot at specific moments by providing paths to the files. However, the directories to which a user has access are not limited, allowing for path traversal attacks and downloading of sensitive information.
The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might still be vulnerable, as well as other products that share the same firmware (only CIP-37210AT and C724IP cameras were tested).
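The missing directory restriction described for CVE-2024-13894 is normally enforced by canonicalising the requested path and checking that it stays inside the picture directory before opening it. The following is an added example, not the vendor's firmware code: the function names, the `pictures` directory and the demo files are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Returns 0 and fills out (PATH_MAX bytes) only if `requested`, taken
 * relative to base_dir, resolves to a regular file inside base_dir. */
int resolve_in_base(const char *base_dir, const char *requested, char *out)
{
    char base[PATH_MAX], joined[2 * PATH_MAX], real[PATH_MAX];
    struct stat st;
    size_t n;
    if (requested == NULL || requested[0] == '\0') return -1;
    if (realpath(base_dir, base) == NULL) return -1;     /* canonical base */
    /* Join under base first, so an absolute request cannot replace it. */
    if (snprintf(joined, sizeof joined, "%s/%s", base, requested) >= (int)sizeof joined) return -1;
    if (realpath(joined, real) == NULL) return -1;       /* resolves "..", symlinks */
    n = strlen(base);
    /* Compare canonical paths; the '/' check stops "pictures2" matching "pictures". */
    if (strncmp(real, base, n) != 0 || real[n] != '/') return -1;
    if (stat(real, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    strcpy(out, real);
    return 0;
}

static void touch(const char *path) { FILE *f = fopen(path, "w"); if (f) fclose(f); }

/* Constructed demo tree: <tmp>/pictures/snap.jpg and <tmp>/secret.txt. */
int demo_request(const char *requested)
{
    static char root[64], base[80];
    char p[128], out[PATH_MAX];
    if (root[0] == '\0') {
        strcpy(root, "/tmp/camdemoXXXXXX");
        if (mkdtemp(root) == NULL) { root[0] = '\0'; return -2; }
        snprintf(base, sizeof base, "%s/pictures", root);
        mkdir(base, 0700);
        snprintf(p, sizeof p, "%s/snap.jpg", base);   touch(p);
        snprintf(p, sizeof p, "%s/secret.txt", root); touch(p);
    }
    return resolve_in_base(base, requested, out);
}

int main(void)
{
    printf("%d %d\n", demo_request("snap.jpg"), demo_request("../secret.txt"));
    return 0;
}
```

The containment check runs on the output of `realpath`, not on the raw request string, so encoded or nested `..` segments and symlinks are judged by where they actually lead.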
Credits
We thank Michał Majchrowicz and Marcin Wyczechowski from Afine Team for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.