Security Affairs
Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A number of vulnerabilities affect IP Enabled AirLive Cameras

A number of AirLive Cameras are affected by command injection vulnerabilities that could allow attackers to decode user credentials and control the devices. A number of IP-enabled AirLive cameras manufactured by OvisLink Corp are affected by command injection vulnerabilities that could be exploited by attackers to decode user credentials and completely control the devices. According […]

A number of vulnerabilities affect IP Enabled AirLive Cameras

A number of AirLive Cameras are affected by command injection vulnerabilities that could allow attackers to decode user credentials and control the devices.

A number of IP-enabled AirLive cameras manufactured by OvisLink Corp are affected by command injection vulnerabilities that could be exploited by attackers to decode user credentials and completely control the devices.

According to the experts at security firm Core Security, at least five different models of AirLive cameras are vulnerable. The following builds are at risk:

  • AirLive BU-2015 with firmware 1.03.18 16.06.2014
  • AirLive BU-3026 with firmware 1.43 21.08.2014
  • AirLive MD-3025 with firmware 1.81 21.08.2014
  • AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011
  • AirLive POE-200CAM v2 with firmware LM.1.6.17.01

Airlive cameras flaw

The researcher Nahuel Riva explained that the AirLive cameras MD-3025, BU-3026 and the BU-2015 are affected by a command injection vulnerability in the cgi_test.cgi binary file.

If the owner of the camera hasn’t changed the default configuration by forcing the use of HTTPs, the attackers can request the file without authentication by injecting arbitrary commands into the operating system. With such kind of attack hackers can access information managed by AirLive camera, including the MAC address, model, hardware and firmware version, along with aìother sensitive details.

“[CVE-2015-2279] There is an OS Command Injection in the cgi_test.cgi binary file in the AirLive MD-3025, BU-3026 and BU-2015 cameras when handling certain parameters. That specific CGI file can be requested without authentication, unless the user specified in the configuration of the camera that every communication should be performed over HTTPS (not enabled by default).

The vulnerable parameters are the following: write_mac, write_pid, write_msn, write_tan, write_hdv.” states the post.

The other two cameras, WL-2000CAM and POE-200CAM, also suffer similar flaws in CGI files that could allow to run a command injection flaw. Both models of AirLive cameras have hardcoded credentials that can be easily retrieved and decoded with this attack.

“[CVE-2014-8389] The AirLive WL-2000CAM anf POE-200CAM “/cgi-bin/mft/wireless_mft.cgi” binary file, has an OS command injection in the parameter ap that can be exploited using the hard-coded credentials the embedded Boa web server has inside its configuration file:

  • username: manufacture
  • password: erutcafunam

The following proof of concept copies the file where the user credentials are stored in the web server root directory:

<a href="http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials">http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/...</a>
Afterwards, the user credentials can be obtained by requesting:
<a href="http://<Camera-IP>/credentials">http://<Camera-IP>/credentials</a>

“I found these vulnerabilities by looking at the firmware,” Riva said Monday of her research, “I found that I could invoke some CGIs without authentication, and some backdoor accounts allowed me to execute arbitrary OS commands on the device.”

Core Security tried multiple times to get in touch with the manufacturer to fix the issues in the AirLive cameras, but never received a response.

Pierluigi Paganini

(Security Affairs – Core Security, AirLive cameras)