CVE-2024-7029

Commands can be injected over the network and executed without authentication.

Recent assessments:

ccondon-r7 at September 17, 2024 11:39pm UTC reported:

TL;DR: Unpatched command injection vulnerability in an end-of-life IP camera, being exploited to drop a Mirai botnet malware variant. Public PoC since 2019, no CVE assignment until 2024. It’d be awfully helpful if the description of this CVE included the apparent names of the affected vendor and product — respectively, AVTECH SECURITY Corporation and AVTECH IP Camera.

Akamai’s Aline Eliovich discovered this 0day independently after Akamai detected in-the-wild exploitation dating back to March 2024. Per their great blog, “analysis showed activity for this variant as early as December 2023. The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but it never had a proper CVE assignment until August 2024.” Censys also has a write-up here with good historical background.

CISA published an ICS alert for this issue in August 2024 noting that successful exploitation allows an attacker to inject and execute commands as the owner of the running process. The CISA alert mentions that “it is suspected that prior versions of other IP cameras and NVR (network video recorder) products are also affected: AVM1203: firmware version FullImg-1023-1007-1011-1009 and prior.” The vulnerability is not on CISA KEV as of September 17, 2024 (potentially because there’s no fix and therefore nothing to mandate of KEV-bound teams).

Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0