CVE-2026-5386

The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings...

KMW CCTV Security Cameras

ADVISORY SUMMARY Successful exploitation of this vulnerability may grant full unauthorized access to camera feeds and settings. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all...

Apeman Cameras

RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to take control of the device or view camera feeds. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize...

Hobby coder accidentally creates vacuum robot army

Sammy Azdoufal wanted to steer his robot vacuum with a PS5 controller. Like any good maker, he thought it would be fun to drive a new DJI Romo around manually. He ended up gaining access to an army of robotic cleaners that gave him eyes into thousands of homes. Driven by purely playful reasons,...

CVE-2025-3653

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device contro...

CVE-2025-3653 Petlibro Smart Pet Feeder through 1.7.31 Platform Improper Access Control via API endpoint

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device contro...

CVE-2025-12636 Ubia Ubox

The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of settings...

A week in security (June 23 – June 29)

Last week on Malwarebytes Labs: Gmail’s multi-factor authentication bypassed by hackers to pull off targeted attacks Thousands of private camera feeds found online. Make sure yours isn’t one of them Sextortion email scammers increase their "Hello pervert" money demands Many data brokers are faili...

CVE-2021-32934

The affected ThroughTek P2P products SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module do not sufficiently protect data...

Design/Logic Flaw

The affected ThroughTek P2P products SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module do not sufficiently protect data...

CVE-2021-32934 ThroughTek P2P SDK - Cleartext Transmission of Sensitive Information

The affected ThroughTek P2P products SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module do not sufficiently protect data...

CVE-2021-32934

Summary of CVE-2021-32934 : Affects ThroughTek P2P SDKs (versions ≤ 3.1.5, any nossl-tag builds) and certain firmware configurations (no AuthKey for IOTC, AVAPI without DTLS, P2PTunnel/RDT) where data between the local device and ThroughTek servers is not properly protected. This results in clear...

Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds

Three security vulnerabilities have been disclosed in the popular Wyze Cam devices that grant malicious actors to execute arbitrary code and access camera feeds as well as unauthorizedly read the SD cards, the latter of which remained unresolved for nearly three years after the initial discovery...

ThroughTek P2P SDK

1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: ThroughTek Equipment: P2P SDK Vulnerability: Cleartext Transmission of Sensitive Information 2. RISK EVALUATION ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P...

CVE-2020-25169

The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds...

Information disclosure

The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds...

CVE-2018-19864

NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service buffer overflow, resulting in ability to read camera feeds or reconfigure the device...

CVE-2018-19864

NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service buffer overflow, resulting in ability to read camera feeds or reconfigure the device...

Buffer overflow

NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service buffer overflow, resulting in ability to read camera feeds or reconfigure the device...

CVE-2018-19864

NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service buffer overflow, resulting in ability to read camera feeds or reconfigure the device...