Insufficient Camera Ownership Verification in Amcrest IPM-721S Devices
CVE-2017-8228

8.8HIGH

Key Information:

Vendor

Amcrest

Status
Ipm-721s Firmware
Vendor
CVE Published:
3 July 2019

What is CVE-2017-8228?

Amcrest IPM-721S devices exhibit a vulnerability that allows an attacker to add a camera to their Amcrest cloud account without proper ownership verification. This issue arises when the devices are rebooted within the last two hours, enabling a user who knows the camera's serial number to claim ownership. If the camera is not currently tied to an account, or if it has recently been removed from one, the attacker can gain complete control over the camera, including the ability to view live feeds, adjust settings, and deactivate it without the legitimate user's awareness. This risk is particularly concerning for cameras purchased online, as they may frequently be in this vulnerable state.

References

https://seclists.org/bugtraq/2019/Jun/8
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/153224/Amcrest-IPM-7...
x_refsource_MISC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/ma...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.