Unauthenticated Configuration Disclosure in Astak Security Cameras
CVE-2020-36873

8.7HIGH

Key Information:

Vendor: Astak
Status: Cm-818t3 2.4ghz Wireless Security Surveillance Camera
Vendor: CVE Published:; 26 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-36873?

Astak CM-818T3 2.4GHz wireless security surveillance cameras have a vulnerability that allows remote attackers to access sensitive configuration files via the /web/cgi-bin/hi3510/backup.cgi endpoint without requiring authentication. This exploit enables unauthorized users to download a configuration backup, potentially revealing administrative credentials and critical settings. Such information can lead to further attacks on the device or the broader connected network, raising significant concerns about user privacy and security.

Affected Version(s)

CM-818T3 2.4GHz Wireless Security Surveillance Camera 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-36873 - Proof of Concept

References

https://packetstorm.news/files/id/156532/

exploit

https://www.vulncheck.com/advisories/astak-cm818t3-unauth...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 26, 2025
👾
Exploit known to exist
Nov 26, 2025
Vulnerability published
Nov 26, 2025
Vulnerability Reserved
Oct 30, 2025

Credit

Todor Donev

JSON