ThroughTek P2P SDK - Cleartext Transmission of Sensitive Information
CVE-2021-32934

9.1CRITICAL

Key Information:

Vendor: Throughtek
Status: P2p Sdk
Vendor: CVE Published:; 19 May 2022

What is CVE-2021-32934?

The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.

Affected Version(s)

P2P SDK all with nossl tag

P2P SDK firmware using AVAPI module without enabling DTLS mechanism

P2P SDK firmware using P2PTunnel or RDT module

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2022
Vulnerability Reserved
May 13, 2021

Credit

Nozomi Networks reported this vulnerability to CISA.

CVE-2021-32934 Data

JSON

Throughtek

What is CVE-2021-32934?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit