A critical vulnerability has been identified in multiple Akuvox Smart Intercom products, allowing unauthenticated remote attackers to access live video streams. This flaw, tracked as CVE-2024-58336, poses a significant risk to physical security and privacy by enabling unauthorized surveillance of sensitive areas without requiring any credentials. Immediate patching is required to prevent potential exploitation and protect sensitive video data.

This vulnerability is an instance of Broken Access Control. The video.cgi endpoint, which serves the device's live video stream, is exposed on TCP port 8080 without any authentication mechanism. A remote attacker can exploit this by sending a direct HTTP request to this endpoint, and the device will return the video stream data without verifying the user's identity or authorization, granting unauthorized access to the camera feed.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a severe breach of physical security and personal privacy, as attackers could monitor building entrances, secure areas, or private residences in real-time. This exposure creates significant risks, including corporate espionage, targeted theft, stalking, and reputational damage. The organization could also face legal and regulatory consequences related to privacy violations if sensitive areas are exposed.

Immediate Action: The primary remediation is to apply the vendor-supplied security patch immediately. Organizations must identify all affected Akuvox devices and update them to the latest firmware version that addresses this vulnerability. After patching, review access logs for any signs of past exploitation.

Proactive Monitoring: Security teams should actively monitor network traffic for suspicious requests to TCP port 8080 on Akuvox devices, specifically looking for access attempts to the /video.cgi endpoint from untrusted or external IP addresses. Configure alerts for unusual traffic patterns or repeated connections to this port and endpoint.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Use a firewall to restrict all access to TCP port 8080 from external networks.
• If remote access is required, place the device behind a VPN or a reverse proxy that enforces strong authentication.
• Segment the network to isolate the intercom devices from critical internal systems and the public internet.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the severe impact on physical security and privacy, this vulnerability requires immediate attention. The top priority is to apply the vendor patch to all affected Akuvox devices without delay. Although this CVE is not currently listed on the CISA KEV list, its high severity and ease of exploitation warrant treating it with the same urgency. If patching is delayed for any reason, compensating controls such as firewall restrictions must be implemented immediately to mitigate the risk of unauthorized surveillance.