CVE-2025-8613
Vacron · Vacron Multiple Products
Executive summary
A high-severity vulnerability has been identified in multiple Vacron camera products, allowing for remote code execution. An unauthenticated attacker can exploit this flaw by sending a malicious command through the device's ping utility, potentially gaining complete control over the affected camera, leading to data breaches or further network intrusion.
Vulnerability
This vulnerability is a command injection flaw within the web-based diagnostic utility, specifically the ping function. An attacker can craft a malicious request to the device's web interface containing an IP address or hostname followed by arbitrary shell commands (e.g., using characters like ;, |, or &&). The system fails to properly sanitize this input, executing the injected commands with the privileges of the web server process, which could be root-level on the underlying embedded Linux operating system.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could grant an attacker complete control over the affected camera system. This could lead to a severe breach of confidentiality, as attackers could view and exfiltrate live or recorded video feeds. Additionally, a compromised camera could be used as a pivot point to launch further attacks against the internal corporate network, or be co-opted into a botnet for use in Distributed Denial-of-Service (DDoS) attacks. The potential for reputational damage and data leakage presents a significant risk to the organization.
Remediation
Immediate Action: Apply the security patches released by Vacron to all affected systems, prioritizing any devices that are accessible from the internet. After patching, review system and web access logs for any signs of past exploitation attempts or unauthorized access.
Proactive Monitoring: Security teams should monitor for exploitation attempts by inspecting web server logs for requests to the ping utility that contain shell metacharacters (e.g., ;, |, &, $(), `). Monitor network traffic for unusual outbound connections from cameras to unknown destinations, which could indicate a successful compromise.
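The log inspection described above, written out as an added detection example (not part of the advisory or of any Vacron software). The ping endpoint path, the parameter name and the Common Log Format layout are assumptions; the script URL-decodes parameter values, including a second pass for double-encoded input, before checking for the metacharacters listed above.

```python
"""Detection for the monitoring guidance above: flag ping-utility requests whose
parameters carry shell metacharacters (; | & ` $( ) after URL-decoding."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# ASSUMPTIONS (not from the advisory): the path substring identifying the diagnostic
# ping utility and the Common Log Format layout below are placeholders; adjust both
# to what the affected device actually logs.
PING_PATH_HINT = "ping"
METACHAR_RE = re.compile(r"[;|&`]|\$\(")  # the characters the advisory lists
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return (param, decoded_value) pairs from a ping request that contain metacharacters."""
    parts = urlsplit(target)
    if PING_PATH_HINT not in parts.path.lower():
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes one layer; a second unquote catches double-encoded values
        decoded = unquote_plus(value)
        if METACHAR_RE.search(decoded):
            hits.append((key, decoded))
    return hits

def scan(lines):
    """Parse access-log lines and return the requests that match the detection."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count and report these
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"src": m["src"], "ts": m["ts"], "params": hits})
    return findings

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:00:00:01 +0000] "GET /cgi-bin/ping.cgi?host=192.0.2.10 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:00:00:30 +0000] "GET /cgi-bin/ping.cgi?host=192.0.2.10%3Bid HTTP/1.1" 200 731',
    '198.51.100.7 - - [01/Jan/2025:00:01:02 +0000] "GET /cgi-bin/ping.cgi?host=192.0.2.10%257Cid HTTP/1.1" 200 731',
    '198.51.100.9 - - [01/Jan/2025:00:01:30 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['params']}")
```

Access logs normally record only the request line, so a ping request whose parameters travel in a POST body is not visible to this check; for those, inspect request bodies at a reverse proxy or in the device's own application logs.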
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Use a firewall or Access Control Lists (ACLs) to restrict access to the camera's management interface to only trusted IP addresses and subnets.
- Place internet-facing cameras in a segregated network zone (DMZ) to prevent a compromised device from accessing the internal corporate network.
- If possible, disable the web-based diagnostic ping utility through the device's configuration settings.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.2) and the risk of remote code execution, this vulnerability poses a significant threat to the organization. It is strongly recommended that all internet-facing Vacron devices be patched immediately. For internal devices, a patching plan should be implemented based on risk and asset criticality. Although this CVE is not currently on the CISA KEV list, its potential for widespread impact means organizations must act swiftly to apply vendor patches and implement compensating controls where necessary to mitigate the risk of compromise.