CVE-2025-8760

INSTAR · INSTAR Multiple Products

A critical remote code execution vulnerability has been identified in multiple INSTAR camera products.

Executive summary

A critical remote code execution vulnerability has been identified in multiple INSTAR camera products. An unauthenticated attacker who can reach the camera's web interface can exploit the flaw by sending a single specially crafted HTTP request, potentially gaining complete control of the affected device. Successful exploitation results in a total loss of confidentiality, integrity, and availability of the camera itself; a compromised camera can then serve as a foothold against the network segment it resides on.

Vulnerability

The vulnerability is a buffer overflow in the fcgi_server component, specifically in its base64_decode function. The web server Base64-decodes the value of the HTTP Authorization header (the format used by HTTP Basic authentication, where "user:password" is sent Base64-encoded) into a fixed-size buffer without first checking that the decoded data fits. An unauthenticated remote attacker can therefore send an HTTP request whose Authorization header carries an overly long string; because the flaw sits in the code that parses the credentials, no valid credentials are needed to reach it. The resulting overflow can be leveraged to execute arbitrary code with the privileges of the server process. The advisory does not state that privilege level; on embedded cameras of this kind the web server commonly runs as root, in which case code execution amounts to full device control.
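The following is an added illustration of the bug class described above, not INSTAR's fcgi_server code, whose source is not available to us. It pairs a decoder that writes Base64 output into a fixed-size credential buffer without a length check with a hardened variant that bounds the decoded size from the encoded length before writing. The buffer size (64 bytes), the function names and the sample credential are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical destination for the decoded "user:password" string. The real
 * buffer size in INSTAR's fcgi_server is not known to us. */
#define CRED_BUF_SIZE 64

/* Map one Base64 character to its 6-bit value; -1 for '=' and anything else. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Core decoder: writes decoded bytes to out and returns how many it wrote.
 * It stops at the first padding or invalid character and trusts the caller
 * to have sized out correctly; that trust is where the bug class lives. */
static size_t b64_decode_raw(const char *in, size_t in_len, unsigned char *out)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) break;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;   /* keep only the unconsumed low bits */
        }
    }
    return n;
}

/* VULNERABLE pattern (illustrative): the decoded length is never compared
 * against CRED_BUF_SIZE, so a long Authorization value overruns cred[]. */
int parse_basic_auth_vulnerable(const char *b64, char *cred)
{
    size_t n = b64_decode_raw(b64, strlen(b64), (unsigned char *)cred);
    cred[n] = '\0';                 /* also out of bounds when n >= CRED_BUF_SIZE */
    return (int)n;
}

/* HARDENED: bound the decoded size from the encoded length before touching
 * the buffer, and reject anything that cannot fit with its terminating NUL. */
int parse_basic_auth_hardened(const char *b64, char *cred)
{
    size_t in_len = strlen(b64);
    /* floor(3 * in_len / 4) without risking overflow of in_len * 3 */
    size_t max_out = in_len / 4 * 3 + (in_len % 4) * 3 / 4;
    if (max_out + 1 > CRED_BUF_SIZE)
        return -1;                  /* refuse before decoding a single byte */
    size_t n = b64_decode_raw(b64, in_len, (unsigned char *)cred);
    cred[n] = '\0';
    return (int)n;
}

/* Harness-friendly wrapper: decode into a private buffer and compare. */
int hardened_decodes_to(const char *b64, const char *expected)
{
    char cred[CRED_BUF_SIZE];
    int n = parse_basic_auth_hardened(b64, cred);
    return n >= 0 && strcmp(cred, expected) == 0;
}

/* Build a Base64-looking string of `len` 'A's (a constructed attacker input)
 * and report whether the hardened parser refuses it. */
int hardened_rejects_length(size_t len)
{
    char *big = malloc(len + 1);
    if (!big) return 0;
    memset(big, 'A', len);
    big[len] = '\0';
    char cred[CRED_BUF_SIZE];
    int rc = parse_basic_auth_hardened(big, cred);
    free(big);
    return rc == -1;
}

int main(void)
{
    char cred[CRED_BUF_SIZE];
    int n = parse_basic_auth_vulnerable("dXNlcjpwYXNz", cred);  /* short input: safe */
    printf("vulnerable decoder, short input:  %d bytes -> %s\n", n, cred);
    n = parse_basic_auth_hardened("dXNlcjpwYXNz", cred);
    printf("hardened decoder, short input:    %d bytes -> %s\n", n, cred);
    printf("hardened decoder, 256-char input: %s\n",
           hardened_rejects_length(256) ? "rejected" : "accepted");
    /* Feeding the 256-char input to parse_basic_auth_vulnerable would write
     * ~130 bytes past cred[]; that is the bug class behind CVE-2025-8760. */
    return 0;
}
```

The hardened check is deliberately placed before any write: computing the bound from the encoded length costs nothing and removes the attacker's control over how many bytes land in the buffer. A decoder that checks inside the loop instead must also handle the terminating NUL, which is the write the vulnerable version gets wrong even for an input that fits exactly.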

Business impact

This vulnerability is rated critical with a CVSS base score of 9.8. Exploitation could have a severe business impact, granting an attacker complete control over compromised cameras. This poses significant risks, including the compromise of sensitive information through eavesdropping on video and audio feeds, manipulation or deletion of surveillance footage, and use of the compromised cameras as a pivot point for further attacks against the internal network. Compromised devices could also be co-opted into a botnet for large-scale DDoS attacks, degrading network performance and damaging the organization's reputation.

Remediation

Immediate Action: Update the firmware of all affected INSTAR camera models to the latest version provided by the vendor. After updating, confirm that the firmware version reported by the device matches the fixed release named by the vendor and that the device is operating correctly.

Proactive Monitoring: Monitor web server logs on the devices, or traffic captured in front of them, for requests containing abnormally long or malformed Authorization headers. A legitimate Basic credential is a short "user:password" string, so a Basic value running to hundreds of bytes, or one containing characters outside the Base64 alphabet, is a strong indicator of an exploitation attempt. Implement network monitoring to detect unusual outbound traffic from the cameras, which could indicate a compromise and communication with a command-and-control (C2) server.
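As an added example (not from the advisory or from INSTAR), the classifier below applies the monitoring rule above to raw HTTP header lines, flagging a Basic Authorization value that is oversized or not valid Base64. The sample lines are constructed, not real camera traffic, and the 128-character threshold is an assumption to be tuned to the credential lengths actually in use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical threshold: a camera "user:password" is a few dozen bytes, so
 * its Base64 form stays well under 128 characters. Tune to your fleet. */
#define MAX_BASIC_B64_LEN 128

enum auth_verdict {
    AUTH_NONE = 0,         /* not an Authorization header */
    AUTH_OK = 1,           /* Basic, plausible length, valid Base64 */
    AUTH_OVERSIZED = 2,    /* Basic, longer than any legitimate credential */
    AUTH_MALFORMED = 3,    /* Basic, but not Base64 (alphabet or length) */
    AUTH_OTHER_SCHEME = 4  /* Authorization present but not Basic */
};

static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

/* Case-insensitive prefix test (header names and scheme tokens are case-
 * insensitive in HTTP). Returns a pointer just past the prefix, or NULL. */
static const char *skip_prefix_ci(const char *s, const char *pfx)
{
    for (; *pfx; s++, pfx++) {
        int a = *s, b = *pfx;
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return NULL;
    }
    return s;
}

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    return s;
}

/* Classify one header line (with or without its trailing CRLF). */
int classify_auth_header(const char *line)
{
    const char *p = skip_prefix_ci(line, "Authorization:");
    if (!p) return AUTH_NONE;
    p = skip_ws(p);
    const char *q = skip_prefix_ci(p, "Basic");
    if (!q) return AUTH_OTHER_SCHEME;
    if (*q == '\0' || *q == '\r' || *q == '\n') return AUTH_MALFORMED;  /* no token */
    if (*q != ' ' && *q != '\t') return AUTH_OTHER_SCHEME;             /* e.g. "Basic2" */
    q = skip_ws(q);

    /* Length of the credential token, ignoring trailing whitespace and CRLF. */
    size_t len = strlen(q);
    while (len > 0 && (q[len - 1] == '\r' || q[len - 1] == '\n' ||
                       q[len - 1] == ' ' || q[len - 1] == '\t'))
        len--;

    if (len > MAX_BASIC_B64_LEN) return AUTH_OVERSIZED;     /* the overflow signature */
    if (len == 0 || len % 4 != 0) return AUTH_MALFORMED;    /* Basic values are padded */
    if (strspn(q, B64_ALPHABET) < len) return AUTH_MALFORMED;
    return AUTH_OK;
}

/* Constructed attacker-style line: "Authorization: Basic " + n_chars x 'A'. */
static char *make_oversized_line(size_t n_chars)
{
    const char head[] = "Authorization: Basic ";
    char *line = malloc(sizeof head + n_chars + 2);
    if (!line) return NULL;
    memcpy(line, head, sizeof head - 1);
    memset(line + sizeof head - 1, 'A', n_chars);
    strcpy(line + sizeof head - 1 + n_chars, "\r\n");
    return line;
}

int oversized_sample_verdict(size_t n_chars)
{
    char *line = make_oversized_line(n_chars);
    if (!line) return -1;
    int v = classify_auth_header(line);
    free(line);
    return v;
}

int main(void)
{
    /* Constructed sample header lines, not real INSTAR traffic. */
    const char *samples[] = {
        "Host: camera.lan\r\n",
        "Authorization: Basic dXNlcjpwYXNz\r\n",   /* user:pass */
        "authorization: basic dXNl!!cjpw\r\n",     /* junk inside the token */
        "Authorization: Bearer eyJhbGciOi\r\n",
    };
    static const char *names[] = {"none", "ok", "OVERSIZED", "MALFORMED", "other-scheme"};
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s %s", names[classify_auth_header(samples[i])], samples[i]);
    printf("%-12s Authorization: Basic <512 x 'A'>\n", names[oversized_sample_verdict(512)]);
    return 0;
}
```

The same three checks (length cap, length divisible by four, Base64 alphabet only) translate directly into a WAF or IPS rule on the Authorization header; the length cap alone catches the overflow case, while the alphabet and padding checks catch probes that are malformed rather than merely long.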

Compensating Controls: If patching is not immediately possible, restrict network access to the camera's management interface to a limited set of trusted IP addresses, enforced by a firewall or VLAN in front of the device rather than by settings on the camera itself. Camera web interfaces should not be reachable from the internet at all; where that exposure cannot be removed, place the device behind a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules that block requests carrying an Authorization header that is abnormally long or not valid Base64. Because Basic credentials are short, capping the header at a few hundred bytes blocks the attack with little risk of false positives.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical risk to the organization and requires immediate action. The highest priority should be to identify all affected INSTAR devices, from asset inventory and from network scans for INSTAR web interfaces, and apply the vendor-supplied firmware update without delay. Although this CVE is not currently listed on the CISA KEV catalog, its critical severity and the fact that it needs no credentials warrant treating it with the same level of urgency. Any devices that cannot be patched must be isolated from all untrusted networks or decommissioned to mitigate the risk of compromise.