CVE-2026-15680
Lorex · 2K Indoor Wi-Fi Security Camera
The Lorex 2K Indoor Wi-Fi Security Camera is vulnerable to a format string flaw in CDeviceOperator, which could allow an unauthenticated attacker to execute arbitrary code remotely.
Executive summary
A remote code execution vulnerability in the Lorex 2K Indoor Wi-Fi Security Camera poses a critical risk to device integrity and network security.
Vulnerability
The device suffers from a CWE-134 Format String vulnerability within the CDeviceOperator component. This flaw allows an unauthenticated attacker to inject malicious format specifiers to corrupt memory and execute arbitrary code on the affected camera.
Business impact
Successful exploitation of this vulnerability could lead to a full system compromise, allowing attackers to gain unauthorized access to camera feeds, exfiltrate sensitive data, or pivot into the internal network. With a CVSS score of 7.5, this high-severity vulnerability represents a significant risk to operational security and user privacy, especially for devices deployed in sensitive environments.
Remediation
Immediate Action: Contact the vendor immediately to obtain firmware updates that address this format string vulnerability. If no patch is currently available, isolate the device from public internet access.
Proactive Monitoring: Review network traffic logs for anomalous inbound requests directed toward the camera’s management interface.
Compensating Controls: Implement strict network segmentation and place the camera behind a firewall that restricts access to only trusted management IP addresses.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the high CVSS score and the nature of the vulnerability, organizations should prioritize the security of these cameras. If firmware updates are unavailable, the most effective mitigation is to disconnect the device from the internet until a vendor-supplied patch is applied.