cbcvebase.
CVE-2016-7834
published 2017-04-13

CVE-2016-7834: SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520…

PriorityP355high8.8CVSS 3.0
AVAACLPRNUINSUCHIHAH
EXPLOIT
EPSS
3.90%
89.0th percentile
SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C network cameras with firmware before Ver.1.86.00 and SONY SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL network cameras with firmware before Ver.2.7.2 are prone to sensitive information disclosure. This may allow an attacker on the same local network segment to login to the device with administrative privileges and perform operations on the device.

Affected

2 ranges
VendorProductVersion rangeFixed in
sonysnc_series_firmware<= 1.8.5.00
sonysnc_series_firmware<= 2.7.0

Detection & IOCsextracted from sources · hover to see the quote

url/command/prima-factory.cgi
otherAuthorization: Bearer cHJpbWFuYTpwcmltYW5h
cookiecHJpbWFuYTpwcmltYW5h
  • Send a GET request to /command/prima-factory.cgi with the hardcoded Bearer token cHJpbWFuYTpwcmltYW5h (base64 for 'primana:primana'). A 204 HTTP status response combined with a 'gen5th' or 'gen6th' string in the response header confirms the backdoor account is active.
  • Response header containing 'gen5th' or 'gen6th' is a strong indicator of a vulnerable Sony IPELA Engine IP camera with the hardcoded backdoor account.
  • The vulnerability involves a hardcoded credential backdoor accessible via HTTP and also associated with telnet on Sony SNC-series cameras. Monitor for unauthorized access attempts using the 'primana' account.
  • Attack vector is adjacent network (AV:A); restrict lateral access to Sony SNC camera management interfaces on the local network segment to limit exposure.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.03.3LOWAV:A/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.