cbcvebase.
CVE-2019-7315
published 2019-06-17

CVE-2019-7315: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated…

PriorityP261high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
11.20%
95.4th percentile
Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. NOTE: this product is discontinued, and its final firmware version has this vulnerability (4.x versions exist only for other Genie Access products).

Affected

1 ranges
VendorProductVersion rangeFixed in
genieaccesswip3bvaf_firmware<= 3.0

Detection & IOCsextracted from sources · hover to see the quote

path/../../../../../etc/passwd
path/etc/shadow
yara
regex: root:.*:0:0:
  • Send an unauthenticated HTTP GET request to the camera web interface using a path traversal sequence (/../../../../../etc/passwd) and check the response body for the regex pattern 'root:.*:0:0:' with HTTP 200 status.
  • Vulnerability is exploitable with no authentication (PR:N, UI:N) over the network (AV:N) against Genie Access WIP3BVAF devices running firmware through version 3.x.
  • ·This product is discontinued; the final firmware version (3.x) is vulnerable. Version 4.x exists only for other Genie Access products, not this specific device.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.