CVE-2020-24215
published 2020-10-06CVE-2020-24215: An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to…
PriorityP277critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
18.99%
97.0th percentile
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the device including retrieving the device's configuration (with the cleartext admin password), and uploading a custom firmware update, to ultimately achieve arbitrary code execution.
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP requests to /get_sys endpoint using hardcoded credentials admin:neworange88888888 (Basic Auth header value: YWRtaW46bmV3b3JhbmdlODg4ODg4ODg=) ↗
- →Monitor for HTTP GET requests to /get_sys on HiSilicon-based IPTV/H.264/H.265 video encoder devices, which may indicate credential harvesting or reconnaissance ↗
- →Alert on firmware upload requests to HiSilicon-based encoder admin interfaces authenticated with the backdoor credential admin:neworange88888888, as this can lead to arbitrary code execution ↗
- ·The backdoor password 'neworange88888888' is hardcoded in the box application on HiSilicon-based devices; it is not vendor-specific and affects multiple vendors including URayTech, J-Tech Digital, and ProVideoInstruments ↗
- ·The exploit retrieves the actual admin password in cleartext from the /get_sys endpoint, meaning the real admin password may differ per device but is exposed via this backdoor ↗
- ·Version is described as vendor-specific; no single firmware version string is provided, making version-based detection unreliable across affected devices ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/159601/HiSilicon-Video-Encoder-Backdoor-Password.htmlhttps://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/https://www.kb.cert.org/vuls/id/896979http://packetstormsecurity.com/files/159601/HiSilicon-Video-Encoder-Backdoor-Password.htmlhttps://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/https://www.kb.cert.org/vuls/id/896979
2020-10-06
Published