CVE-2020-5735: Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777
Published 2020-04-08
PriorityP186high8.8CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 35.64% (98.3rd percentile)
Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777. An authenticated remote attacker can abuse this issue to crash the device and possibly execute arbitrary code.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amcrest | ip2m-841-v3_firmware | < v2.800.0000000.6.r.200314 | v2.800.0000000.6.r.200314 |
| amcrest | ip2m-841_firmware | < v2.420.ac00.18.r.20200217 | v2.420.ac00.18.r.20200217 |
| amcrest | ip2m-853ew_firmware | < v2.623.00ac004.0.r.200316 | v2.623.00ac004.0.r.200316 |
| amcrest | ip2m-858w_firmware | < v2.623.00ac004.0.r.200316 | v2.623.00ac004.0.r.200316 |
| amcrest | ip2m-866ew_firmware | < v2.623.00ac004.0.r.200316 | v2.623.00ac004.0.r.200316 |
| amcrest | ip2m-866w_firmware | < v2.623.00ac004.0.r.200316 | v2.623.00ac004.0.r.200316 |
| amcrest | ip4m-1053ew_firmware | < v2.623.00ac004.0.r.200316 | v2.623.00ac004.0.r.200316 |
| amcrest | ip8m-2454ew_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320 |
| amcrest | ip8m-2493eb_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320 |
| amcrest | ip8m-2496eb_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320 |
| amcrest | ip8m-2597e_firmware | < v2.800.00ac000.0.r.200330 | v2.800.00ac000.0.r.200330 |
| amcrest | ip8m-mb2546ew_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320 |
| amcrest | ip8m-mt2544ew_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320 |
| amcrest | ip8m-t2499ew_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320 |
| amcrest | ipm-721_firmware | < v2.420.ac00.18.r.20200217 | v2.420.ac00.18.r.20200217 |
| amcrest | ipm-hx1_firmware | < v2.420.ac00.18.r.20200217 | v2.420.ac00.18.r.20200217 |
Detection & IOCs (extracted from sources)
bytes: |62 00 00 00| followed by 'Protocol: ' + 0x300 bytes
Snort rule:
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 37777 (msg:"ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735)"; flow:established,to_server; http.cookie; content:"|62 00 00 00|"; startswith; content:"Protocol|3a 20|"; distance:0; fast_pattern; content:"|0d 0a|"; distance:200; reference:url,www.exploit-db.com/exploits/48304; reference:cve,2016-4437; reference:cve,2020-5735; classtype:attempted-admin; sid:2034257; rev:2; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_5735, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Monitor TCP port 37777 for connections containing the byte sequence 0x62 0x00 0x00 0x00 followed by 'Protocol: ' with a payload distance >200 bytes before CRLF; this matches the CVE-2020-5735 exploit pattern.
- The exploit uses a proprietary login sequence over port 37777 (not HTTP) with no brute-force lockout; repeated authentication attempts on TCP/37777 that would be blocked on HTTP may indicate credential stuffing or pre-exploitation reconnaissance.
- Approximately 1.3 million hosts expose TCP/37777 on the internet (Shodan); prioritize blocking or monitoring external access to this port on Amcrest/Dahua devices.
- The exploit payload uses command byte 0x62 with subcommand 0x04 to trigger DDNS test logic; look for these specific command/subcommand bytes in TCP/37777 traffic as a high-fidelity indicator.
- A device crash or reboot following traffic on TCP/37777 may indicate an exploitation attempt; monitor for unexpected reboots on Amcrest/Dahua camera or NVR devices.
- Authentication is required for exploitation over port 37777, but unlike the HTTP interface the port has no brute-force lockout, making credential attacks a viable pre-exploitation step.
- The Snort/ET rule uses the 'http.cookie' sticky buffer, which may require tuning depending on whether the sensor is inspecting raw TCP on port 37777 vs. HTTP traffic.
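The bullets above describe the rule's three content matches in words; the following Python is an added example (not from the page, the ET ruleset, or the Tenable advisory) that re-implements those matches on a raw TCP/37777 payload, the way a sensor inspecting the bare stream rather than the `http.cookie` buffer would. Snort semantics are followed: `startswith` pins the 0x62 header at offset 0, `distance:0` lets `Protocol: ` appear anywhere after it, and `distance:200` requires the CRLF at least 200 bytes past the end of that token. The sample payloads and flow records are constructed for the test and are not captured traffic; the 28-byte filler between header and token is an assumption about framing, not a documented layout.

```python
"""Re-implementation of the ET sid:2034257 content matches for TCP/37777 payloads.

Added example, not code from the original page. Sample payloads below are
constructed, not captured from a device.
"""
from dataclasses import dataclass
from typing import List, Dict, Any

COMMAND_HEADER = b"\x62\x00\x00\x00"   # content:"|62 00 00 00|"; startswith
PROTOCOL_TOKEN = b"Protocol: "         # content:"Protocol|3a 20|"; distance:0
CRLF = b"\r\n"                          # content:"|0d 0a|"; distance:200
CRLF_MIN_DISTANCE = 200                # bytes after the token before CRLF may match
TARGET_PORT = 37777                    # the rule's destination port


@dataclass
class Verdict:
    matched: bool
    reason: str


def matches_cve_2020_5735_pattern(payload: bytes) -> Verdict:
    """Apply the rule's three content matches, in order, to one payload."""
    # startswith: the command header must sit at offset 0.
    if not payload.startswith(COMMAND_HEADER):
        return Verdict(False, "no 0x62 command header at offset 0")

    # distance:0: the token may start anywhere at or after the end of the header.
    proto_idx = payload.find(PROTOCOL_TOKEN, len(COMMAND_HEADER))
    if proto_idx < 0:
        return Verdict(False, "no 'Protocol: ' token after the header")

    # distance:200: CRLF only counts if it begins >= 200 bytes past the token end.
    token_end = proto_idx + len(PROTOCOL_TOKEN)
    crlf_idx = payload.find(CRLF, token_end + CRLF_MIN_DISTANCE)
    if crlf_idx < 0:
        return Verdict(False, "no CRLF at least 200 bytes after 'Protocol: '")

    span = crlf_idx - token_end
    return Verdict(True, f"'Protocol: ' at {proto_idx}, CRLF {span} bytes after the token")


def scan_flows(flows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the check over flow records and return alert dicts for hits on TCP/37777."""
    alerts = []
    for flow in flows:
        if flow["dport"] != TARGET_PORT:
            continue  # rule is scoped to the camera/NVR service port
        verdict = matches_cve_2020_5735_pattern(flow["payload"])
        if verdict.matched:
            alerts.append({"src": flow["src"], "dport": flow["dport"],
                           "sid": 2034257, "reason": verdict.reason})
    return alerts


# Constructed samples (assumed framing: header, 28 filler bytes, then the token).
_FILLER = b"\x00" * 28
SAMPLE_OVERSIZED = COMMAND_HEADER + _FILLER + PROTOCOL_TOKEN + b"A" * 0x300 + CRLF
SAMPLE_SHORT = COMMAND_HEADER + _FILLER + PROTOCOL_TOKEN + b"TCP" + CRLF
SAMPLE_OTHER = b"\xa0\x00\x00\x00" + _FILLER

SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dport": 37777, "payload": SAMPLE_OVERSIZED},  # should alert
    {"src": "192.0.2.11", "dport": 37777, "payload": SAMPLE_SHORT},      # benign length
    {"src": "192.0.2.12", "dport": 80,    "payload": SAMPLE_OVERSIZED},  # wrong port
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

The short sample shows why the 200-byte distance matters: a normal `Protocol: ` value ends with a CRLF within a few bytes and is not flagged, so the check keys on the oversized field rather than on the command header alone.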
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 8.0 | HIGH | AV:N/AC:L/Au:S/C:P/I:P/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
GHSA
GHSA-q9mh-3fx2-4gj3: Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777
Source: ghsa_unreviewed · 2022-05-24 · CVE-2020-5735 · HIGH · CWE-121
VulnCheck
Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability
Source: vulncheck · 2020 · CVSS 8.8 · CVE-2020-5735 · HIGH · CWE-121
Amcrest cameras and NVR contain a stack-based buffer overflow vulnerability through port 37777 that allows an unauthenticated, remote attacker to crash the device and possibly execute code.
Affected: Amcrest Cameras and Network Video Recorder (NVR)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
CISA
Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability
Source: cisa · 2021-11-03 · CVSS 8.8 · CVE-2020-5735 · HIGH · CWE-121
Affected: Amcrest Cameras and Network Video Recorder (NVR)
Amcrest cameras and NVR contain a stack-based buffer overflow vulnerability through port 37777 that allows an unauthenticated, remote attacker to crash the device and possibly execute code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-5735
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735)
Source: suricata · 2021-10-27 · CVSS 8.8 · CVE-2016-4437 · HIGH
Rule: alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 37777 (msg:"ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735)"; flow:established,to_server; http.cookie; content:"|62 00 00 00|"; startswith; content:"Protocol|3a 20|"; distance:0; fast_pattern; content:"|0d 0a|"; distance:200; reference:url,www.exploit-db.com/exploits/48304; reference:cve,2016-4437; reference:cve,2020-5735; classtype:attempted-admin; sid:2034257; rev:2; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_5735, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_t
References:
- http://packetstormsecurity.com/files/157164/Amcrest-Dahua-NVR-Camera-IP2M-841-Denial-Of-Service.html
- https://www.tenable.com/security/research/tra-2020-20
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5735
Timeline:
- 2020-04-08: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild