cbcvebase.
CVE-2020-5735
published 2020-04-08


Priority: P1 · 86 · high · CVSS 3.1: 8.8
Vector: AV:N AC:L PR:L UI:N S:U C:H I:H A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 35.64% (98.3rd percentile)
Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777. An authenticated remote attacker can abuse this issue to crash the device and possibly execute arbitrary code.

Affected

16 ranges
Vendor  | Product               | Version range                | Fixed in
amcrest | ip2m-841-v3_firmware  | < v2.800.0000000.6.r.200314  | v2.800.0000000.6.r.200314
amcrest | ip2m-841_firmware     | < v2.420.ac00.18.r.20200217  | v2.420.ac00.18.r.20200217
amcrest | ip2m-853ew_firmware   | < v2.623.00ac004.0.r.200316  | v2.623.00ac004.0.r.200316
amcrest | ip2m-858w_firmware    | < v2.623.00ac004.0.r.200316  | v2.623.00ac004.0.r.200316
amcrest | ip2m-866ew_firmware   | < v2.623.00ac004.0.r.200316  | v2.623.00ac004.0.r.200316
amcrest | ip2m-866w_firmware    | < v2.623.00ac004.0.r.200316  | v2.623.00ac004.0.r.200316
amcrest | ip4m-1053ew_firmware  | < v2.623.00ac004.0.r.200316  | v2.623.00ac004.0.r.200316
amcrest | ip8m-2454ew_firmware  | < v2.622.00ac000.0.r.200320  | v2.622.00ac000.0.r.200320
amcrest | ip8m-2493eb_firmware  | < v2.622.00ac000.0.r.200320  | v2.622.00ac000.0.r.200320
amcrest | ip8m-2496eb_firmware  | < v2.622.00ac000.0.r.200320  | v2.622.00ac000.0.r.200320
amcrest | ip8m-2597e_firmware   | < v2.800.00ac000.0.r.200330  | v2.800.00ac000.0.r.200330
amcrest | ip8m-mb2546ew_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320
amcrest | ip8m-mt2544ew_firmware | < v2.622.00ac000.0.r.200320 | v2.622.00ac000.0.r.200320
amcrest | ip8m-t2499ew_firmware | < v2.622.00ac000.0.r.200320  | v2.622.00ac000.0.r.200320
amcrest | ipm-721_firmware      | < v2.420.ac00.18.r.20200217  | v2.420.ac00.18.r.20200217
amcrest | ipm-hx1_firmware      | < v2.420.ac00.18.r.20200217  | v2.420.ac00.18.r.20200217

Detection & IOCs (extracted from sources)

port: 37777
command: 0x62, subcommand 0x04 (DDNS test with oversized Protocol field)
bytes: |62 00 00 00| followed by 'Protocol: ' + 0x300 bytes
snort:
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 37777 (msg:"ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735)"; flow:established,to_server; http.cookie; content:"|62 00 00 00|"; startswith; content:"Protocol|3a 20|"; distance:0; fast_pattern; content:"|0d 0a|"; distance:200; reference:url,www.exploit-db.com/exploits/48304; reference:cve,2016-4437; reference:cve,2020-5735; classtype:attempted-admin; sid:2034257; rev:2; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_5735, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Monitor TCP/37777 for payloads that begin with the byte sequence 0x62 0x00 0x00 0x00 and contain 'Protocol: ' followed by 200 or more bytes before a CRLF; this is the pattern the ET rule above encodes and it matches the public CVE-2020-5735 exploit.
  • The exploit uses the device's proprietary login sequence over TCP/37777 (not HTTP). Authentication is required, but unlike the HTTP interface this service has no brute-force lockout, so repeated authentication attempts on TCP/37777 that would be throttled on HTTP may indicate credential stuffing or pre-exploitation reconnaissance.
  • Roughly 1.3 million internet-facing hosts exposed TCP/37777 at the time of the cited Shodan search; prioritize blocking or monitoring external access to this port on Amcrest/Dahua devices.
  • The exploit payload uses command byte 0x62 with subcommand 0x04 to reach the DDNS test logic; these specific command/subcommand bytes in TCP/37777 traffic are a high-fidelity indicator.
  • A device crash or reboot following traffic on TCP/37777 may indicate an exploitation attempt; alert on unexpected reboots of Amcrest/Dahua cameras and NVRs.
  • The ET rule as quoted uses the 'http.cookie' sticky buffer. Sticky buffers only match once the engine has parsed the flow as HTTP, and the traffic on 37777 is a proprietary binary protocol, so the rule will likely not fire on raw TCP/37777 traffic unless that buffer is removed or the rule is otherwise tuned; verify it against a replayed exploit capture before relying on it. The rule's reference list also carries CVE-2016-4437, which is unrelated to this issue.
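As an added example (not code from the page, from Amcrest, or from Emerging Threats), the following Python reimplements the ET rule's content/startswith/distance logic so it can be tried offline against constructed payloads. The sample messages are constructed for illustration: they reproduce only the 0x62 command bytes and the 'Protocol: ' field from the rule, not the real DVRIP header layout, and the helper names are this example's own. It also shows a property of the rule as written: 'distance:200' only requires some CRLF at least 200 bytes after the tag, so a long legitimate message with a short Protocol field can still fire it, which is why the example reports the actual field length for triage.

```python
CMD_DDNS_TEST = b"\x62\x00\x00\x00"   # first content match of the ET rule (command byte 0x62)
PROTOCOL_TAG = b"Protocol: "          # content:"Protocol|3a 20|"
CRLF = b"\r\n"                        # content:"|0d 0a|"
MIN_DISTANCE = 200                    # distance:200 before the CRLF


def matches_et_2034257(payload: bytes) -> bool:
    """Plain-Python equivalent of the rule's byte-matching part (no HTTP buffer, no flow state).

    startswith  -> payload must begin with 62 00 00 00
    distance:0  -> 'Protocol: ' may appear anywhere after that
    distance:200 -> a CRLF must begin at least 200 bytes after the end of 'Protocol: '
    """
    if not payload.startswith(CMD_DDNS_TEST):
        return False
    tag_at = payload.find(PROTOCOL_TAG, len(CMD_DDNS_TEST))
    if tag_at < 0:
        return False
    field_start = tag_at + len(PROTOCOL_TAG)
    return payload.find(CRLF, field_start + MIN_DISTANCE) >= 0


def protocol_field_length(payload: bytes):
    """Length of the Protocol field (bytes between the tag and the first CRLF after it).

    Returns None when the tag is absent. Used to separate a genuinely oversized field
    (the CVE-2020-5735 pattern) from a rule match caused by an unrelated later CRLF.
    """
    tag_at = payload.find(PROTOCOL_TAG)
    if tag_at < 0:
        return None
    start = tag_at + len(PROTOCOL_TAG)
    end = payload.find(CRLF, start)
    return (end if end >= 0 else len(payload)) - start


def classify(payload: bytes) -> str:
    """Triage verdict combining the rule match with the measured field length."""
    if not matches_et_2034257(payload):
        return "no match"
    if protocol_field_length(payload) >= MIN_DISTANCE:
        return "match: oversized Protocol field"
    return "match: short Protocol field (probable false positive, check later CRLF)"


def build_ddns_test(protocol_field: bytes, trailer: bytes = b"") -> bytes:
    """Constructed message body for testing; real DVRIP framing is NOT reproduced."""
    return CMD_DDNS_TEST + PROTOCOL_TAG + protocol_field + CRLF + trailer


# Constructed samples, not captures from a device or from the public exploit.
SAMPLES = {
    # 0x300 bytes in the Protocol field, the size the page's IOC describes
    "exploit_like": build_ddns_test(b"A" * 0x300),
    # ordinary short field
    "benign_short": build_ddns_test(b"http"),
    # short field but a long message with another CRLF 300 bytes later
    "benign_long_trailer": build_ddns_test(b"http", trailer=b"X" * 300 + CRLF),
    # does not start with the command bytes at all
    "other_command": b"\x00\x00\x00\x00" + PROTOCOL_TAG + b"B" * 0x300 + CRLF,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20s} len={len(payload):5d} "
              f"field={protocol_field_length(payload)} -> {classify(payload)}")
```

Running the block prints a verdict per sample. The 'benign_long_trailer' case fires the rule even though its Protocol field is four bytes long; on a Suricata sensor the same effect can be contained by adding a 'within' bound, or by pairing the alert with the field-length check above in post-processing.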

CVSS provenance

nvd v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 8.0 HIGH · AV:N/AC:L/Au:S/C:P/I:P/A:C
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH