CVE-2021-33549
published 2021-09-13


Priority: P180 high | CVSS 3.1: 7.2
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 66.19% (99.2th percentile)
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.

Affected

66 ranges · showing 25
Vendor | Product | Version range | Fixed in
geutebr_ck | e2_series | |
geutebr_ck | e2_series | |
geutebr_ck | e2_series | |
geutebr_ck | e2_series | |
geutebr_ck | e2_series | |
geutebr_ck | e2_series | |
geutebr_ck | e2_series | |
geutebr_ck | e2_series | |
geutebr_ck | e2_series | EBC-21xx – 1.12.0.27 |
geutebr_ck | e2_series | EFD-22xx – 1.12.0.27 |
geutebr_ck | e2_series | ETHC-22xx – 1.12.0.27 |
geutebr_ck | e2_series | EWPC-22xx – 1.12.0.27 |
geutebr_ck | encoder_g-code | |
geutebr_ck | encoder_g-code | |
geutebr_ck | encoder_g-code | |
geutebr_ck | encoder_g-code | |
geutebr_ck | encoder_g-code | EEC-2xx – 1.12.0.27 |
geutebr_ck | encoder_g-code | EEN-20xx – 1.12.0.27 |
geutebrueck | g-cam_ebc-2110_firmware | <= 1.12.0.27 |
geutebrueck | g-cam_ebc-2110_firmware | |
geutebrueck | g-cam_ebc-2110_firmware | |
geutebrueck | g-cam_ebc-2111_firmware | <= 1.12.0.27 |
geutebrueck | g-cam_ebc-2111_firmware | |
geutebrueck | g-cam_ebc-2111_firmware | |
geutebrueck | g-cam_ebc-2112_firmware | <= 1.12.0.27 |

Detection & IOCs (extracted from sources)

path: /uapi-cgi/instantrec.cgi
path: /uapi-cgi/
snort:
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Outbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033311; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33545, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_05;)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Inbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033312; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33545, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_07;)
  • Exploit targets the 'action' POST body parameter in any .cgi endpoint under /uapi-cgi/; a value longer than ~150 characters (no '&') is indicative of a buffer overflow attempt.
  • Exploit is delivered via HTTP POST method to URIs matching /uapi-cgi/*.cgi on the target camera device.
  • Successful exploitation results in remote code execution as the root user on affected Geutebruck devices.
  • A public Metasploit module exists for this vulnerability targeting the instantrec.cgi endpoint.
  • The ET Snort rules cover multiple CVEs (2021-33545, 33546, 33547, 33549) with a single signature; a match does not uniquely confirm CVE-2021-33549 specifically.
  • The Metasploit module targets specific firmware versions only: == 1.12.0.27, 1.12.13.2, and 1.12.14.5; other firmware versions may not be exploitable via this module.
  • The ET rules carry a 'confidence Low' metadata tag, meaning false positives are possible and matches should be corroborated with additional context.
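
The rule conditions summarized in the bullets above, re-implemented as an added Python example (not part of this page's sources or the ET ruleset) for replaying captured requests offline. The sample requests, the host camera.example, and the report.cgi / transaction names are constructed; the last sample shows a benign shape that still matches, which is what the Low confidence tag warns about.

```python
import re

MIN_LEN = 150  # from pcre:"/^[^&]{150,}/R" in sid 2033311 / 2033312
ACTION_VALUE = re.compile(rb"action=([^&]*)")  # unanchored, like content:"action="

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    return (parts[0], parts[1], body) if len(parts) == 3 else None

def action_value_len(body: bytes) -> int:
    """Longest run of non-'&' bytes that follows any 'action=' in the body."""
    return max((len(v) for v in ACTION_VALUE.findall(body)), default=0)

def rule_matches(raw: bytes) -> bool:
    """Apply the rule's conditions: POST, /uapi-cgi/, .cgi suffix, long action."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    # Case-sensitive on purpose: the rule has no 'nocase' modifier.
    return (method == b"POST" and b"/uapi-cgi/" in uri and uri.endswith(b".cgi")
            and action_value_len(body) >= MIN_LEN)

def build(method: str, uri: str, body: str) -> bytes:
    """Constructed sample request; camera.example is a placeholder host."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: camera.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()

# Constructed samples: filler bytes only, parameter values are made up.
SAMPLES = {
    "overlong": build("POST", "/uapi-cgi/instantrec.cgi", "action=" + "A" * 200),
    "normal": build("POST", "/uapi-cgi/instantrec.cgi", "action=start&ch=1"),
    "len_149": build("POST", "/uapi-cgi/instantrec.cgi", "action=" + "B" * 149),
    "len_150": build("POST", "/uapi-cgi/instantrec.cgi", "action=" + "B" * 150),
    "get": build("GET", "/uapi-cgi/instantrec.cgi", "action=" + "A" * 200),
    "other_path": build("POST", "/cgi-bin/status.cgi", "action=" + "A" * 200),
    # Hypothetical endpoint and field: 'transaction=' contains 'action=' and trips the rule.
    "benign_fp": build("POST", "/uapi-cgi/report.cgi", "transaction=" + "C" * 160),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11} match={rule_matches(raw)}")
```
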

CVSS provenance

nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | 7.2 | HIGH