CVE-2023-39435
Published 2023-11-08
CVE-2023-39435: Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 are vulnerable to…
Priority P263 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.23% (65.1th percentile)
Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 are vulnerable to stack-based overflows. During the process of updating certain settings sent from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zavio | b8220_firmware | — | — |
| zavio | b8520_firmware | — | — |
| zavio | cb3211_firmware | — | — |
| zavio | cb3212_firmware | — | — |
| zavio | cb5220_firmware | — | — |
| zavio | cb6231_firmware | — | — |
| zavio | cd321_firmware | — | — |
| zavio | cf7201_firmware | — | — |
| zavio | cf7300_firmware | — | — |
| zavio | cf7500_firmware | — | — |
| zavio | cf7501_firmware | — | — |
| zavio | ip_camera_b8220 | — | — |
| zavio | ip_camera_b8520 | — | — |
| zavio | ip_camera_cb3211 | — | — |
| zavio | ip_camera_cb3212 | — | — |
| zavio | ip_camera_cb5220 | — | — |
| zavio | ip_camera_cb6231 | — | — |
| zavio | ip_camera_cd321 | — | — |
| zavio | ip_camera_cf7201 | — | — |
| zavio | ip_camera_cf7300 | — | — |
| zavio | ip_camera_cf7500 | — | — |
| zavio | ip_camera_cf7501 | — | — |
Detection & IOCs
- Trigger condition: stack-based buffer overflow occurs during processing of settings updates sent via incoming network requests — monitor for anomalously large or malformed network payloads directed at Zavio IP camera management interfaces
- Affected firmware version M2.1.6.05 on Zavio IP Camera models CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321 — fingerprint devices running this firmware version for prioritized patching/isolation
- Attack vector is network-based with low privilege required (CVSS PR:L) and no user interaction — monitor for authenticated but low-privilege sessions sending unusually large settings-update requests to camera management interfaces
- Affected products are end-of-life with no vendor firmware fix available; no patch or mitigation from Zavio will be released — only network isolation or device replacement is viable
- No known public exploitation of CVE-2023-39435 has been reported at time of advisory publication — threat intelligence feeds should be monitored for future exploitation activity
CISA ICS
Zavio IP Camera
cisa_ics·2023-10-31·CVSS 9.8
[CRITICAL] Zavio IP Camera
ICS Advisory
## Zavio IP Camera
Release Date: October 31, 2023
Alert Code: ICSA-23-304-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Zavio
- Equipment: IP Camera
- Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer, OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Zavio IP Cameras are affected:
- CF7500: version M2.1.6.05
- CF7300: version M2.1.6.05
- CF7201: version M2.1.6.05
- CF7501: version M2.1.6.05
- CB3211: version M2.1.6.05
- CB3212: version M2.1.6.05
- CB5220: version M2.1.6.05
- CB623
GHSA
GHSA-75fp-j7f7-j7j8: Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220,
CB6231, B8520, B8220, and CD321 IP Cameras
with firmware version M2
ghsa_unreviewed·2023-11-09
CVE-2023-39435 [HIGH] CWE-121 GHSA-75fp-j7f7-j7j8: Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220,
CB6231, B8520, B8220, and CD321 IP Cameras
with firmware version M2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.