cbcvebase.
CVE-2023-4249
published 2023-11-08

CVE-2023-4249: Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 has a command…

PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
10.39%
95.2th percentile
Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 has a command injection vulnerability in their implementation of their binaries and handling of network requests.

Affected

22 ranges
VendorProductVersion rangeFixed in
zaviob8220_firmware
zaviob8520_firmware
zaviocb3211_firmware
zaviocb3212_firmware
zaviocb5220_firmware
zaviocb6231_firmware
zaviocd321_firmware
zaviocf7201_firmware
zaviocf7300_firmware
zaviocf7500_firmware
zaviocf7501_firmware
zavioip_camera_b8220
zavioip_camera_b8520
zavioip_camera_cb3211
zavioip_camera_cb3212
zavioip_camera_cb5220
zavioip_camera_cb6231
zavioip_camera_cd321
zavioip_camera_cf7201
zavioip_camera_cf7300
zavioip_camera_cf7500
zavioip_camera_cf7501

Detection & IOCsextracted from sources · hover to see the quote

  • Target devices are Zavio IP Cameras (CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321) running firmware version M2.1.6.05 — detect exploitation attempts against these devices on the network
  • The OS command injection (CVE-2023-4249) is triggered via incoming network requests — monitor for anomalous or malformed network requests to Zavio IP camera HTTP/management interfaces, particularly those carrying OS command metacharacters
  • Related stack-based buffer overflow vulnerabilities (CVE-2023-3959, CVE-2023-45225, CVE-2023-43755, CVE-2023-39435) on the same firmware are triggered via XML elements in incoming network requests — inspect network traffic for oversized or malformed XML payloads destined for Zavio camera interfaces
  • CVE-2023-4249 requires low-privilege authentication (PR:L) — alert on any authenticated session to a Zavio IP camera (firmware M2.1.6.05) that subsequently triggers unexpected process spawning or shell execution
  • ·Affected products are end-of-life with no firmware fix available; vendor (Zavio) is no longer in business — no patch-based remediation exists
  • ·No known public exploitation of CVE-2023-4249 had been reported to CISA at time of advisory publication (October 31, 2023)
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.