CVE-2024-7029
Published 2024-08-02
CVE-2024-7029: Commands can be injected over the network and executed without authentication.
Priority: P193 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 39.00% (98.4th percentile)
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avtech | avm1203 | <= FullImg-1023-1007-1011-1009 | — |
| avtech | avm1203_firmware | <= fullimg-1023-1007-1011-1009 | — |
| msrc | windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | windows_10_version_1809_for_32-bit_systems | — | — |
| msrc | windows_10_version_1809_for_x64-based_systems | — | — |
| msrc | windows_10_version_21h2_for_32-bit_systems | — | — |
| msrc | windows_10_version_21h2_for_x64-based_systems | — | — |
| msrc | windows_10_version_22h2_for_32-bit_systems | — | — |
| msrc | windows_10_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_x64-based_systems | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
| msrc | windows_server_2025 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.7 | HIGH | |
| vendor_msrc | | 5.6 | MEDIUM | |
GHSA
GHSA-4h6p-wphh-f8rf: Commands can be injected over the network and executed without authentication
ghsa_unreviewed·2024-08-02
CVE-2024-7029 [HIGH] CWE-77 GHSA-4h6p-wphh-f8rf: Commands can be injected over the network and executed without authentication
Commands can be injected over the network and executed without authentication.
VulnCheck
AVTECH IP Camera Command Injection Vulnerability
vulncheck·2024·CVSS 8.7
CVE-2024-7029 [HIGH] AVTECH IP Camera Command Injection Vulnerability
AVTECH IP Camera Command Injection Vulnerability
Commands can be injected over the network and executed without authentication.
Affected: AVTECH SECURITY Corporation AVTECH IP Camera
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-01&host_type=src&vulnerability=cve-2024-7029
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-04&host_type=src&vulnerability=cve-2024-7029
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?
CISA ICS
AVTECH IP Camera
cisa_ics·2024-08-01·CVSS 8.7
[HIGH] AVTECH IP Camera
ICS Advisory
## AVTECH IP Camera
Release Date: August 01, 2024
Alert Code: ICSA-24-214-07
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
- Vendor: AVTECH SECURITY Corporation
- Equipment: IP camera
- Vulnerability: Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following AVTECH IP camera was identified as being affected; it is suspected that prior versions of other IP cameras an
Suricata
ET WEB_SPECIFIC_APPS AVTECH IP Camera LED Brightness Parameter Command Injection Attempt (CVE-2024-7029)
suricata·2024-08-28·CVSS 8.7
CVE-2024-7029 [HIGH] ET WEB_SPECIFIC_APPS AVTECH IP Camera LED Brightness Parameter Command Injection Attempt (CVE-2024-7029)
ET WEB_SPECIFIC_APPS AVTECH IP Camera LED Brightness Parameter Command Injection Attempt (CVE-2024-7029)
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH IP Camera LED Brightness Parameter Command Injection Attempt (CVE-2024-7029)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:31; content:"/cgi-bin/supervisor/Factory.cgi"; http.request_body; content:"action=white_led&brightness|3d 24 28|"; fast_pattern; startswith; reference:url,www.akamai.com/blog/security-research/2024/aug/2024-corona-mirai-botnet-infects-zero-day-sirt; reference:cve,2024-7029; classtype:trojan-activity; sid:2055585; rev:1; metadata:affected_product IP_Camera, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_08_28, cve CVE_2024_7029, deployme
```
Nuclei
AVTECH IP Camera - Command Injection
nuclei·CVSS 8.7
CVE-2024-7029 [HIGH] AVTECH IP Camera - Command Injection
AVTECH IP Camera - Command Injection
The endpoint `/cgi-bin/supervisor/Factory.cgi` is vulnerable to command injection via the `action` parameter, allowing remote code execution.
Template:
```yaml
id: CVE-2024-7029

info:
  name: AVTECH IP Camera - Command Injection
  author: DhiyaneshDK
  severity: high
  description: |
    The endpoint `/cgi-bin/supervisor/Factory.cgi` is vulnerable to command injection via the `action` parameter, allowing remote code execution.
  impact: |
    Authenticated attackers can execute arbitrary commands on the AVTECH IP camera system, achieving complete device compromise and potentially using it as a pivot point for network attacks.
  remediation: |
    Apply security patches from AVTECH or implement network segmentation and access controls to restrict access to the vulnerable endpoint.
```
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
# RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus
2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Bleepingcomputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks
blogs_bleepingcomputer·2025-10-09·CVSS 8.8
[HIGH] RondoDox botnet targets 56 n-day flaws in worldwide attacks
## RondoDox botnet targets 56 n-day flaws in worldwide attacks
## Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and has been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize the infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
Qualys
Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai | Qualys
blogs_qualys·2025-01-21
Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai | Qualys
The Qualys Threat Research Unit has uncovered a large-scale, ongoing operation within the Mirai campaign, dubbed Murdoc Botnet. This variant exploits vulnerabilities targeting AVTECH Cameras and Huawei HG532 routers. It demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks. In this blog, we will explore Murdoc Botnet’s propagation methods and attack vectors.
## Overview of the la
Bleepingcomputer
Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
blogs_bleepingcomputer·2024-08-29·CVSS 8.7
CVE-2024-7029 [HIGH] Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
## Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
## Bill Toulas
The Corona Mirai-based malware botnet is spreading through a 5-year-old remote code execution (RCE) zero-day in AVTECH IP cameras, which have been discontinued for years and will not receive a patch.
The flaw, discovered by Akamai's Aline Eliovich, is tracked as CVE-2024-7029 and is a high-severity (CVSS v4 score: 8.7) issue in the "brightness" function of the cameras, allowing unauthenticated attackers to inject commands over the network using specially crafted requests.
Specifically, the easy-to-exploit flaw lies in the "brightness" argument in the "action=" parameter of the AVTECH cameras' firmware, intended to allow remote adjustments to the brightness of a camera.
The flaw impacts all AVTECH A
Greynoiseio
NoiseLetter September 2024
blogs_greynoiseio
NoiseLetter September 2024
Published: 2024-08-02
Exploited in the wild