CVE-2025-34021
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-11-20
Assigner: VulnCheck
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow a remote unauthenticated attacker to induce the affected camera devices to make arbitrary HTTP requests to internal or external hosts. This can be used to bypass firewall policies, perform internal network service and host enumeration, and potentially gain unauthorized access or information about internal network resources. The device can effectively be used as a proxy to reach otherwise inaccessible systems, increasing the risk of further attacks on the internal network. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted POST JSON requests to the camera's web application endpoints such as /cps/test_backup_server or /cps/test_url with parameters 'ipnotify_address' or 'url' containing arbitrary IP addresses or URLs. If the device makes HTTP requests to these addresses and returns responses indicating success or connection refusal, it confirms the vulnerability. Example commands using curl could be:

```
curl -X POST http://<camera-ip>/cps/test_backup_server -H 'Content-Type: application/json' -d '{"ipnotify_address":"http://attacker-controlled-domain.com"}'
curl -X POST http://<camera-ip>/cps/test_url -H 'Content-Type: application/json' -d '{"url":"http://internal-ip-or-domain"}'
```

Monitoring network traffic for unexpected HTTP requests originating from the camera to internal or external hosts can also help detect exploitation attempts. [2, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the affected Selea Targa IP OCR-ANPR camera firmware and CarPlateServer software to the latest versions where the vulnerability has been fixed, as acknowledged by the vendor. Until updates are applied, restrict network access to the camera devices, especially limiting their ability to make outbound HTTP requests to untrusted or internal network destinations. Implement network-level controls such as firewall rules to block unauthorized outbound connections from the cameras. Additionally, monitor for suspicious POST requests targeting the vulnerable JSON parameters and consider disabling or restricting access to the vulnerable endpoints if possible. [1, 3]
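The monitoring suggested in the two answers above can be run over requests logged by a reverse proxy or IDS placed in front of the cameras. This is an added example, not code from the vendor or from this page's sources. The record layout (source, method, path, body), the sample records and the allowlisted host are constructed assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Endpoints and JSON parameters named on this page.
ENDPOINTS = {"/cps/test_backup_server", "/cps/test_url"}
PARAMS = ("ipnotify_address", "url")

def target_host(value):  # host part of a URL or of a bare host[:port]
    value = value.strip() if isinstance(value, str) else ""
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:  # malformed authority: report the raw value
        return value

def classify(host):  # label a destination so internal IP literals stand out
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "public-ip" if ip.is_global else "internal-ip"

def review(records, allowed_hosts=frozenset()):
    """Return (src, path, host, label) for each non-allowlisted test request."""
    findings = []
    for src, method, path, body in records:
        path = path.split("?", 1)[0].rstrip("/")
        if method.upper() != "POST" or path not in ENDPOINTS:
            continue
        try:
            params = json.loads(body or "{}")
        except ValueError:
            params = None
        if not isinstance(params, dict):
            findings.append((src, path, None, "unparseable-body"))
            continue
        for name in PARAMS:
            host = target_host(params.get(name))
            if host and host not in allowed_hosts:
                findings.append((src, path, host, classify(host)))
    return findings

# Constructed sample records: (source address, method, path, request body).
SAMPLE = [
    ("198.51.100.23", "POST", "/cps/test_url", '{"url": "http://10.0.0.5:8080/"}'),
    ("198.51.100.23", "POST", "/cps/test_backup_server", '{"ipnotify_address": "169.254.169.254"}'),
    ("10.20.0.15", "POST", "/cps/test_backup_server", '{"ipnotify_address": "http://backup.example.net/"}'),
]
print(review(SAMPLE, {"backup.example.net"}))
```

Hostnames are labelled without resolving them, so a name that points at an internal address still needs a DNS check during triage.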
Can you explain this vulnerability to me?
CVE-2025-34021 is a server-side request forgery (SSRF) vulnerability in multiple Selea Targa IP OCR-ANPR camera models. The vulnerability occurs because the camera's application does not properly validate user-supplied JSON POST parameters such as 'ipnotify_address' and 'url'. These parameters are used internally to fetch images or perform DNS lookups. An attacker can exploit this by sending crafted requests that cause the camera to make arbitrary HTTP requests to internal or external systems, potentially bypassing firewall restrictions and enabling internal network service enumeration. [1, 2, 3, 4]