Executive Summary

CVE-2025-9380 is a critical vulnerability in the FNKvision Y215 CCTV Camera firmware where hardcoded root credentials are embedded within multiple binaries (encoder and wifidaemon). These credentials are used to automatically recreate the /etc/passwd file, granting root-level shell access. The root password is weakly hashed and can be cracked quickly. Additionally, the device has an undocumented backdoor triggered by a specific file on an SD card that launches a Telnet daemon accessible with these credentials. This allows attackers with local or physical access to gain full control over the device. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to gain unauthorized root access to the FNKvision Y215 CCTV Camera, enabling full control over the device. Attackers can exploit hardcoded credentials to bypass authentication, access sensitive information such as Wi-Fi passwords stored in plaintext, and use the SD card backdoor to remotely access the device via Telnet. This compromises the confidentiality, integrity, and availability of the device, potentially allowing surveillance tampering, network infiltration, and persistent unauthorized access. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

Detection can be performed by checking for the presence of hardcoded root credentials in the device firmware and binaries, specifically the encoder and wifidaemon binaries. On the device, you can inspect the /etc/passwd file for unusual entries such as the username 'vstarcam2017'. Additionally, searching for the presence of the file 's1_rf_test_config' on any inserted SD card can indicate the Telnet backdoor activation. Commands to assist detection include: 1) Using strings or grep on firmware binaries to find hardcoded credentials, e.g., `strings encoder | grep vstarcam2017`; 2) Checking /etc/passwd for the hardcoded user: `cat /etc/passwd | grep vstarcam2017`; 3) Checking for Telnet daemon running: `ps aux | grep telnetd`; 4) Inspecting SD card for backdoor trigger file: `ls /mnt/sdcard/s1_rf_test_config`. Also, examining Wi-Fi configuration files for plaintext credentials: `cat /tmp/wpa_supplicant.conf` or `cat system/param/network.ini`. UART access can be used to verify root login capability if physical access is available. [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Restricting local physical access to the device to prevent exploitation of the hardcoded credentials and SD card backdoor; 2) Removing or disabling the Telnet daemon if possible, especially by ensuring no 's1_rf_test_config' file is present on any SD card; 3) Changing default network configurations and isolating the device on a separate network segment to limit exposure; 4) Monitoring for unauthorized access attempts; 5) Considering replacing the affected FNKvision Y215 CCTV Camera with a more secure alternative, as no vendor patches or countermeasures are currently available. Since the vulnerability requires local access and exploits hardcoded credentials, physical security and network segmentation are critical immediate defenses. [2, 3]

Useful 0 Not Useful 0