CVE-2025-50110
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-15

Assigner: MITRE

Description
An issue was discovered in the method push.lite.avtech.com.AvtechLib.GetHttpsResponse in AVTECH EagleEyes Lite 2.0.0. GetHttpsResponse transmits sensitive information, including internal server URLs, account IDs, passwords, and device tokens, as plaintext query parameters in the URL of an HTTPS request. TLS encrypts the URL in transit, but a query string is still written to web server access logs, proxy logs, the device's own logs and WebView history, and can leak through Referer headers, so the secrets are exposed wherever the URL is stored or the TLS session is terminated.
Affected Vendors & Products

Vendor    Product          Version / Range
avtech    eagleeyes_lite   2.0.0
CWE ID    Description
CWE-319   The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-598   The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
Executive Summary

This vulnerability in AVTECH EagleEyes Lite 2.0.0 involves the GetHttpsResponse method transmitting sensitive information such as internal server URLs, account IDs, passwords, and device tokens as plaintext query parameters in the URL of its HTTPS requests. HTTPS protects the query string on the wire, but it does not protect the URL at rest: web server access logs, TLS-terminating or debugging proxies, crash reports, the device's own logs and history, and outgoing Referer headers all record full URLs, and anywhere the TLS session is terminated or intercepted the secrets are readable in the clear. Placing credentials and tokens in the URL therefore compromises confidentiality and increases the risk of unauthorized access. [1]

Impact Analysis

The vulnerability exposes account credentials, device tokens and internal server URLs to anyone who can read the request URL, whether from server or proxy logs, from a device or backup, or by monitoring the network at a point where TLS is terminated. With those values an attacker can authenticate as the user to the AVTECH CCTV back end and learn the internal addresses it talks to, potentially allowing them to compromise device security and user privacy. [1]

Detection Guidance

This vulnerability can be detected by monitoring the HTTPS requests made by the EagleEyes Lite Android application version 2.0.0 and looking for query parameters that carry sensitive information such as account_id, password, device tokens, or internal server URLs in plaintext. A practical approach is to use a hooking tool like Frida with a script (e.g., a hook.js) to intercept calls to the GetHttpsResponse() method and inspect the URL argument before it is sent, which sidesteps TLS entirely. Network traffic analysis with a debugging proxy is the alternative, but on Android 7.0 and later an app that targets API level 24 or higher does not trust user-installed CA certificates by default, so the proxy's certificate must be installed as a system CA on a rooted device, the app must be repackaged with a permissive network security configuration, or the trust checks must be hooked at runtime. [1]
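The check described above, as an added example that is not part of the advisory or of AVTECH's code: a Frida script that wraps every overload of push.lite.avtech.com.AvtechLib.GetHttpsResponse and classifies the query string of the URL argument. The method's real signature is not given in the advisory, so the script assumes the request URL is the first String argument; the parameter names beyond account_id and password, the host push.example.invalid and the sample request are constructed for illustration. The classifier is plain JavaScript, so the same file also runs under Node for offline triage of URLs captured from a proxy or log.

```javascript
// Added example (not AVTECH's code, not from the advisory). Two parts:
//  1. findSensitiveParams(): pure classifier for one request URL, runs anywhere.
//  2. A Frida hook that installs itself only when loaded inside the app
//     (frida -U -f push.lite.avtech.com -l hook.js) and calls the classifier.

// Parameter names that should never travel in a query string. account_id and
// password are the names given in the advisory; the rest are ASSUMED variants
// a practitioner would also want to catch.
const SENSITIVE_NAMES =
  /^(account_?id|user(name)?|pass(word|wd)?|pwd|token|device_?token|push_?token|session|api_?key|secret)$/i;

// Values that are themselves URLs (internal server addresses) are flagged even
// when the parameter name looks harmless.
const URL_VALUE = /^(https?|rtsp):\/\//i;

// Keep just enough of a value to correlate findings, never the whole secret.
function redact(value) {
  if (value.length <= 4) return '****';
  return value.slice(0, 2) + '*'.repeat(value.length - 4) + value.slice(-2);
}

// Return findings for one URL as [{name, reason, value}], values redacted so
// the finding itself is safe to write to a log.
function findSensitiveParams(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return [{ name: null, reason: 'unparseable URL', value: '' }];
  }
  const findings = [];
  for (const [name, value] of parsed.searchParams) {
    if (SENSITIVE_NAMES.test(name)) {
      findings.push({ name, reason: 'sensitive parameter name', value: redact(value) });
    } else if (URL_VALUE.test(value)) {
      findings.push({ name, reason: 'URL in query value', value: redact(value) });
    }
  }
  return findings;
}

// Constructed sample modelled on the request shape the advisory describes.
// Not a real capture; host, values and the srv/lang names are made up.
const SAMPLE_URL =
  'https://push.example.invalid/lite/register?account_id=cam01&password=Pa55w0rd!' +
  '&device_token=d3v1c3t0k3n&srv=http://10.0.0.5:8080/api&lang=en';

if (typeof Java !== 'undefined') {
  // Running inside Frida: hook every overload, since the real parameter list
  // is not documented, and ASSUME the first String argument is the URL.
  Java.perform(function () {
    const AvtechLib = Java.use('push.lite.avtech.com.AvtechLib');
    AvtechLib.GetHttpsResponse.overloads.forEach(function (overload) {
      overload.implementation = function () {
        const args = Array.prototype.slice.call(arguments);
        const url = args.find(function (a) { return typeof a === 'string'; });
        const hits = url ? findSensitiveParams(String(url)) : [];
        if (hits.length) {
          console.log('[CVE-2025-50110] GetHttpsResponse leaks: ' + JSON.stringify(hits));
        }
        // Forward to the original so the app keeps working while we observe.
        return this.GetHttpsResponse.apply(this, args);
      };
    });
  });
} else {
  // Running under Node: triage the constructed sample.
  console.log(JSON.stringify(findSensitiveParams(SAMPLE_URL), null, 2));
}
```

Under Frida the console output carries only redacted values, so the hooking session itself does not become another place the credentials are written down. Feeding real captured URLs to findSensitiveParams() from a proxy export works the same way; anything the classifier returns for a GetHttpsResponse URL is a hit for this CVE.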

Mitigation Strategies

The immediate mitigation is to stop transmitting account IDs, passwords, device tokens and internal server URLs in the URL query string. Credentials belong in the HTTPS request body of a POST, and bearer-style tokens in an Authorization header; neither is written to access logs, proxy logs, history or Referer headers the way a URL is, so the exposure goes away without any change to the transport. The server side should accept the credentials only in that form, so that a stale client sending them on the query string fails instead of silently working and being logged. The advisory also recommends updating or patching the application so that the secure GetHttpsUrlResponse() method is used instead of the vulnerable GetHttpsResponse() method. [1]
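The fix the paragraph describes, as an added example that is neither EagleEyes code nor from the advisory: the same registration call built the vulnerable way, with every field in the query string, beside a hardened builder that moves credentials into a form-encoded POST body and the device token into an Authorization header, plus the check that keeps the regression from coming back. The endpoint push.example.invalid, the field names other than account_id and password, and the sample values are assumptions.

```javascript
// Added example (not the EagleEyes implementation, not from the advisory).
// Request objects are plain {method, url, headers, body} so the shapes can be
// compared without a network; hand them to fetch()/OkHttp in real code.

const ENDPOINT = 'https://push.example.invalid/lite/register'; // ASSUMED endpoint
// Fields that must never appear in a URL. account_id and password come from
// the advisory; device_token and srv (internal server URL) are assumed names.
const SECRET_FIELDS = ['account_id', 'password', 'device_token', 'srv'];

// Vulnerable shape (what the advisory says GetHttpsResponse does): every field,
// secrets included, is serialised into the query string of a GET. That string
// is what access logs, proxies, WebView history and Referer headers record.
function buildVulnerableRequest(params) {
  const url = new URL(ENDPOINT);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return { method: 'GET', url: url.toString(), headers: {}, body: null };
}

// Hardened shape: only non-secret routing data stays in the URL; credentials
// and the internal server URL go in a form-encoded POST body; the device
// token travels as a bearer token. Cache-Control: no-store keeps intermediaries
// and the client cache from persisting the response.
function buildHardenedRequest(params) {
  const url = new URL(ENDPOINT);
  const body = new URLSearchParams();
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cache-Control': 'no-store',
  };
  for (const [k, v] of Object.entries(params)) {
    if (k === 'device_token') headers['Authorization'] = 'Bearer ' + v;
    else if (SECRET_FIELDS.includes(k)) body.set(k, v);
    else url.searchParams.set(k, v);
  }
  return { method: 'POST', url: url.toString(), headers, body: body.toString() };
}

// Regression check: true if any secret field is present in the request URL.
// Run it over every outgoing request in a unit test so CWE-598 cannot return.
function urlCarriesSecret(req) {
  const qs = new URL(req.url).searchParams;
  return SECRET_FIELDS.some((f) => qs.has(f));
}

// The only thing that should ever reach a log: method, path, non-secret query.
function logLine(req) {
  const u = new URL(req.url);
  return `${req.method} ${u.pathname}${u.search}`;
}

// Constructed sample values; not real credentials.
const PARAMS = {
  account_id: 'cam01',
  password: 'Pa55w0rd!',
  device_token: 'd3v1c3t0k3n',
  srv: 'http://10.0.0.5:8080/api',
  lang: 'en',
};

const vulnerable = buildVulnerableRequest(PARAMS);
const hardened = buildHardenedRequest(PARAMS);
console.log('vulnerable leaks via URL:', urlCarriesSecret(vulnerable), '->', logLine(vulnerable));
console.log('hardened   leaks via URL:', urlCarriesSecret(hardened), '->', logLine(hardened));
```

Moving the fields to a POST body is a client change only; the server must also stop reading those fields from the query string, or a legacy client will keep leaking them and keep working. The urlCarriesSecret() check belongs in the app's test suite next to whatever replaces GetHttpsResponse.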
