CVE-2019-25246
Authenticated File Disclosure in Beward N100 IP Camera Firmware
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| beward | n100_h.264_vga_ip_camera | m2.1.6 |
| beward | n100_h.264_vga_ip_camera | m2.1.6.04c014 |
| linux | linux_kernel | 2.6 |
| boa | boa | 0.94.14rc21 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Beward N100 H.264 VGA IP Camera version M2.1.6.04C014, where an authenticated attacker can exploit improper input validation of the 'READ.filePath' parameter in the fileread script or SendCGICMD API. By supplying absolute file paths, the attacker can read arbitrary system files on the device, such as /etc/passwd and /etc/issue, potentially disclosing sensitive system information. [1, 2]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with valid authentication credentials to read sensitive system files on the IP camera. This can lead to disclosure of system user information and system identification details, which may facilitate further attacks or unauthorized access to the device or network. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the fileread CGI script or SendCGICMD API on the Beward N100 H.264 VGA IP Camera with valid authentication credentials. For example, using curl with basic authentication to request sensitive files like /etc/passwd can confirm the vulnerability. A sample command is: curl -u admin:admin "http://<camera-ip>/cgi-bin/fileread?READ.filePath=/etc/passwd". If the contents of the file are returned, the device is vulnerable. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the camera's web interface to trusted users only, changing default credentials to strong, unique passwords, and disabling or restricting access to the fileread CGI script or SendCGICMD API if possible. Additionally, monitor and limit network access to the device to prevent unauthorized authenticated access. Since the vendor did not respond to disclosure, consider isolating the device from untrusted networks until a patch or update is available. [1, 2]