CVE-2019-25247
CSRF Vulnerability in Beward N100 IP Camera Enables Admin Takeover
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| beward | n100_h.264_vga_ip_camera | m2.1.6.04c014 |
| farady | linux | 2.6 |
| boa | boa | 0.94.14rc21 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the BEWARD N100 H.264 VGA IP Camera version M2.1.6.04C014 is a Cross-Site Request Forgery (CSRF) flaw. It occurs because the camera's web application interface does not properly validate the authenticity of HTTP requests. This allows an attacker to craft a malicious web page with a hidden form that, when visited by a logged-in user, can submit unauthorized requests to the camera. Specifically, the attacker can add a new administrative user without proper authorization by exploiting this lack of request validation. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker to gain unauthorized administrative access to the affected IP camera by adding a new admin user remotely. If a logged-in user visits a malicious website, the attacker can exploit the CSRF flaw to perform administrative actions without the user's consent. This can lead to privilege escalation, unauthorized control over the device, and potential compromise of the camera's security and functionality. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the endpoint `/cgi-bin/admin/param` with parameters indicating an attempt to add an admin user, such as `action=add`, `group=General.UserID`, and `template=UserID`. You can use network traffic analysis tools like tcpdump or Wireshark to capture and inspect such requests. For example, a tcpdump command to filter HTTP POST requests to the camera's IP might be: `tcpdump -i <interface> host <camera_ip> and tcp port 80 and 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'` (which filters for HTTP POST). Additionally, inspecting web server logs on the device (if accessible) for POST requests to `/cgi-bin/admin/param` with suspicious parameters can help detect exploitation attempts. [2]
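The request pattern described above, turned into detection logic as an added example (not code from this record or from the vendor): it parses captured HTTP requests, flags POSTs to `/cgi-bin/admin/param` that carry the add-user parameters, and notes whether the Origin/Referer header names a host other than the camera. The camera address, the attacker host name and the sample requests are constructed for the example.

```python
"""Flag CVE-2019-25247 exploitation attempts: POST /cgi-bin/admin/param with
action=add, group=General.UserID, template=UserID. Samples are constructed."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ADMIN_ENDPOINT = "/cgi-bin/admin/param"
ADD_USER_MARKERS = {"action": "add", "group": "General.UserID", "template": "UserID"}

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": headers, "body": body}

def classify(raw: str) -> Optional[dict]:
    """Return a finding for an add-user POST to the param endpoint, else None.
    cross_site is True when Origin/Referer names a host other than the camera."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != ADMIN_ENDPOINT:
        return None
    params = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    if any(params.get(k) != v for k, v in ADD_USER_MARKERS.items()):
        return None
    # A missing Origin/Referer is reported as not cross-site; that is a gap, not proof.
    source = req["headers"].get("origin") or req["headers"].get("referer") or ""
    source_host = urlsplit(source).netloc
    cross_site = bool(source_host) and source_host != req["headers"].get("host", "")
    return {"cross_site": cross_site, "source_host": source_host}

SAMPLE_REQUESTS = [
    # Constructed: form auto-submitted from a third-party page (cross-site origin).
    "POST /cgi-bin/admin/param HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Origin: http://attacker.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=add&group=General.UserID&template=UserID",
    # Constructed: the same action issued from the camera's own admin page.
    "POST /cgi-bin/admin/param HTTP/1.1\r\nHost: 192.0.2.10\r\nReferer: http://192.0.2.10/admin.html\r\n\r\n"
    "action=add&group=General.UserID&template=UserID",
    # Constructed: unrelated request that must not be flagged.
    "GET /cgi-bin/view HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]
```

A same-origin match still deserves a look, since a legitimate admin adding a user and a forged request from a browser that omits Origin/Referer are indistinguishable on the wire; correlate with who was logged in at the time.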
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the camera's web interface to trusted networks only, disabling remote administration if possible, and ensuring users do not visit untrusted websites while logged into the camera's admin interface to prevent CSRF attacks. Applying any available firmware updates or patches from the vendor is recommended, although no vendor response was noted. Additionally, implementing network-level protections such as firewall rules to block unauthorized HTTP requests to the camera's admin endpoints can reduce risk. [1, 2]