CVE-2021-47707
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| commax | cvd-axx_dvr | 5.1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in COMMAX CVD-Axx DVR version 5.1.4, where weak default administrative credentials are set. Specifically, the device allows remote attackers to access the web control panel by sending a POST request with the 'passkey' parameter set to '1234'. This enables unauthorized access and disclosure of the RTSP stream.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain unauthorized remote access to the DVR's web control panel, potentially allowing them to view or manipulate video streams and device settings. This can lead to privacy breaches, unauthorized surveillance, and control over the device.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the COMMAX CVD-Axx DVR 5.1.4 device on your network and attempting to access its web control panel using a POST request with the 'passkey' parameter set to '1234'. For example, you can use a command like: curl -X POST -d "passkey=1234" http://<device-ip>/ to see if access is granted.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include changing the default administrative credentials on the COMMAX CVD-Axx DVR device to a strong, unique password to prevent unauthorized access. Additionally, restrict network access to the device's web control panel to trusted hosts only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized remote access to video streams and administrative control panels due to weak default credentials, leading to potential exposure of sensitive personal or surveillance data. Such unauthorized disclosure and access could violate data protection requirements under standards like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to ensure confidentiality and prevent unauthorized access. Therefore, exploitation of this vulnerability could result in non-compliance with these regulations by compromising the privacy and security of protected data. [2, 3, 4]