CVE-2025-67159
BaseFortify

Publication date: 2026-01-02

Last updated on: 2026-01-08

Assigner: MITRE

Description
Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor   | Product | Version / Range
vatilon  | vatilon | 1.12.37-20240124
CWE

CWE ID  | Description
CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67159 is a critical vulnerability in Vatilon-based IP camera firmware (notably JIENUO brand devices) where the /cgi-bin/web.cgi API endpoint accepts username and password parameters in plaintext via HTTP GET requests without enforcing server-side authentication or session validation. This allows unauthenticated remote attackers to bypass authentication controls, expose administrator credentials in plaintext, and access sensitive device information and administrative data. [2]


How can this vulnerability impact me?

This vulnerability can allow remote attackers to bypass authentication and gain unauthorized access to the device's administrative interface and sensitive information. Attackers can see administrator credentials in plaintext, retrieve device configurations, and potentially fully compromise the device. Exploitation requires no user interaction and can be performed remotely, posing a significant security risk. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for HTTP GET requests to the /cgi-bin/web.cgi API endpoint that include username and password parameters in plaintext. You can use network packet capture tools like tcpdump or Wireshark to filter such requests. For example, a tcpdump command to detect these requests might be: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/web.cgi?username=' or use Wireshark to filter HTTP requests containing '/cgi-bin/web.cgi' and inspect for plaintext credentials in URL parameters. Additionally, monitoring web server logs for unauthenticated access attempts to /cgi-bin/web.cgi with credential parameters can help detect exploitation attempts. [2]
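As an added example that is not part of this record or of any vendor code, the following Python script applies the log-based detection described in the answer above to web-server access-log lines: it flags requests whose path is exactly /cgi-bin/web.cgi and whose URL query carries credential-looking parameters, and reports them without copying the secret values into the alert. The log format (Common Log Format), the sample lines, and the list of parameter names treated as credentials are assumptions made for this example.

```python
"""Flag requests to /cgi-bin/web.cgi that carry credentials in the URL query
(plaintext credential transmission, CWE-319), scanning access-log lines.
All sample data below is constructed for this example, not real traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Common-Log-Format lines. Only the first one should be flagged:
# the third hits the endpoint without credentials, the fourth is a POST with
# no query string (a body would need packet capture, not access logs).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jan/2026:10:00:01 +0000] "GET /cgi-bin/web.cgi?username=admin&password=hunter2&cmd=getinfo HTTP/1.1" 200 512
198.51.100.7 - - [02/Jan/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [02/Jan/2026:10:01:12 +0000] "GET /cgi-bin/web.cgi?cmd=status HTTP/1.1" 401 0
203.0.113.9 - - [02/Jan/2026:10:01:20 +0000] "POST /cgi-bin/web.cgi HTTP/1.1" 200 64
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names we treat as credentials (assumption; extend for your devices).
CRED_PARAMS = {"username", "user", "password", "pass", "pwd"}
TARGET_PATH = "/cgi-bin/web.cgi"


def inspect_request(target):
    """Return the credential-bearing query parameter names in one request
    target, or an empty set if it is not a concern. The path is compared
    exactly, so look-alikes such as /cgi-bin/web.cgi.bak are not matched."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return set()
    params = parse_qs(parts.query, keep_blank_values=True)
    return {name for name in params if name.lower() in CRED_PARAMS}


def scan_log(text):
    """Return one finding per log line that exposes credentials in the URL.
    Values are deliberately left out of the finding so the alert itself does
    not re-expose the secret; only the parameter names are reported."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        exposed = inspect_request(m["target"])
        if exposed:
            findings.append({
                "src": m["src"],
                "ts": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "params": sorted(exposed),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {TARGET_PATH} "
              f"status={f['status']} credential params in URL: "
              f"{', '.join(f['params'])}")
```

A status of 200 on a flagged line is the more worrying case, since it indicates the device accepted the request; a 401 on the same path without credential parameters is ordinary traffic. Because credentials sent in a POST body never appear in access logs, pair this with the packet-capture approach from the answer above when the web server sits behind plain HTTP.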


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the device's web interface using network-level controls such as firewalls or VLAN segmentation to limit exposure. Monitor for abnormal web requests and access patterns targeting /cgi-bin/web.cgi. Apply any available firmware updates from the vendor that address this vulnerability as soon as they are released. Additionally, avoid using devices with the vulnerable firmware version until patched. Longer-term fixes involve enforcing server-side authentication and session validation for all API requests, eliminating plaintext credential transmission, and requiring valid authenticated sessions for web interface components. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability exposes user credentials in plaintext and allows unauthenticated remote attackers to access sensitive device information and administrative data. This exposure of sensitive information and lack of proper authentication controls could lead to non-compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data through secure authentication and encryption mechanisms. [2]

