CVE-2026-2564
Weak Password Recovery Vulnerability in Intelbras VIP 3260 Z IA
Publication date: 2026-02-16
Last updated on: 2026-02-16
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intelbras | vip_3260_z_ia | 2.840.00ib005.0.t |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2564 is a critical security vulnerability in the Intelbras VIP 3260 Z IA device, version 2.840.00IB005.0.T. It exists in an unknown function within the file /OutsideCmd and involves a weakness in the password recovery mechanism.
The vulnerability allows an unauthenticated remote attacker to bypass proper verification during password recovery, enabling them to reset the administrator password without authorization. This happens because the backend improperly trusts client-side validation of the recovery code and does not enforce proper verification during the password change process.
Exploitation of this flaw can lead to full compromise of the device, including unauthorized administrative access.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized administrative access to the affected device.
- An attacker can remotely reset the administrator password without authentication.
- Full compromise of the device is possible, allowing the attacker to control it.
- Confidentiality, integrity, and availability of the device are all at risk.
- Attackers can view live camera feeds and potentially manipulate device settings.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Intelbras VIP 3260 Z IA device, specifically version 2.840.00IB005.0.T, and involves a weakness in the password recovery mechanism accessible via the /OutsideCmd file. Detection would involve monitoring for unauthorized attempts to access or manipulate this endpoint remotely.
Since the vulnerability allows remote unauthenticated password reset by bypassing server-side validation, network detection could focus on unusual HTTP requests targeting the /OutsideCmd endpoint, especially those attempting password recovery or reset operations.
However, no specific detection commands or signatures are provided in the available information.
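One way to implement the monitoring described above, as an added example that is not part of the original advisory or any vendor tooling: it scans access-log lines for requests to /OutsideCmd that come from outside a trusted management network. It assumes the camera sits behind a reverse proxy or gateway writing Common Log Format; the subnet, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: requests to the camera pass a reverse proxy or gateway that
# writes Common Log Format lines; the page does not describe device logging.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WATCHED_PATH = "/outsidecmd"  # /OutsideCmd from the advisory, compared lowercased
# Hypothetical management subnet allowed to reach the device.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines; methods, status codes and addresses are made up.
SAMPLE_LOG = [
    '10.20.0.15 - - [16/Feb/2026:09:01:12 +0000] "POST /OutsideCmd HTTP/1.1" 200 64',
    '203.0.113.7 - - [16/Feb/2026:09:03:40 +0000] "POST /OutsideCmd HTTP/1.1" 200 64',
    '203.0.113.7 - - [16/Feb/2026:09:03:41 +0000] "POST /outsidecmd/ HTTP/1.1" 200 64',
    '198.51.100.23 - - [16/Feb/2026:09:05:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    'truncated line without a request field',
]


def is_trusted(addr):
    """True only for a parseable IP inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or garbage in the client field: not trusted
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_hits(lines):
    """Map source -> [(timestamp, method, status)] for untrusted /OutsideCmd requests."""
    hits = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # malformed line, nothing to classify
        # Normalise the target: drop the query, decode %xx, ignore case and trailing slash.
        path = unquote(urlsplit(m["target"]).path).rstrip("/").lower()
        if path == WATCHED_PATH and not is_trusted(m["src"]):
            hits.setdefault(m["src"], []).append((m["ts"], m["method"], int(m["status"])))
    return hits


if __name__ == "__main__":
    print(find_untrusted_hits(SAMPLE_LOG))
```

Any source reported here reached the recovery endpoint from outside the management subnet and is worth correlating with subsequent administrator logins on the device.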
What immediate steps should I take to mitigate this vulnerability?
The primary recommended mitigation is to upgrade the affected Intelbras VIP 3260 Z IA device to a fixed version that addresses this vulnerability.
Since the vulnerability allows remote unauthenticated attackers to reset the administrator password, immediate steps include restricting network access to the device's management interface, such as limiting access to trusted IP addresses or placing the device behind a firewall.
Additionally, monitoring for suspicious activity targeting the password recovery functionality and changing any potentially compromised credentials after applying the fix is advised.