CVE-2026-15680
Received Received - Intake

Remote Code Execution in Lorex 2K Indoor Wi-Fi Security Camera

Vulnerability report for CVE-2026-15680, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Zero Day Initiative

Description

Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
lorex 2k_indoor_wifi_security_camera *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15680 is a format string vulnerability in the Lorex 2K Indoor Wi-Fi Security Camera. The vulnerability exists in the 'sonia' binary, which improperly handles JSON requests by failing to validate user-supplied strings before using them as format specifiers.

A format string vulnerability occurs when an application passes untrusted input directly to a function that interprets format specifiers (e.g., printf in C). Attackers can exploit this to read or write arbitrary memory, leading to remote code execution (RCE). In this case, the flaw allows network-adjacent attackers to execute arbitrary code on the affected device without requiring authentication.

The vulnerability is classified as a 'Remote Code Execution' (RCE) issue, meaning successful exploitation could give attackers full control over the device with root privileges.

Impact Analysis

If you own or use a Lorex 2K Indoor Wi-Fi Security Camera affected by this vulnerability, the impact could be severe due to the following risks:

  • Unauthorized Access: Attackers on the same network (network-adjacent) can exploit this flaw without needing credentials, potentially gaining full control over the camera.
  • Remote Code Execution (RCE): Attackers could execute arbitrary code on the device, allowing them to manipulate camera functionality, disable security features, or use the device as a pivot point to attack other systems on your network.
  • Privacy Violations: Since the camera is a security device, attackers could access live feeds, recorded footage, or other sensitive data stored or transmitted by the camera.
  • Network Compromise: The camera could be used as an entry point to launch further attacks against other devices connected to your network, such as computers, smartphones, or IoT devices.

Given the CVSS base score of 7.5 (High), this vulnerability poses a significant risk, particularly in environments where the camera is used for security or monitoring purposes.

Compliance Impact

This vulnerability could have serious implications for compliance with data protection and privacy regulations, depending on how the affected camera is used:

  • GDPR (General Data Protection Regulation): If the camera is used in an environment where it captures or processes personal data of EU citizens (e.g., in a business or public space), unauthorized access to camera feeds or recordings could constitute a data breach. GDPR requires organizations to implement appropriate security measures to protect personal data, and failure to patch or mitigate this vulnerability could lead to non-compliance, fines, or legal action.
  • HIPAA (Health Insurance Portability and Accountability Act): In healthcare settings, if the camera is used to monitor areas where protected health information (PHI) is accessible (e.g., patient rooms, medical storage areas), exploitation of this vulnerability could result in unauthorized access to PHI. This would violate HIPAA's Security Rule, which mandates safeguards to protect electronic PHI (ePHI).
  • Other Standards (e.g., PCI DSS, NIST): If the camera is part of a broader security infrastructure (e.g., monitoring payment terminals or sensitive areas), exploitation could lead to non-compliance with standards like PCI DSS (for payment security) or NIST guidelines (for federal or critical infrastructure security).

Organizations using the affected camera should assess their risk exposure, apply patches or mitigations promptly, and document their response to demonstrate compliance with relevant regulations.

Mitigation Strategies

Based on the provided context, here are immediate mitigation steps for CVE-2026-15680:

  • Isolate affected Lorex 2K Indoor Wi-Fi Security Cameras from the network to prevent potential exploitation by network-adjacent attackers.
  • Check for firmware updates from the vendor (Lorex) and apply them as soon as they become available, as they may contain patches for this vulnerability.
  • Restrict network access to the cameras using firewalls or VLANs to limit exposure to only trusted devices or networks.
  • Monitor network traffic for unusual activity targeting the cameras, such as malformed JSON requests or unexpected format strings in network payloads.
  • Consider disabling the cameras temporarily if they are not critical to operations until a patch is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15680. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart