Significant number of Critical Vulnerabilities in Zavio IP Cameras
Take action: If you are using Zavio IP cameras, you should definitely start planning to replace them. The only thing worse than a critical vulnerability in a product is a vendor of the product that ignores the issue and doesn't patch it.
Learn More
BugProve is reporting a critical security advisory regarding Zavio IP cameras. This advisory highlights seven pre-authentication remote code execution (RCE) vulnerabilities and 26 post-authentication code execution vectors. The vulnerabilities stem from memory corruption issues within the ONVIF daemon present in select Zavio IP camera models.
The impacted products are the following Zavio IP camera models, all running firmware version M2.1.6.05:
- Zavio CF7500
- Zavio CF7300
- Zavio CF7201
- Zavio CF7501
- Zavio CB3211
- Zavio CB3212
- Zavio CB5220
- Zavio CB6231
- Zavio B8520
- Zavio B8220
- Zavio CD321
BugProve initially reported these vulnerabilities to Zavio on 9 December 2022. Despite repeated reminders and diligent follow-ups, Zavio remained unresponsive, prompting BugProve to involve respected organizations such as MITRE and the Cybersecurity and Infrastructure Security Agency (CISA).
The severity of these vulnerabilities cannot be overstated, as they grant malicious actors the capability to execute arbitrary code on affected Zavio IP cameras. These devices, estimated to number in the tens of thousands, continue to operate on public networks, posing a significant security risk.
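As an added example (not code from BugProve, Zavio, or the advisory), the following Python script triages stored ONVIF GetDeviceInformation responses from cameras you administer against the model and firmware list above, and raises the priority for any affected unit whose management address is outside the private, loopback and link-local ranges. The SOAP samples, serial numbers, addresses and the non-affected firmware placeholder are constructed for the example; the ONVIF device-management namespace and the response element names come from the ONVIF specification.

```python
"""Triage ONVIF GetDeviceInformation responses against the Zavio advisory.

Added example, not part of the advisory or any vendor software. Input is a
list of (management IP, SOAP response XML) pairs collected from cameras you
administer; output is a finding per device with a replacement priority.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Model codes and firmware version named in the advisory.
AFFECTED_FIRMWARE = "M2.1.6.05"
AFFECTED_MODELS = frozenset({
    "CF7500", "CF7300", "CF7201", "CF7501", "CB3211", "CB3212",
    "CB5220", "CB6231", "B8520", "B8220", "CD321",
})

# ONVIF device-management namespace used by GetDeviceInformationResponse.
NS = {"tds": "http://www.onvif.org/ver10/device/wsdl"}

# Ranges treated as internal; anything else is considered publicly routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_device_info(soap_xml: str) -> Dict[str, str]:
    """Extract identification fields from a GetDeviceInformation response."""
    root = ET.fromstring(soap_xml)
    resp = root.find(".//tds:GetDeviceInformationResponse", NS)
    if resp is None:
        raise ValueError("no GetDeviceInformationResponse element in document")
    info = {}
    for field in ("Manufacturer", "Model", "FirmwareVersion", "SerialNumber"):
        el = resp.find(f"tds:{field}", NS)
        info[field] = (el.text or "").strip() if el is not None else ""
    return info


def is_affected(info: Dict[str, str]) -> bool:
    """True when manufacturer, model and firmware match the advisory."""
    if "zavio" not in info.get("Manufacturer", "").lower():
        return False
    # Some units report the brand inside the model string; reduce to the bare code.
    model = info.get("Model", "").upper().replace("ZAVIO", "").strip()
    return model in AFFECTED_MODELS and info.get("FirmwareVersion") == AFFECTED_FIRMWARE


def is_publicly_routable(ip_text: str) -> bool:
    """True for addresses outside the internal ranges listed above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def triage(devices: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per (ip, response XML) pair with a replacement priority."""
    findings = []
    for ip_text, soap_xml in devices:
        info = parse_device_info(soap_xml)
        affected = is_affected(info)
        if affected and is_publicly_routable(ip_text):
            priority = "replace-now"   # affected and reachable from outside
        elif affected:
            priority = "replace"       # affected; no patch will be issued
        else:
            priority = "ok"
        findings.append({
            "ip": ip_text,
            "model": info["Model"],
            "firmware": info["FirmwareVersion"],
            "affected": affected,
            "priority": priority,
        })
    return findings


def _response(manufacturer: str, model: str, firmware: str, serial: str) -> str:
    """Build a constructed GetDeviceInformation SOAP response for the sample set."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:tds="http://www.onvif.org/ver10/device/wsdl">
  <s:Body>
    <tds:GetDeviceInformationResponse>
      <tds:Manufacturer>{manufacturer}</tds:Manufacturer>
      <tds:Model>{model}</tds:Model>
      <tds:FirmwareVersion>{firmware}</tds:FirmwareVersion>
      <tds:SerialNumber>{serial}</tds:SerialNumber>
      <tds:HardwareId>1</tds:HardwareId>
    </tds:GetDeviceInformationResponse>
  </s:Body>
</s:Envelope>"""


# Constructed sample inventory: 203.0.113.0/24 is a documentation range used
# here as a stand-in for a public address; serials and the non-affected
# firmware string are placeholders.
SAMPLE_DEVICES = [
    ("192.168.10.21", _response("Zavio", "CF7500", "M2.1.6.05", "SERIAL-PLACEHOLDER-1")),
    ("203.0.113.7", _response("ZAVIO", "Zavio CB3211", "M2.1.6.05", "SERIAL-PLACEHOLDER-2")),
    ("192.168.10.22", _response("Zavio", "CF7500", "FW-PLACEHOLDER", "SERIAL-PLACEHOLDER-3")),
    ("192.168.10.23", _response("OtherVendor", "X1", "1.0", "SERIAL-PLACEHOLDER-4")),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_DEVICES):
        print(f"{f['ip']:<15} {f['model']:<14} {f['firmware']:<16} {f['priority']}")
```

Feed `triage()` the responses your management tooling already collects; it does not contact any device itself. The firmware comparison is exact because the advisory names a single version, so a unit reporting anything else is left at "ok" for a human to review rather than being silently matched.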
Unfortunately, Zavio, a Chinese manufacturer specializing in video surveillance equipment, did not engage constructively during the disclosure process. Consequently, CISA stepped in to oversee coordination efforts, testing, and vulnerability confirmation. Full details are available on the BugProve site.
Users of Zavio IP cameras are strongly advised to replace their devices, as proper updates to patch these vulnerabilities will not be made available.