
CISA Alert: Remote Code Execution in ZKTeco CCTV Firmware (CVE‑2024‑32107)

Vulnerabilities Reporter

Critical CVE‑2024‑32107 lets an unauthenticated attacker execute arbitrary code on ZKTeco IP cameras. L, S and T series models running firmware 3.2.1 through 3.2.5 are vulnerable; firmware 3.2.6 fixes the flaw. CVSS 9.8. Immediate patching and network segmentation are required.

Immediate Impact

A remote code execution (RCE) flaw has been discovered in ZKTeco CCTV camera firmware. The vulnerability allows an unauthenticated attacker to gain full control of the device and pivot to the internal network. The CVSS base score is 9.8 (Critical). Exploits are already circulating in underground forums.

Affected Products and Versions

  • Series: L series, S series, and T series IP cameras
  • Firmware versions: 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5
  • Management software: ZKAccess 4.5‑5.0 when used with the vulnerable cameras

Devices shipped between January 2022 and March 2024 are potentially affected. Newer firmware (3.2.6 and later) contains a fix, but many installations have not been updated.

Technical Details

The flaw lies in the camera’s web server component that handles requests to the /cgi-bin/upgrade.cgi endpoint. An attacker sends a crafted HTTP POST request carrying an over‑long Content‑Type header. The server copies the header value into a fixed‑size stack buffer without checking its length, producing a stack‑based buffer overflow; the overflow overwrites the saved return address and redirects execution to attacker‑controlled shellcode. Because the endpoint is reachable before authentication, no credentials are needed to trigger it.
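The following is an added illustration, not ZKTeco’s code: it shows the bug class described above (an unbounded copy of the request’s Content‑Type value into a fixed stack buffer) next to a bounded version that rejects over‑long input. The CGI interface hands the header to the handler as the CONTENT_TYPE environment variable; the 64‑byte buffer size, the function names and the sample header values are assumptions made for the example.

```c
/*
 * Added illustration, not ZKTeco's code: the bug class the advisory describes
 * (an unbounded copy of the request's Content-Type into a fixed stack buffer)
 * next to a bounded version. The CGI interface hands the header to the
 * handler as the CONTENT_TYPE environment variable; the buffer size and all
 * function names here are assumptions.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CT_BUF_LEN 64   /* assumed size of the on-stack header buffer */

/* Vulnerable pattern. strcpy() copies until the NUL the attacker chooses, so a
 * Content-Type longer than CT_BUF_LEN-1 bytes runs past 'buf' into the saved
 * frame pointer and return address. Kept only for contrast; never feed it
 * untrusted input. */
void parse_content_type_unsafe(const char *content_type)
{
    char buf[CT_BUF_LEN];
    strcpy(buf, content_type);           /* no length check: stack overflow */
    printf("media type: %s\n", buf);
}

/* Hardened version. Measure first with a bound, refuse anything that does not
 * fit together with its terminator, then copy exactly that many bytes.
 * Returns 0 on success, -1 if the header is missing or too long. */
int parse_content_type_safe(const char *content_type, char *out, size_t out_len)
{
    if (content_type == NULL || out == NULL || out_len == 0)
        return -1;
    size_t n = strnlen(content_type, out_len);   /* stops scanning at out_len */
    if (n >= out_len)
        return -1;                                /* reject; do not truncate silently */
    memcpy(out, content_type, n);
    out[n] = '\0';
    return 0;
}

/* What a CGI binary actually does: read CONTENT_TYPE as set by the web server
 * from the incoming request header, then parse it with the bounded routine. */
int handle_upgrade_request(char *out, size_t out_len)
{
    return parse_content_type_safe(getenv("CONTENT_TYPE"), out, out_len);
}

/* Constructed inputs for the demonstration: a normal multipart upload header
 * and a 511-byte header, about eight times the buffer. */
int demo_benign(void)
{
    char out[CT_BUF_LEN];
    return parse_content_type_safe("multipart/form-data; boundary=abc123", out, sizeof out);
}

int demo_hostile(void)
{
    char out[CT_BUF_LEN];
    char big[512];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return parse_content_type_safe(big, out, sizeof out);
}

int main(void)
{
    printf("benign header  -> %d (0 = accepted)\n", demo_benign());
    printf("hostile header -> %d (-1 = rejected)\n", demo_hostile());
    return 0;
}
```

The bounded version rejects rather than truncates: silently cutting a Content‑Type short can change its meaning (for example dropping a multipart boundary), and strnlen with an explicit limit keeps a multi‑megabyte header from costing more than one pass over out_len bytes.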

Once code execution is achieved, the attacker can:

  1. Install a persistent backdoor via the camera’s embedded Linux shell.
  2. Exfiltrate video streams and credentials stored in cleartext.
  3. Use the camera as a foothold to scan and compromise other devices on the same VLAN.

Proof‑of‑concept code was released on GitHub by researcher @ZeroDayHunter (see CVE‑2024‑32107 PoC). The exploit works against default configurations: the vulnerable endpoint requires no authentication, so any host that can reach the camera’s web interface, from the internet or from the internal LAN, can trigger it.

Mitigation Steps

  1. Apply the vendor patch – ZKTeco released firmware 3.2.6 on 2024‑04‑15. Download it from the official support portal: ZKTeco Firmware Updates.
  2. Isolate camera networks – Place all CCTV devices on a dedicated VLAN with strict egress filtering. Block outbound traffic to the internet unless required for NTP or cloud services.
  3. Disable unused services – Turn off HTTP/HTTPS access from untrusted networks. Use VPN or jump‑host access for remote management.
  4. Enforce strong authentication – Replace default credentials with unique, complex passwords. Enable two‑factor authentication if supported.
  5. Monitor for indicators of compromise (IoCs) – Look for unusual outbound connections from camera IPs on ports 80/443, new binaries under /usr/sbin/, or unknown files in /tmp/. A firmware upgrade may not remove a backdoor installed before the patch was applied, so run these checks on already‑patched cameras as well.

Timeline

  • 2024‑03‑28 – Vulnerability reported to ZKTeco via their coordinated disclosure program.
  • 2024‑04‑02 – ZKTeco acknowledges receipt and begins internal analysis.
  • 2024‑04‑10 – Patch development completed.
  • 2024‑04‑15 – Firmware 3.2.6 released publicly.
  • 2024‑04‑18 – CISA issues this alert.

Recommendations for Organizations

  • Inventory all ZKTeco cameras. Verify firmware version via the device’s web UI or SNMP.
  • Prioritize patching for cameras exposed to the internet.
  • If patching cannot be performed immediately, block inbound traffic to TCP ports 80 and 443 on the camera IPs using firewalls or ACLs; this closes the path to the vulnerable CGI endpoint until the 3.2.6 upgrade is done.
  • Conduct a post‑remediation scan to ensure no backdoors remain.
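The inventory and interim‑blocking recommendations above (and mitigation steps 1 and 2 earlier) reduce to one triage pass: decide per device whether its firmware is in the affected 3.2.1–3.2.5 range and, if so, emit a temporary rule for ports 80/443 while the upgrade is scheduled. The helper below is an added example, not ZKTeco or CISA code; the inventory text, its column layout (ip,series,firmware), and the iptables FORWARD chain are assumptions for the example. It compares versions numerically because a plain string comparison would rank a hypothetical "3.2.10" below "3.2.5" and mark a fixed camera as vulnerable.

```c
/*
 * Added triage helper, not ZKTeco or CISA code: classify an inventory of
 * cameras against the affected firmware range the advisory gives
 * (3.2.1 through 3.2.5, fixed in 3.2.6) and print a blocking rule for each
 * unpatched unit. Inventory contents, column layout and the iptables chain
 * are assumptions made for the example.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample inventory: ip,series,firmware, one device per line. */
static const char SAMPLE_INVENTORY[] =
    "10.20.5.11,L,3.2.3\n"
    "10.20.5.12,S,3.2.6\n"
    "10.20.5.13,T,3.2.10\n"   /* sorts before "3.2.5" as a string, but is newer */
    "10.20.5.14,L,3.2.5\n"
    "10.20.5.15,S,3.1.9\n";

/* Parse "a.b.c" into three non-negative ints. 0 on success, -1 if malformed. */
int parse_version(const char *s, int v[3])
{
    char extra;
    if (s == NULL || sscanf(s, "%d.%d.%d%c", &v[0], &v[1], &v[2], &extra) != 3)
        return -1;
    return (v[0] < 0 || v[1] < 0 || v[2] < 0) ? -1 : 0;
}

/* Numeric comparison (-1, 0, 1); avoids the strcmp() trap "3.2.10" < "3.2.5". */
int cmp_version(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 = inside the affected range, 0 = outside it, -1 = unparsable (review by hand). */
int is_vulnerable_firmware(const char *fw)
{
    static const int lo[3] = {3, 2, 1}, hi[3] = {3, 2, 5};
    int v[3];
    if (parse_version(fw, v) != 0)
        return -1;
    return (cmp_version(v, lo) >= 0 && cmp_version(v, hi) <= 0) ? 1 : 0;
}

/* Walk the inventory, print a verdict per device (if out is non-NULL) and an
 * interim iptables rule for each vulnerable one. Returns the vulnerable count. */
int triage_inventory(const char *inventory, FILE *out)
{
    char *copy = strdup(inventory);      /* strtok_r modifies its input */
    if (copy == NULL)
        return -1;
    int vulnerable = 0;
    char *save = NULL;
    for (char *line = strtok_r(copy, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char ip[64], series[16], fw[32];
        if (sscanf(line, "%63[^,],%15[^,],%31s", ip, series, fw) != 3) {
            if (out) fprintf(out, "SKIP   malformed line: %s\n", line);
            continue;
        }
        int verdict = is_vulnerable_firmware(fw);
        if (verdict == 1) {
            vulnerable++;
            if (out) {
                fprintf(out, "VULN   %s (%s series, fw %s)\n", ip, series, fw);
                /* Temporary ACL until the device runs 3.2.6 or later. */
                fprintf(out, "       iptables -I FORWARD -d %s -p tcp -m multiport"
                             " --dports 80,443 -j DROP\n", ip);
            }
        } else if (verdict == 0) {
            if (out) fprintf(out, "OK     %s (fw %s)\n", ip, fw);
        } else {
            if (out) fprintf(out, "REVIEW %s: cannot parse firmware '%s'\n", ip, fw);
        }
    }
    free(copy);
    return vulnerable;
}

int main(void)
{
    int n = triage_inventory(SAMPLE_INVENTORY, stdout);
    printf("%d device(s) need firmware 3.2.6 or later\n", n);
    return 0;
}
```

Unparsable versions are reported as REVIEW rather than silently treated as safe, so a camera whose web UI returns an unexpected version string still gets a human look. Replace SAMPLE_INVENTORY with the output of your own inventory step (web UI or SNMP query) to use it on real data.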

Contact Information

Report any exploitation activity to CISA at [email protected] or via the CISA reporting portal. For technical assistance, reach out to ZKTeco support at [email protected].


CISA remains vigilant. Stay updated on emerging threats and apply security patches promptly.
