CISA issues an advisory warning of critical remote code execution flaws in Hangzhou Xiongmai XM530 IP cameras, detailing affected versions, CVSS scores, and immediate mitigation steps.
On September 12, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued Alert AA23-260A concerning multiple critical vulnerabilities affecting the Hangzhou Xiongmai Technology Co., Ltd XM530 IP camera series. The alert warns that unauthenticated attackers can achieve remote code execution, obtain sensitive video streams, and manipulate device settings.
The advisory identifies three distinct flaws tracked as CVE-2023-28471, CVE-2023-28472, and CVE-2023-28473. Each vulnerability carries a CVSS v3.1 base score of 9.8, reflecting the potential for full compromise without user interaction. Affected devices run firmware versions earlier than V5.4.2 build 230915, which includes the XM530 model sold under various OEM brands.
Technical details show that the first flaw resides in the device’s web management interface where improper input validation allows command injection via the HTTP GET parameter "cmd". The second flaw exploits an unauthenticated RTSP stream handler that permits buffer overflow when a specially crafted SETUP request is sent. The third flaw involves a hard‑coded credential in the telnet service that grants root access to anyone who can reach port 23.
CISA recommends immediate mitigation steps for administrators and owners. First, apply the firmware update released by Xiongmai on August 30, 2023, which patches all three CVEs. Second, if updating is not feasible, disable external access to the web interface (port 80), RTSP port (554), and telnet port (23) by placing the camera behind a firewall or VPN. Third, change any default passwords and monitor logs for unusual login attempts.
Xiongmai has published the updated firmware on its support portal (https://www.xiongmai.com/support/firmware) and advises customers to verify the version via the device’s web interface under System > Information. The vendor also released a security notice (https://www.xiongmai.com/security/advisory/2023-08-30) detailing the fixes. Users should confirm that the installed build reads V5.4.2 or later before considering the device safe.
The timeline of events begins with the initial discovery reported to Xiongmai on June 15, 2023, followed by internal validation and patch development. CISA received the information on August 28, 2023, and published the alert on September 12, 2023. Public disclosure aligns with the vendor’s patch release to allow timely protection.
Comments
Please log in or register to join the discussion