COMMAX CVD-Axx DVR 5.1.4 Weak Default Credentials Stream Disclosure

High
Advisory ID: ZSL-2021-5667
Release Date: 15 August 2021
Vendor: COMMAX Co., Ltd. - https://www.commax.com
Affected Version: CVD-AH04 DVR 4.4.1, CVD-AF04 DVR 4.4.1, CVD-AH16 DVR 5.1.4, CVD-AF16 DVR 4.4.1, CVD-AF08 DVR 5.1.2, CVD-AH08 DVR 5.1.2
CVE: N/A
Tested On: Boa/0.94.14rc19
Summary

COMMAX offers a wide range of proven AHD CCTV systems to meet customer needs and convenience in single or multi-family homes.

Description

The web control panel uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, disclosing the RTSP stream.

Proof of Concept
Disclosure Timeline
02.08.2021: Vulnerability discovered.
03.08.2021: Vendor contacted.
04.08.2021: Vendor contacted.
05.08.2021: No response from the vendor.
06.08.2021: Vendor contacted.
14.08.2021: No response from the vendor.
15.08.2021: Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
15.08.2021: Initial release
23.08.2021: Added references [1], [2] and [3]