Akuvox Smart Intercom/Doorphone Unauthenticated Stream Disclosure

Medium
Advisory ID
ZSL-2024-5826
Release Date
20 August 2024
Vendor
The Akuvox Company - https://www.akuvox.com
Affected Version
Doorphone: S539, S532, X916, X915, X912, R29
Intercom: R20K-2, R20A-2, C313W-2, NS-2, NC-2, NX-2
Firmware: 912.30.1.137
Tested On
lighttpd/1.4.30, EasyHttpServer
Summary

Vandal-resistant Door Phone for High-end Buildings. Offering top-of-the-line features, Akuvox X912 is targeted at high-end residential and commercial projects. With a compact size, it is perfect for buildings with limited installation space.

Description

The application suffers from an unauthenticated live stream disclosure when the video.cgi endpoint on port 8080 is requested.

Proof of Concept
Disclosure Timeline
25.02.2024 - Vulnerability discovered.
19.03.2024 - Vendor contacted.
20.03.2024 - Vendor responds asking for more details. Sends PGP key.
22.03.2024 - Replied to the vendor.
29.03.2024 - Vendor starts working on a fix.
02.04.2024 - Working with the vendor.
03.07.2024 - Vendor releases version 915.30.10.146 to address this issue.
20.08.2024 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
20.08.2024 - Initial release
23.03.2026 - Added reference [2]