CRITICAL🇵🇱 Wersja polska

CVE-2025-7503

CVSS 10.0v4.0pub. 2025-07-11upd. 2026-04-15

An OEM IP camera manufactured by Shenzhen Liandian Communication Technology LTD exposes a Telnet service (port 23) with undocumented, default credentials. The Telnet service is enabled by default and is not disclosed or configurable via the device’s web interface or user manual. An attacker with network access can authenticate using default credentials and gain root-level shell access to the device. The affected firmware version is AppFHE1_V1.0.6.0 (Kernel: KerFHE1_PTZ_WIFI_V3.1.1, Hardware: HwFHE1_WF6_PTZ_WIFI_20201218). No official fix or firmware update is available, and the vendor could not be contacted. This vulnerability allows for remote code execution and privilege escalation.

🤖 AI Analysis
How it works

The vulnerability results from the presence of hardcoded default credentials in the device firmware (CWE-798). The Telnet service is enabled by default, is not disclosed in the web interface or user documentation, preventing the administrator from consciously managing it or disabling it. An attacker with network access to port 23 can authenticate without restriction using the default credentials and obtain an interactive system shell with root privileges.

Impact

Attacker gains full control of the device at root level, enabling remote code execution (RCE), privilege escalation (LPE), configuration modification, eavesdropping on camera footage, and potential exploitation of the device as an entry point to the local network.

Mitigation & patch

No official patch or firmware update is available — the manufacturer was unreachable. It is recommended to immediately isolate devices from public networks, block access to TCP port 23 (Telnet) at the firewall or network switch level, and consider decommissioning devices until an official patch is released by the manufacturer.

Who is affected

OEM IP cameras manufactured by Shenzhen Liandian Communication Technology LTD with firmware AppFHE1_V1.0.6.0 (Kernel: KerFHE1_PTZ_WIFI_V3.1.1, Hardware: HwFHE1_WF6_PTZ_WIFI_20201218). Affects devices from the V380 CCTV IP Camera family.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCELPE
CWE
References