CVSSv2 score: 5

CVE-2020-24215

Published: 06/10/2020 Updated: 21/11/2024

Vulnerability Summary

An issue exists in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the device including retrieving the device's configuration (with the cleartext admin password), and uploading a custom firmware update, to ultimately achieve arbitrary code execution.

Vulnerable Product

szuray iptv/h.264 video encoder firmware -

szuray iptv/h.265 video encoder firmware -

jtechdigital h.264 iptv encoder 1080p@60hz firmware -

provideoinstruments vecaster-hd-h264 firmware -

provideoinstruments vecaster-hd-hevc firmware -

provideoinstruments vecaster-4k-hevc firmware -

provideoinstruments vecaster-hd-sdi firmware -

Exploits

HiSilicon Video Encoder allows for full administrative access via a backdoor password. Versions affected are vendor specific ...

Github Repositories

HiSilicon video encoder exploits

Simple exploit scripts for the backdoor and other vulnerabilities in video encoders based on hi3520d HiSilicon hardware: unauthenticated RTSP buffer overflow denial of service (CVE-2020-24214); full admin access via backdoor password (CVE-2020-24215); RCE via unauthenticated upload of malicious firmware (CVE-2020-24217); RCE via unauthenticated co

Recent Articles

Video encoders using Huawei chips have backdoors and bad bugs – and Chinese giant says it's not to blame
The Register • Thomas Claburn in San Francisco • 17 Sep 2020

Telecom kit maker points finger in the general direction of Middle Kingdom's complicated supply chain

Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment. In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of ...