CVE-2024-35343

EUVD-2024-35291
Certain Anpviz products allow unauthenticated users to download arbitrary files from the device's filesystem via an HTTP GET request to the /playback/ URI. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8, and YM200E10 (IP Cameras) firmware v3.2.2.2 and lower and possibly more vendors/models of IP camera.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Score percentile: 58%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| anpviz | ipc-d250_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d260_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-b850_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d850_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d350_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d3150_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d4250_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d380_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d880_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d280_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ipc-d3180_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | mc800n_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ym800n_n2_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ymf50b_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ym800sv2_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ym500l8_firmware | ≤ 3.2.2.2 | ADP |
| anpviz | ym200e10_firmware | ≤ 3.2.2.2 | ADP |