Last month, Argentinian security researcher Ezequiel Fernandez published CVE-2018-9995, a vulnerability he discovered in dozens of brands of DVR that are all based on the same white-label devices, TBK"s DVR4104 and DVR4216. With CVE-2018-9995, all you need to do is hit the URL for the embedded web-server that controls the device with this cookie header: "Cookie: uid=admin." The DVR then returns the root login and password in the clear. 55,000 devices with this vulnerability have been indexed by the Shodan search engine.
No comments:
Post a Comment