CVE-2016-2359

9.8 CRITICAL

📋 TL;DR

Milesight IP security cameras contain an authentication bypass vulnerability that allows remote attackers to access protected resources without credentials by simultaneously requesting an unprotected vb.htm resource. This affects Milesight IP security cameras manufactured through November 14, 2016. Attackers can gain unauthorized access to camera feeds and administrative functions.

💻 Affected Systems

Products:
  • Milesight IP security cameras
Versions: All versions through 2016-11-14
Operating Systems: Embedded camera firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects cameras with web interface enabled. The vulnerability is in the authentication mechanism of the web management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of camera system allowing unauthorized video surveillance, camera manipulation, and potential network pivoting to internal systems.

🟠 Likely Case

Unauthorized access to live camera feeds, recorded footage, and camera configuration settings.

🟢 If Mitigated

Limited impact if cameras are isolated on separate VLANs with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Directly exposed cameras can be exploited by any internet-connected attacker without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to bypass camera security controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simultaneous requests to protected and unprotected resources, but tools exist to automate this. Public demonstrations show successful exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware after 2016-11-14

Vendor Advisory: No official vendor advisory found in references

Restart Required: Yes

Instructions:

1. Check current firmware version.
2. Download latest firmware from Milesight support.
3. Upload firmware via web interface.
4. Reboot camera after update completes.

🔧 Temporary Workarounds

Network segmentation

Isolate cameras on a separate VLAN with strict firewall rules blocking external access to the camera web interface.

Disable web interface

Disable the HTTP/HTTPS web management interface if it is not required for operations.

🧯 If You Can't Patch

  • Place cameras behind a VPN with strict authentication requirements
  • Implement network monitoring for unusual access patterns to camera web interfaces

🔍 How to Verify

Check if Vulnerable:

Test by making simultaneous requests to a protected resource and the vb.htm endpoint. If the protected resource returns data without authentication, the system is vulnerable.

Check Version:

Check firmware version in camera web interface under System > Information or via SNMP if enabled.

Verify Fix Applied:

Attempt the same simultaneous request test after patching. Protected resources should require proper authentication.

📡 Detection & Monitoring

Log Indicators:

  • Multiple simultaneous requests from same IP to /vb.htm and protected endpoints
  • Access to protected resources without prior authentication logs

Network Indicators:

  • Unusual spike in HTTP requests to camera IPs
  • Requests to /vb.htm followed immediately by access to protected resources

SIEM Query:

dest_ip="CAMERA_IP" AND (uri="/vb.htm" OR uri="/protected_resource") | stats count by source_ip, uri
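
The log indicators above can also be checked offline. The following is an added example, not vendor or original-page code: it assumes the camera sits behind a reverse proxy writing Common Log Format lines, and the `/protected_resource` path, addresses and timestamps are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Assumption: the camera sits behind a proxy that writes Common Log Format
# lines; the addresses, paths and timestamps below are constructed samples.
SAMPLE_LOG = """\
192.0.2.10 - admin [14/Nov/2016:10:00:01 +0000] "GET /protected_resource HTTP/1.1" 200 512
192.0.2.10 - - [14/Nov/2016:10:00:30 +0000] "GET /vb.htm HTTP/1.1" 200 40
198.51.100.7 - - [14/Nov/2016:10:05:00 +0000] "GET /vb.htm HTTP/1.1" 200 40
198.51.100.7 - - [14/Nov/2016:10:05:00 +0000] "GET /protected_resource HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2016:10:05:01 +0000] "GET /vb.htm?x=1 HTTP/1.1" 200 40
203.0.113.5 - - [14/Nov/2016:10:06:00 +0000] "GET /protected_resource HTTP/1.1" 401 0
203.0.113.5 - - [14/Nov/2016:10:06:00 +0000] "GET /vb.htm HTTP/1.1" 200 40
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(log_text):
    """Yield (ip, user, timestamp, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["uri"].split("?", 1)[0]  # ignore the query string
        yield m["ip"], m["user"], ts, path, int(m["status"])

def find_suspect_access(log_text, window_seconds=2):
    """Return unauthenticated 2xx hits on non-vb.htm paths that occur within
    window_seconds of a /vb.htm request from the same client address."""
    events = list(parse(log_text))
    window = timedelta(seconds=window_seconds)
    vb_times = {}
    for ip, _, ts, path, _ in events:
        if path == "/vb.htm":
            vb_times.setdefault(ip, []).append(ts)
    hits = []
    for ip, user, ts, path, status in events:
        if path == "/vb.htm" or user != "-" or not 200 <= status < 300:
            continue  # only successful, unauthenticated, non-vb.htm requests
        if any(abs(ts - t) <= window for t in vb_times.get(ip, [])):
            hits.append((ip, path, ts.isoformat()))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_access(SAMPLE_LOG):
        print(hit)
```

Resources that are legitimately served without login, such as a login page or static assets, will also match; filter the results to paths that should require authentication on your camera model.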
