CVE-2017-17105

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected Zivif web cameras via command injection in CGI scripts. Attackers can remotely compromise the device without credentials, potentially taking full control. Users of Zivif PR115-204-P-RS cameras running vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Zivif PR115-204-P-RS web camera
Versions: V2.3.4.2103 through V4.7.4.2121 (including intermediate versions)
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Web interface must be enabled (default). No authentication required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent malware, pivot to internal networks, disable cameras, or use devices in botnets.

🟠 Likely Case

Camera reboot or temporary disruption, unauthorized access to video feeds, or device being added to IoT botnets.

🟢 If Mitigated

Limited impact if cameras are isolated on separate network segments with strict firewall rules.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication.
🏢 Internal Only: HIGH - Still exploitable from internal networks if cameras are accessible.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request with command injection payload. Multiple public exploit scripts available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Check vendor website for firmware updates. Consider replacing with supported devices.

🔧 Temporary Workarounds

Network Isolation (applies to: all)

Place cameras on isolated VLAN with no internet access and strict firewall rules.

Disable Web Interface (applies to: all)

Turn off web interface if not required for operation.

🧯 If You Can't Patch

  • Block all external access to camera web interface at firewall
  • Implement network segmentation to prevent lateral movement from compromised cameras

🔍 How to Verify

Check if Vulnerable:

Test with curl: curl -v 'http://[CAMERA_IP]/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot)' and then check whether the camera reboots; a reboot indicates the injected command was executed.

Check Version:

Check firmware version in web interface at http://[CAMERA_IP]/ or via device management interface

Verify Fix Applied:

Repeat the same test request; on a fixed device it should fail or return an error instead of executing the command.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /cgi-bin/iptest.cgi with unusual parameters
  • System reboot logs without authorized cause
  • Unusual command execution in system logs

Network Indicators:

  • HTTP requests containing $(...) or ; characters in URL parameters
  • Traffic to camera web interface from unexpected sources

SIEM Query:

source="web_logs" AND uri_path="/cgi-bin/iptest.cgi" AND (query="*$(*" OR query="*;*")
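The log indicators above, applied to web-server access logs, as an added example (this script is not part of the advisory). It flags requests to /cgi-bin/iptest.cgi whose percent-decoded query string contains shell metacharacters, so the URL-encoded form of $(...) is caught as well as the literal one that the SIEM wildcard matches. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access log lines (Combined Log Format); IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2017:10:01:12 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=http://example.com HTTP/1.1" 200 512
10.0.0.9 - - [01/Sep/2017:10:02:48 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=%221504225666237%22&-url=$(reboot) HTTP/1.1" 200 17
10.0.0.9 - - [01/Sep/2017:10:03:01 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-url=%24%28reboot%29 HTTP/1.1" 200 17
10.0.0.7 - - [01/Sep/2017:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [01/Sep/2017:10:04:10 +0000] "GET /cgi-bin/iptest.cgi?-url=a;reboot HTTP/1.1" 200 17
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that never belong in iptest.cgi parameters.
INJECTION_RE = re.compile(r'\$\(|`|;|\|\||&&|\n')


def is_suspicious(target: str) -> bool:
    """True if the request targets iptest.cgi and its query carries shell metacharacters.
    The query is percent-decoded first so that $( encoded as %24%28 is not missed."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/iptest.cgi":
        return False
    return bool(INJECTION_RE.search(unquote(parts.query)))


def scan_log(text: str) -> list:
    """Return one alert dict (ip, ts, decoded query) per suspicious log line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_suspicious(m["target"]):
            continue
        alerts.append({"ip": m["ip"], "ts": m["ts"],
                       "query": unquote(urlsplit(m["target"]).query)})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} iptest.cgi injection attempt: {a['query']}")
```

Repeated hits from one source, as in the sample, are the pattern worth alerting on; a single benign iptest.cgi call with a plain URL produces no alert.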
