CVE-2017-17107 – This vulnerability allows attackers to gain roo... (How to Fix)

Q: What is the severity of CVE-2017-17107?

CVE-2017-17107 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to gain root access to Zivif PR115-204-P-RS web cameras via TELNET using a hard-coded password 'cat1029' that cannot be changed. The SONIX operating system's design makes this password permanent, enabling complete device compromise. All users of affected camera models are vulnerable.

📋 TL;DR

This vulnerability allows attackers to gain root access to Zivif PR115-204-P-RS web cameras via TELNET using a hard-coded password 'cat1029' that cannot be changed. The SONIX operating system's design makes this password permanent, enabling complete device compromise. All users of affected camera models are vulnerable.

💻 Affected Systems

Products:

Zivif PR115-204-P-RS web camera

Versions: V2.3.4.2103

Operating Systems: SONIX operating system

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability is inherent to the SONIX OS implementation and affects all devices with this firmware version.

📦 What is this software?

Pr115 204 P Rs Firmware by Zivif

View all CVEs affecting Pr115 204 P Rs Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full root control of the camera, enabling them to disable security features, install malware, use the device as a botnet node, access video feeds, and pivot to other network devices.

🟠

Likely Case

Remote attackers exploit the hard-coded credentials to access the camera, potentially viewing or manipulating video streams, changing device settings, and using it for further attacks.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the camera device itself without allowing lateral movement to other systems.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked via TELNET without authentication, leading to immediate compromise.

🏢 Internal Only: MEDIUM - Internal attackers or malware with network access can exploit this, but requires some level of network access to reach the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only TELNET access and knowledge of the hard-coded password 'cat1029'. Public exploit code and detailed instructions are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider replacing affected devices with models from vendors that provide security updates.

🔧 Temporary Workarounds

Disable TELNET service

linux

Remove or disable the TELNET service to prevent remote exploitation of the hard-coded credentials.

telnetd -l /bin/sh &
killall telnetd
rm /usr/sbin/telnetd

Network segmentation and firewall rules

all

Isolate cameras on separate VLANs and block all inbound TELNET traffic (port 23) to camera devices.

iptables -A INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

Physically disconnect cameras from networks or place them behind strict firewalls with no inbound internet access
Replace affected cameras with models from vendors that provide security updates and patch support

🔍 How to Verify

Check if Vulnerable:

Attempt TELNET connection to camera on port 23 and use username 'root' with password 'cat1029'. If login succeeds, device is vulnerable.

Check Version:

Check device web interface or use command: cat /proc/version

Verify Fix Applied:

After applying workarounds, attempt TELNET connection should fail or service should be unavailable.

📡 Detection & Monitoring

Log Indicators:

Failed or successful TELNET authentication attempts
Unusual root login activity
TELNET service restart logs

Network Indicators:

TELNET traffic (port 23) to camera devices
Unusual outbound connections from camera devices

SIEM Query:

source_port=23 OR destination_port=23 AND (event_type="authentication" OR event_type="login")

📊 Metadata

CVE ID: CVE-2017-17107

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: December 19, 2017

Last Updated: April 20, 2025

🔗 References

http://packetstormsecurity.com/files/145386/Zivif-PR115-204-P-RS-2.3.4.2103-Bypass-Command-Injection-Hardcoded-Password.html Exploit,Third Party Advisory,VDB Entry
http://seclists.org/fulldisclosure/2017/Dec/42 Exploit,Mailing List,Third Party Advisory
https://twitter.com/silascutler/status/938052460328968192 Third Party Advisory
http://packetstormsecurity.com/files/145386/Zivif-PR115-204-P-RS-2.3.4.2103-Bypass-Command-Injection-Hardcoded-Password.html Exploit,Third Party Advisory,VDB Entry
http://seclists.org/fulldisclosure/2017/Dec/42 Exploit,Mailing List,Third Party Advisory
https://twitter.com/silascutler/status/938052460328968192 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-17107, you might also want to check these: