CVE-2018-6294

9.8 CRITICAL

📋 TL;DR

CVE-2018-6294 is a critical authentication bypass vulnerability in Hanwha Techwin Smartcams that allows unauthenticated attackers to perform firmware updates. This enables complete device takeover, remote code execution, and persistent backdoor installation. All users of affected Hanwha smart cameras with vulnerable firmware versions are at risk.

💻 Affected Systems

Products:
  • Hanwha Techwin Smartcams (various models)
Versions: Specific vulnerable firmware versions not publicly documented, but pre-2018 firmware likely affected
Operating Systems: Embedded camera firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable as the firmware update mechanism lacks proper authentication by design.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install malicious firmware, gain persistent remote access, disable cameras, exfiltrate video feeds, and use devices as network pivots for lateral movement.

🟠 Likely Case

Attackers install backdoored firmware to gain persistent remote access, disable security monitoring, and potentially access video feeds from compromised cameras.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to camera compromise without lateral movement to other systems.

🌐 Internet-Facing: HIGH - Directly internet-exposed cameras can be compromised without authentication from anywhere.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable without authentication once network access is obtained.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to camera but no authentication. Attack tools for similar camera vulnerabilities are widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates released by Hanwha Techwin in 2018

Vendor Advisory: https://www.hanwhavision.com/support/security-notice/

Restart Required: Yes

Instructions:

1. Identify camera model and current firmware version.
2. Download latest firmware from Hanwha Techwin support portal.
3. Upload firmware via web interface.
4. Camera will reboot automatically after update.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLAN with strict firewall rules blocking all inbound traffic except from management systems.

Access Control Lists

all

Implement IP-based restrictions to only allow firmware updates from authorized management systems.

🧯 If You Can't Patch

  • Remove cameras from internet exposure immediately
  • Implement strict network segmentation with firewall rules blocking all unnecessary traffic to cameras

🔍 How to Verify

Check if Vulnerable:

Check if camera firmware version is older than 2018 releases. Attempt to access firmware update endpoint without authentication.

Check Version:

Access camera web interface and navigate to System > Information or similar menu to view firmware version.

Verify Fix Applied:

Verify firmware version is updated to 2018 or later release. Test that firmware update endpoint requires authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to firmware update endpoints
  • Unexpected firmware update activity
  • Multiple failed authentication attempts followed by successful firmware upload

Network Indicators:

  • HTTP POST requests to firmware update endpoints from unauthorized IPs
  • Unusual outbound traffic from cameras
  • Firmware download from unexpected sources

SIEM Query:

source="camera_logs" AND (uri="/cgi-bin/firmware.cgi" OR uri="/cgi-bin/update.cgi") AND NOT src_ip IN [authorized_management_ips]
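
The log and network indicators above, applied to web-access log lines, as an added example (not code from the vendor or from this page's source). The URI paths are the ones in the SIEM query above; the log line format, the IP addresses and the failed-auth threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# URI paths taken from the SIEM query above; confirm them for your camera model.
UPDATE_URIS = {"/cgi-bin/firmware.cgi", "/cgi-bin/update.cgi"}
# Assumption: management hosts allowed to push firmware (constructed address).
AUTHORIZED_MGMT_IPS = {"10.20.0.5"}
FAILED_AUTH_THRESHOLD = 3  # assumption: 401s from one source before an upload

# Assumed log format: "<timestamp> <src_ip> <method> <uri> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 10.20.0.5 POST /cgi-bin/firmware.cgi 200
2018-03-01T10:05:12Z 192.0.2.44 GET /index.html 401
2018-03-01T10:05:13Z 192.0.2.44 GET /index.html 401
2018-03-01T10:05:14Z 192.0.2.44 GET /index.html 401
2018-03-01T10:05:20Z 192.0.2.44 POST /cgi-bin/update.cgi 200
2018-03-01T11:30:00Z 198.51.100.7 POST /cgi-bin/firmware.cgi 200
2018-03-01T11:31:00Z 10.20.0.9 GET /cgi-bin/firmware.cgi 401
"""

def find_suspicious_updates(log_text):
    """Return alerts for firmware-update POSTs from non-management sources."""
    failed_auth = defaultdict(int)  # running count of 401 responses per source
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, method, uri, status = m.groups()
        path = uri.split("?", 1)[0]  # ignore any query string when matching
        if status == "401":
            failed_auth[src] += 1
        if method == "POST" and path in UPDATE_URIS and src not in AUTHORIZED_MGMT_IPS:
            reasons = ["update POST from unauthorized IP"]
            if status.startswith("2") and failed_auth[src] >= FAILED_AUTH_THRESHOLD:
                reasons.append("successful upload after repeated failed auth")
            alerts.append({"time": ts, "src_ip": src, "uri": path,
                           "status": status, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_updates(SAMPLE_LOG):
        print(alert)
```
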
