CVE-2018-7228
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms on Schneider Electric Pelco Sarix Professional cameras, granting them administrator privileges. All organizations using these cameras with firmware versions prior to 3.29.67 are affected. Attackers can gain complete control over the devices without any credentials.
💻 Affected Systems
- Schneider Electric Pelco Sarix Professional cameras
📦 What is this software?
Ibp1110 1er Firmware by Schneider Electric
Ibp219 1er Firmware by Schneider Electric
Ibp319 1er Firmware by Schneider Electric
Ibp519 1er Firmware by Schneider Electric
Ibps110 1er Firmware by Schneider Electric
Imp1110 1 Firmware by Schneider Electric
Imp1110 1e Firmware by Schneider Electric
Imp1110 1er Firmware by Schneider Electric
Imp219 1 Firmware by Schneider Electric
Imp219 1e Firmware by Schneider Electric
Imp219 1er Firmware by Schneider Electric
Imp319 1 Firmware by Schneider Electric
Imp319 1e Firmware by Schneider Electric
Imp319 1er Firmware by Schneider Electric
Imp519 1 Firmware by Schneider Electric
Imp519 1e Firmware by Schneider Electric
Imp519 1er Firmware by Schneider Electric
Imps110 1e Firmware by Schneider Electric
Imps110 1er Firmware by Schneider Electric
Mps110 1 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of camera systems allowing attackers to disable surveillance, manipulate video feeds, pivot to internal networks, or use cameras as footholds for further attacks.
Likely Case
Attackers gain administrative access to cameras, enabling them to view live feeds, modify settings, disable recording, or install malicious firmware.
If Mitigated
With proper network segmentation and access controls, impact is limited to camera systems only, preventing lateral movement to critical infrastructure.
🎯 Exploit Status
Authentication bypass vulnerabilities are typically easy to exploit with publicly available tools. The high CVSS score indicates trivial exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.29.67 or later
Vendor Advisory: https://www.schneider-electric.com/en/download/document/SEVD-2018-058-01/
Restart Required: Yes
Instructions:
1. Download firmware version 3.29.67 or later from Schneider Electric portal. 2. Access camera web interface. 3. Navigate to Maintenance > Firmware Upgrade. 4. Upload new firmware file. 5. Wait for automatic reboot and verification.
🔧 Temporary Workarounds
Network Segmentation
allIsolate cameras on separate VLAN with strict firewall rules preventing external access to management interfaces.
Access Control Lists
allImplement IP-based restrictions allowing only authorized management stations to access camera web interfaces.
🧯 If You Can't Patch
- Segment cameras on isolated network with no internet access
- Implement strict firewall rules blocking all external access to camera management ports (typically 80, 443, 554)
🔍 How to Verify
Check if Vulnerable:
Check firmware version via camera web interface: Login > Maintenance > System Information. Compare version against 3.29.67.Check Version:
No CLI command - check via web interface at http://[camera-ip]/ or via ONVIF device management toolsVerify Fix Applied:
After upgrade, verify firmware version shows 3.29.67 or higher in System Information page.📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful admin access from same IP
- Configuration changes from unauthenticated IP addresses
- Firmware update attempts from unauthorized sources
Network Indicators:
- HTTP/HTTPS requests to camera management interface without authentication headers
- Unusual traffic patterns to camera ports from external IPs
- ONVIF protocol abuse attempts
SIEM Query:
source_ip="external" AND dest_port IN (80,443,554) AND dest_ip="camera_subnet" AND (http_status=200 OR auth_success=true)