CVE-2019-12266 – A stack-based buffer overflow vulnerability in ... (How to Fix)

Q: How do I fix CVE-2019-12266?

1. Open Wyze app. 2. Go to device settings. 3. Check for firmware updates. 4. Apply update. 5. Device will restart automatically.

Q: What is the severity of CVE-2019-12266?

CVE-2019-12266 has a CVSS score of 7.6 (HIGH). A stack-based buffer overflow vulnerability in Wyze Cam devices allows attackers to execute arbitrary code on affected cameras. This affects Wyze Cam Pan v2, Cam v2, and Cam v3 models running outdated firmware. Attackers could potentially take full control of vulnerable cameras.

📋 TL;DR

A stack-based buffer overflow vulnerability in Wyze Cam devices allows attackers to execute arbitrary code on affected cameras. This affects Wyze Cam Pan v2, Cam v2, and Cam v3 models running outdated firmware. Attackers could potentially take full control of vulnerable cameras.

💻 Affected Systems

Products:

Wyze Cam Pan v2
Wyze Cam v2
Wyze Cam v3

Versions: Pan v2: <4.49.1.47, Cam v2: <4.9.8.1002, Cam v3: <4.36.8.32

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. Devices must be connected to network to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to execute arbitrary code, access camera feeds, pivot to internal networks, or use devices in botnets.

🟠

Likely Case

Remote code execution leading to unauthorized access to camera streams, device manipulation, or participation in DDoS attacks.

🟢

If Mitigated

Limited impact if devices are isolated from untrusted networks and regularly updated.

🌐 Internet-Facing: HIGH - IoT cameras are often directly internet-facing with weak authentication.

🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploit details published by Bitdefender. Buffer overflow allows code execution without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Pan v2: 4.49.1.47+, Cam v2: 4.9.8.1002+, Cam v3: 4.36.8.32+

Vendor Advisory: https://www.wyze.com/security

Restart Required: Yes

Instructions:

1. Open Wyze app. 2. Go to device settings. 3. Check for firmware updates. 4. Apply update. 5. Device will restart automatically.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLAN without internet access

Firewall Rules

all

Block all inbound traffic to cameras except from management systems

🧯 If You Can't Patch

Disconnect vulnerable cameras from network entirely
Replace vulnerable devices with updated models

🔍 How to Verify

Check if Vulnerable:

Check firmware version in Wyze app: Device Settings > Device Info > Firmware Version

Check Version:

Not applicable - check via Wyze mobile app interface only

Verify Fix Applied:

Confirm firmware version matches or exceeds patched versions listed above

📡 Detection & Monitoring

Log Indicators:

Unusual network traffic patterns
Failed authentication attempts
Unexpected device reboots

Network Indicators:

Unusual outbound connections from cameras
Traffic to known malicious IPs
Port scanning from camera IPs

SIEM Query:

source_ip IN (camera_ips) AND (protocol="tcp" AND (port=80 OR port=443) AND bytes_sent > 100MB)

📊 Metadata

CVE ID: CVE-2019-12266

CVSS v3 Score: 7.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-121

Published: March 30, 2022

Last Updated: November 21, 2024

🔗 References

https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/ Third Party Advisory
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-12266, you might also want to check these: