CVE-2020-11925

8.8 HIGH

📋 TL;DR

This vulnerability affects Luvion Grand Elite 3 Connect baby monitors where all devices share the same hardcoded root credentials. Attackers can gain administrative access to the device, potentially compromising video feeds and device control. All users of this specific baby monitor model are affected.

💻 Affected Systems

Products:
  • Luvion Grand Elite 3 Connect
Versions: All versions through 2020-02-25
Operating Systems: Embedded device firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices of this model share identical root credentials by design.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to view live video feeds, listen to audio, control device functions, and potentially pivot to other network devices.

🟠

Likely Case

Unauthorized access to baby monitor feeds and device settings, compromising privacy and potentially enabling harassment or surveillance.

🟢

If Mitigated

Limited impact if device is isolated from internet and other network segments, though local network access could still be compromised.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked using known credentials.
🏢 Internal Only: MEDIUM - Attackers on the local network can exploit this, but requires initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only knowledge of the shared credentials, which are publicly documented in security disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Contact manufacturer for updated firmware or replacement options.

🔧 Temporary Workarounds

Network Isolation (scope: all)

Place the device on an isolated network segment with no internet access.

Firewall Restrictions (scope: all)

Block all inbound connections to the device from untrusted networks.

🧯 If You Can't Patch

  • Replace affected devices with models that support unique credentials
  • Disconnect devices from networks entirely and use only in local-only mode if supported

🔍 How to Verify

Check if Vulnerable:

Check device model and firmware version. If it's Luvion Grand Elite 3 Connect with firmware dated 2020-02-25 or earlier, it's vulnerable.

Check Version:

Check device web interface or documentation for firmware version

Verify Fix Applied:

No fix available to verify. Only complete device replacement resolves this vulnerability.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful root login
  • Unusual access patterns to device administration interface

Network Indicators:

  • External IP addresses accessing device administration ports
  • Traffic to/from device on non-standard ports

SIEM Query:

source_ip=external AND dest_port=80,443,8080 AND (user_agent contains 'admin' OR uri contains 'login')
