CVE-2022-30018

8.8 HIGH

📋 TL;DR

Mobotix Control Center (MxCC) versions up to 2.5.4.5 store administrative credentials in a recoverable format in the MxCC.ini configuration file. This allows any user with access to the machine to extract passwords and gain admin access to the software, potentially compromising surveillance recordings and system control. Organizations using vulnerable MxCC versions for video management are affected.

💻 Affected Systems

Products:
  • Mobotix Control Center (MxCC)
Versions: through 2.5.4.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using the default credential storage method in MxCC.ini.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over the surveillance system, access all recordings, modify system configurations, disable security features, and potentially pivot to other systems.

🟠 Likely Case

Local users or attackers with machine access extract credentials, gain admin privileges within MxCC, and access sensitive surveillance recordings and system settings.

🟢 If Mitigated

Access is limited to authorized users with legitimate access to the system, who cannot escalate privileges or access recordings beyond their permissions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the machine where MxCC is installed to read the MxCC.ini file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

No official patch is available. Check the Mobotix vendor website for security updates and upgrade to the latest version if one is available.

🔧 Temporary Workarounds

Secure MxCC.ini File Permissions

windows

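Restrict read access to the MxCC.ini configuration file to the administrative users who need it. Adjust the path if MxCC is installed elsewhere; after this change, any non-administrative account that MxCC runs under can no longer read the file.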

icacls "C:\Program Files\MxCC\MxCC.ini" /inheritance:r /grant:r "Administrators:(F)" /grant:r "SYSTEM:(F)"

Monitor Configuration File Access

windows

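Enable auditing on the MxCC.ini file to detect unauthorized access attempts. From an elevated prompt, turn on the File System audit subcategory, then add an audit entry (SACL) for read access to the file:

auditpol /set /subcategory:"File System" /success:enable /failure:enable
powershell -Command "$a = Get-Acl -Audit 'C:\Program Files\MxCC\MxCC.ini'; $a.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone','ReadData','Success,Failure'))); Set-Acl 'C:\Program Files\MxCC\MxCC.ini' $a"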

🧯 If You Can't Patch

  • Implement strict access controls on machines running MxCC, limiting local access to authorized personnel only.
  • Regularly audit and monitor access to the MxCC.ini file and review system logs for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check whether the MxCC.ini file exists in the installation directory and contains plaintext or recoverable credentials. Review the file permissions to see whether non-admin users have read access.

Check Version:

Check the MxCC version under Help > About within the application, or review the installation directory for version information.

Verify Fix Applied:

Verify that the MxCC.ini file permissions restrict read access to administrators only and that no unauthorized users can access the file.

📡 Detection & Monitoring

Log Indicators:

  • Failed or successful attempts by non-admin users to access the MxCC.ini file
  • Unusual login activity to MxCC admin interface from new locations

Network Indicators:

  • Unexpected connections to MxCC management interface from internal IPs
  • Increased data transfer from recording storage locations

SIEM Query:

EventID=4663 AND ObjectName LIKE '%MxCC.ini%' AND Accesses='ReadData' AND SubjectUserName NOT IN ('Administrator', 'SYSTEM')
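
The query above expressed as a runnable filter, as an added example that is not part of the original page: it tests the ReadData bit of the 4663 `AccessMask` field and, as an assumption beyond the page's query, also excludes LocalSystem by its well-known SID `S-1-5-18`. All event records, SIDs, host names and process paths are constructed samples.

```python
# Added example: the page's SIEM query as a filter over Windows Security
# event 4663 records. Every event below is a constructed sample.
FILE_READ_DATA = 0x1                         # ReadData bit in the 4663 AccessMask
TARGET = "\\mxcc.ini"                        # file named on the page
ALLOWED_NAMES = {"administrator", "system"}  # accounts excluded by the page's query
ALLOWED_SIDS = {"S-1-5-18"}                  # assumption: LocalSystem by well-known SID

def is_suspicious(event):
    """True for a 4663 ReadData access to MxCC.ini by a non-allow-listed account."""
    if event.get("EventID") != 4663:
        return False
    if not event.get("ObjectName", "").lower().endswith(TARGET):
        return False
    try:
        mask = int(event.get("AccessMask", "0x0"), 16)
    except ValueError:
        return False                         # unparsable mask: not a match
    if not mask & FILE_READ_DATA:
        return False                         # e.g. ReadAttributes only (0x80)
    if event.get("SubjectUserSid") in ALLOWED_SIDS:
        return False
    return event.get("SubjectUserName", "").lower() not in ALLOWED_NAMES

def triage(events):
    """Return (user, process) for each suspicious read, in input order."""
    return [(e["SubjectUserName"], e.get("ProcessName", "?"))
            for e in events if is_suspicious(e)]

INI = r"C:\Program Files\MxCC\MxCC.ini"      # path used in the page's workaround

def ev(user, sid, obj, mask, proc):
    """Build one constructed 4663 record with the fields the filter reads."""
    return {"EventID": 4663, "SubjectUserName": user, "SubjectUserSid": sid,
            "ObjectName": obj, "AccessMask": mask, "ProcessName": proc}

SAMPLE_EVENTS = [  # constructed; SIDs, hosts and process paths are illustrative
    ev("jdoe", "S-1-5-21-1-2-3-1105", INI, "0x1", r"C:\Windows\System32\notepad.exe"),
    ev("Administrator", "S-1-5-21-1-2-3-500", INI, "0x1", r"C:\Windows\explorer.exe"),
    ev("CCTV-PC01$", "S-1-5-18", INI, "0x1", r"C:\Windows\System32\svchost.exe"),
    ev("jdoe", "S-1-5-21-1-2-3-1105", INI, "0x80", r"C:\Windows\explorer.exe"),
    ev("jdoe", "S-1-5-21-1-2-3-1105", r"C:\Users\jdoe\notes.txt", "0x1",
       r"C:\Windows\System32\notepad.exe"),
    ev("operator1", "S-1-5-21-1-2-3-1106", INI.upper(), "0x3", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for user, proc in triage(SAMPLE_EVENTS):
        print(f"ALERT MxCC.ini read by {user} via {proc}")
```

A filter on `SubjectUserName` alone would flag the third constructed sample, which carries a machine account name with the LocalSystem SID.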
