CVE-2022-31211

9.8 CRITICAL

📋 TL;DR

Infiray IRAY-A8Z3 thermal cameras have a default blank root password for TELNET, allowing attackers to gain full administrative access. This affects all devices running firmware version 1.0.957 with default configurations. Attackers can completely compromise the device and potentially pivot to other network resources.

💻 Affected Systems

Products:
  • Infiray IRAY-A8Z3 thermal camera
Versions: 1.0.957
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with TELNET enabled (default) and using the default blank root password.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to camera manipulation, network pivoting, data exfiltration, and potential use as a foothold for broader network attacks.

🟠 Likely Case

Unauthorized access to camera controls, video feed interception, configuration changes, and device becoming part of a botnet.

🟢 If Mitigated

Limited to unsuccessful authentication attempts if proper password controls are implemented.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly compromised without authentication.
🏢 Internal Only: HIGH - Internal attackers or malware can easily exploit this default configuration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only TELNET access and knowledge of the default blank password. No special tools or skills needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

No official patch available. Contact Infiray support for firmware updates and follow workaround steps.

🔧 Temporary Workarounds

Set Strong Root Password

Platform: all

Change the default blank root password to a strong, unique password.

telnet [device_ip]
login: root
passwd
[enter new strong password]

Disable TELNET Service

Platform: linux

Turn off TELNET service if not required for operations.

telnet [device_ip]
login: root
service telnet stop
chkconfig telnet off

🧯 If You Can't Patch

  • Network segmentation: Isolate cameras in separate VLAN with strict firewall rules
  • Implement network access controls: Restrict TELNET access to management networks only

🔍 How to Verify

Check if Vulnerable:

Attempt TELNET connection to device port 23 with username 'root' and blank password. If login succeeds, device is vulnerable.

Check Version:

Check the firmware version in the web interface, or connect with telnet [device_ip] and run 'cat /etc/version' after login.

Verify Fix Applied:

Attempt TELNET login with blank password - should fail. Verify strong password is required.

📡 Detection & Monitoring

Log Indicators:

  • Successful TELNET root login with blank password
  • Multiple failed TELNET authentication attempts

Network Indicators:

  • TELNET connections to camera devices
  • Unusual outbound traffic from camera devices

SIEM Query:

destination_port:23 AND (event_type:authentication_success OR event_type:authentication_failure)
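The network indicators above can also be checked against connection records. The following is an added example, not part of the original advisory or any vendor tooling: it flags TELNET connections to cameras from outside the management network and camera-initiated traffic to unapproved destinations. The subnets, the allowlist and the flow records are constructed, and each record is assumed to describe one connection with src as the initiator.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site layout (hypothetical values, replace with your own).
CAMERA_NET = ip_network("10.20.30.0/24")        # camera VLAN
MGMT_NET = ip_network("10.20.1.0/24")           # network allowed to manage cameras
ALLOWED_OUTBOUND = {ip_address("10.20.1.10")}   # e.g. recorder/NTP host cameras may contact

# Constructed connection records (src is the initiator of each connection).
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2024-01-01T10:00:00Z,10.20.1.5,10.20.30.11,23,tcp
2024-01-01T10:02:10Z,10.20.40.77,10.20.30.11,23,tcp
2024-01-01T10:02:40Z,10.20.30.11,203.0.113.50,4444,tcp
2024-01-01T10:03:00Z,10.20.30.12,10.20.1.10,123,udp
2024-01-01T10:04:00Z,10.20.40.77,10.20.30.12,80,tcp
"""

def classify(flow):
    """Return an alert label for one connection record, or None."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    if dst in CAMERA_NET and flow["proto"] == "tcp" and int(flow["dport"]) == 23:
        # Any TELNET session to a camera is worth recording; one from
        # outside the management network violates the access restriction.
        if src in MGMT_NET:
            return "telnet-from-mgmt"
        return "telnet-from-unapproved-source"
    if src in CAMERA_NET and dst not in CAMERA_NET and dst not in ALLOWED_OUTBOUND:
        # Cameras should only initiate traffic to known hosts.
        return "unusual-camera-outbound"
    return None

def find_alerts(flow_csv):
    """Parse CSV connection records and return (ts, label, src, dst) tuples."""
    alerts = []
    for flow in csv.DictReader(io.StringIO(flow_csv)):
        label = classify(flow)
        if label:
            alerts.append((flow["ts"], label, flow["src"], flow["dst"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(*alert)
```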
