CVE-2023-30352 – This vulnerability allows attackers to access t... (How to Fix)

Q: What is the severity of CVE-2023-30352?

CVE-2023-30352 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to access the RTSP video feed of Tenda CP3 IP cameras using a hard-coded default password. Anyone using the affected camera model with the vulnerable firmware version is at risk of unauthorized video surveillance.

📋 TL;DR

This vulnerability allows attackers to access the RTSP video feed of Tenda CP3 IP cameras using a hard-coded default password. Anyone using the affected camera model with the vulnerable firmware version is at risk of unauthorized video surveillance.

💻 Affected Systems

Products:

Tenda CP3 IP Camera

Versions: V11.10.00.2211041355

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All cameras with this firmware version are vulnerable out-of-the-box. The hard-coded password cannot be changed by users.

📦 What is this software?

Cp3 Firmware by Tenda

View all CVEs affecting Cp3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of video surveillance system allowing attackers to monitor private spaces, potentially leading to physical security breaches, blackmail, or intelligence gathering.

🟠

Likely Case

Unauthorized access to live video feeds enabling privacy violations, reconnaissance of physical spaces, and potential integration into botnets for DDoS attacks.

🟢

If Mitigated

Limited impact if cameras are on isolated networks with proper segmentation and access controls preventing external connections.

🌐 Internet-Facing: HIGH - Cameras exposed to the internet can be directly accessed by attackers worldwide using the known credentials.

🏢 Internal Only: MEDIUM - Internal attackers or malware could still access feeds, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only knowledge of the hard-coded password and network access to the camera's RTSP service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact Tenda support for firmware updates or replacement options.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLANs with strict firewall rules preventing external access to RTSP port (default 554).

RTSP Authentication Proxy

linux

Implement a reverse proxy that adds authentication before allowing RTSP connections to cameras.

🧯 If You Can't Patch

Physically disconnect cameras from networks and use only for local recording
Replace affected cameras with models from vendors that support password changes

🔍 How to Verify

Check if Vulnerable:

Attempt to access RTSP feed using default credentials: rtsp://camera_ip:554/stream1 with username 'admin' and default password (check references for exact password).

Check Version:

Check camera web interface or use nmap to identify firmware version

Verify Fix Applied:

Verify RTSP feed cannot be accessed with default credentials after implementing workarounds.

📡 Detection & Monitoring

Log Indicators:

Multiple failed RTSP authentication attempts followed by successful access
Unusual RTSP stream requests from unexpected IP addresses

Network Indicators:

RTSP traffic to/from unexpected external IPs
Port 554 scans from unknown sources

SIEM Query:

source_port=554 AND (event_type="authentication_success" OR bytes_transferred>threshold)

📊 Metadata

CVE ID: CVE-2023-30352

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: May 10, 2023

Last Updated: January 27, 2025

🔗 References

https://github.com/SECloudUNIMORE/ACES/blob/master/Tenda/CP3/tmp_RTSPa.md Third Party Advisory
https://github.com/SECloudUNIMORE/ACES/blob/master/Tenda/CP3/tmp_RTSPa.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-30352, you might also want to check these: