CVE-2025-63296

6.5 MEDIUM

📋 TL;DR

This vulnerability allows arbitrary code execution as root on KERUI K259 5MP Wi-Fi/Tuya Smart Security Cameras. During startup, the camera automatically executes scripts from mounted TF/SD cards without authentication. Anyone using affected camera firmware versions is vulnerable to complete device compromise.

💻 Affected Systems

Products:
  • KERUI K259 5MP Wi-Fi Smart Security Camera
  • Tuya Smart Security Camera (KERUI K259 variant)
Versions: v33.53.87
Operating Systems: Embedded Linux (Anyka platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default firmware configuration; requires TF/SD card slot access for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device takeover with persistent root access, enabling surveillance interception, network pivoting, or botnet recruitment.

🟠 Likely Case

Local attacker with physical access to SD card slot gains root shell, potentially installing backdoors or modifying camera functionality.

🟢 If Mitigated

With proper physical security and no external storage access, risk is limited to authorized users with SD card access.

🌐 Internet-Facing: LOW - Exploitation requires physical access to insert SD card or network access to mount remote storage (if supported).
🏢 Internal Only: MEDIUM - Physical access to camera SD slot enables exploitation; insider threat or compromised maintenance personnel could exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available; requires physical SD card insertion or ability to mount malicious storage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates
2. If update available, download from official source
3. Follow vendor flashing instructions
4. Verify /usr/sbin/anyka_service.sh no longer executes /mnt/update.nor.sh

🔧 Temporary Workarounds

Disable SD Card Auto-execution (linux)

Modify the startup script to remove automatic execution of update.nor.sh:

sed -i '/update\.nor\.sh/d' /usr/sbin/anyka_service.sh

Physical SD Card Slot Protection (all)

Apply tamper-evident seal or lock to prevent unauthorized SD card insertion

🧯 If You Can't Patch

  • Physically disable or block SD/TF card slot with epoxy or physical barrier
  • Place cameras in secure locations with restricted physical access

🔍 How to Verify

Check if Vulnerable:

Check if /usr/sbin/anyka_service.sh contains references to update.nor.sh: grep -n 'update\.nor\.sh' /usr/sbin/anyka_service.sh

Check Version:

Check firmware version in web interface or run: cat /etc/version

Verify Fix Applied:

Verify that the grep command returns no results, then test with a benign update.nor.sh script on an SD card.
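
The verification steps above as one repeatable check (an added example, not vendor or researcher code). The function names and exit codes are conventions of this example, and pointing it at an unpacked firmware directory instead of / is an assumption; commented-out references are ignored, and the script is syntax-checked because deleting lines by pattern can leave an unbalanced if/fi.

```shell
#!/bin/sh
# Audit a firmware root for the SD-card autorun hook named in this advisory.
# ROOT is "/" on a live camera shell, or the directory of an unpacked
# firmware image (assumption of this example).

HOOK='update\.nor\.sh'                 # script name from the advisory (grep BRE)
STARTUP='usr/sbin/anyka_service.sh'    # startup script from the advisory

# Print active (non-comment) lines of file $1 that reference the hook.
active_hook_lines() {
    # Number lines first so the report matches the real file, then drop
    # lines whose first non-blank character is '#'.
    grep -n "$HOOK" "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Exit status: 0 = no active reference and script parses
#              1 = hook still referenced
#              2 = startup script not found (nothing can be concluded)
#              3 = hook gone but script no longer parses
check_autorun() {
    root=${1:-/}
    script="${root%/}/$STARTUP"
    if [ ! -f "$script" ]; then
        echo "UNKNOWN: $script not found" >&2
        return 2
    fi
    hits=$(active_hook_lines "$script") || true
    if [ -n "$hits" ]; then
        echo "VULNERABLE: $script references update.nor.sh:"
        echo "$hits"
        return 1
    fi
    # Confirm the edited script still parses so services start after reboot.
    if ! sh -n "$script" 2>/dev/null; then
        echo "BROKEN: $script fails sh -n" >&2
        return 3
    fi
    echo "OK: no active reference to update.nor.sh in $script"
    return 0
}
```

Run check_autorun / on the device, or check_autorun followed by the path of an unpacked image; keep a copy of the original anyka_service.sh before applying the sed workaround so a result of 3 can be rolled back.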

📡 Detection & Monitoring

Log Indicators:

  • Execution of /tmp/net.sh
  • Mounting of external storage during boot
  • Unexpected root shell activity

Network Indicators:

  • Unusual outbound connections from camera
  • Unexpected network services running

SIEM Query:

process.name:"/tmp/net.sh" OR file.path:"/mnt/update.nor.sh"
