CVE-2025-63408
📋 TL;DR
Local Agent DVR versions through 6.6.1.0 contain a directory traversal vulnerability that allows unauthenticated local attackers to access sensitive files, perform SSRF attacks, or execute arbitrary OS commands. This affects all systems running vulnerable versions of Agent DVR software. Attackers can exploit this without authentication from the local network.
💻 Affected Systems
- Local Agent DVR
📦 What is this software?
Agent DVR by iSpyConnect
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Information disclosure of sensitive files and potential SSRF attacks against internal services.
If Mitigated
Limited impact if proper network segmentation and access controls prevent local network access to the Agent DVR service.
🎯 Exploit Status
Detailed technical analysis and proof-of-concept code is publicly available. The vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.6.2.0 or later
Vendor Advisory: https://ispysoftware.github.io/Agent_API/
Restart Required: Yes
Instructions:
1. Download the latest version from the official Agent DVR website.
2. Stop the Agent DVR service.
3. Install the update.
4. Restart the service.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the Agent DVR service to trusted hosts only
# Linux firewall example (allow the trusted host, then drop everyone else on the service port; an ACCEPT rule alone restricts nothing):
sudo iptables -A INPUT -p tcp --dport 8090 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8090 -j DROP
# Windows firewall (inbound is blocked by default; remove any broader existing allow rule for port 8090 so only this rule applies):
New-NetFirewallRule -DisplayName 'Agent DVR Access' -Direction Inbound -LocalPort 8090 -Protocol TCP -RemoteAddress TRUSTED_IP -Action Allow
Service Binding Restriction
Configure Agent DVR to bind only to localhost or specific interfaces
# Edit Agent DVR configuration to set bind address to 127.0.0.1 or specific interface IP
🧯 If You Can't Patch
- Implement strict network access controls to prevent unauthorized access to the Agent DVR service port (default 8090)
- Deploy the Agent DVR service in an isolated network segment with no access to sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check if Agent DVR version is 6.6.1.0 or earlier. Access the web interface and check version in settings or about page.
Check Version:
# Windows: Check AgentDVR.exe properties or service details
# Linux: Check installed package version or web interface about page
Verify Fix Applied:
Verify that the Agent DVR version is 6.6.2.0 or later. Test requests containing directory traversal sequences should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Agent DVR logs
- Multiple failed directory traversal attempts
- Unexpected process execution from Agent DVR service
Network Indicators:
- Unusual outbound connections from Agent DVR host
- HTTP requests with directory traversal patterns (../, ..\) to Agent DVR port
SIEM Query:
source="agent_dvr.log" AND ("..\\" OR "../" OR "%2e%2e" OR "%252e%252e")
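The SIEM query above matches the literal encoded forms one at a time; a decoder-based check catches any encoding depth and lets you alert on repeat offenders rather than single hits. The script below is an added example for this advisory, not Agent DVR's own code or tooling. The Agent DVR log format is not documented here, so the sample lines and the "timestamp client method path status" layout are constructed assumptions; adapt the line regex to the real log.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines for this example. The real Agent DVR log
# format is not documented on the advisory page, so a generic
# "timestamp client method path status" layout is assumed here.
SAMPLE_LOG_LINES = [
    "2025-01-10 12:00:01 192.168.1.20 GET /video/live?cam=1 200",
    "2025-01-10 12:00:05 192.168.1.55 GET /files/../../etc/passwd 404",
    "2025-01-10 12:00:06 192.168.1.55 GET /files/%2e%2e/%2e%2e/windows/win.ini 404",
    "2025-01-10 12:00:07 192.168.1.55 GET /files/%252e%252e/%252e%252e/etc/shadow 404",
    r"2025-01-10 12:00:09 192.168.1.55 GET /files/..\..\config.json 404",
    "2025-01-10 12:00:12 192.168.1.20 GET /api/status 200",
]

# Assumed log layout: "<date> <time> <client> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
# "../" or "..\" after decoding; the raw log may carry these percent-encoded.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def normalize_path(path, max_rounds=3):
    """Percent-decode repeatedly so %252e (double-encoded) unwraps to '.'.

    Stops as soon as a round changes nothing; max_rounds bounds the work
    on pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_line(line):
    """Split one assumed-format log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "path": path, "status": int(status)}


def find_traversal(lines):
    """Return the parsed entries whose decoded path contains a traversal sequence."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        decoded = normalize_path(entry["path"])
        if TRAVERSAL_RE.search(decoded):
            entry["decoded_path"] = decoded
            findings.append(entry)
    return findings


def clients_over_threshold(findings, threshold=3):
    """Clients with at least `threshold` traversal hits: a stronger alert
    signal than one hit, which may be a noisy scanner or a typo."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return {client for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_traversal(SAMPLE_LOG_LINES)
    for h in hits:
        print(f'{h["ts"]} {h["client"]} {h["path"]} -> {h["decoded_path"]}')
    print("repeat offenders:", clients_over_threshold(hits))
```

Run it against the sample and all four requests from 192.168.1.55 are flagged, including the double-encoded one the single-pass patterns would miss once the encoding changes; the threshold function then reduces that to one client worth an alert.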