CVE-2025-66052
📋 TL;DR
Vivotek IP7137 cameras with vulnerable firmware allow authenticated attackers to execute arbitrary system commands via command injection in the system_ntpIt parameter. This affects all firmware versions of the IP7137 camera, which has reached end-of-life and won't receive patches. Attackers can gain full system control if administrative credentials are compromised.
💻 Affected Systems
- Vivotek IP7137 network camera
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to install persistent malware, pivot to internal networks, disable the camera, or use it for botnet activities.
Likely Case
Attackers with default or compromised admin credentials execute commands to disrupt camera functionality, exfiltrate video feeds, or use the device for scanning/internal attacks.
If Mitigated
Exposure is limited to authenticated users holding strong credentials, and isolated network segments prevent lateral movement.
🎯 Exploit Status
Requires admin credentials, but default credentials are often unchanged. Simple curl/POST request with command injection payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: None
Restart Required: No
Instructions:
No official patch available due to product End-of-Life status.
🔧 Temporary Workarounds
Network segmentation and access control
Isolate cameras in a separate VLAN and restrict administrative access to specific IPs.
Change default credentials
Set strong, unique admin passwords to prevent credential-based attacks.
🧯 If You Can't Patch
- Immediately replace with supported camera models
- Deploy network-based IPS rules to block requests to /cgi-bin/admin/setparam.cgi with suspicious parameters
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface or attempt to access /cgi-bin/admin/setparam.cgi endpoint.
Check Version:
Check camera web interface under System > Information or via HTTP request to device.
Verify Fix Applied:
No fix available to verify. Mitigation verification: confirm strong passwords, network segmentation, and access controls.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /cgi-bin/admin/setparam.cgi with system_ntpIt parameter containing shell metacharacters
- Unusual command execution in camera logs
Network Indicators:
- HTTP traffic to camera on port 80/443 with injection payloads in POST data
- Outbound connections from camera to unexpected destinations
SIEM Query:
source="camera_logs" AND uri_path="/cgi-bin/admin/setparam.cgi" AND (param="system_ntpIt" AND value MATCHES "[;|&`$()]+")
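The log indicators and SIEM query above, turned into a small detector as an added example (not code from the advisory or the vendor): it parses constructed access-log lines in an assumed CLF-like format with the POST body appended, percent-decodes the body the way the CGI would, and flags system_ntpIt values containing shell metacharacters, which also catches encoded forms such as %3B that a raw-text match on the request would miss.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (assumed format: CLF fields plus body="..."); the
# text after the metacharacters is a placeholder, not a real command.
SAMPLE_LOG = """\
10.0.1.20 - admin [12/Jan/2025:10:01:02 +0000] "POST /cgi-bin/admin/setparam.cgi HTTP/1.1" 200 body="system_ntpIt=pool.ntp.org&system_hostname=cam01"
10.0.1.77 - admin [12/Jan/2025:10:05:10 +0000] "POST /cgi-bin/admin/setparam.cgi HTTP/1.1" 200 body="system_ntpIt=pool.ntp.org%3BPLACEHOLDER"
10.0.1.20 - - [12/Jan/2025:10:06:00 +0000] "GET /cgi-bin/viewer/video.jpg HTTP/1.1" 200 body=""
10.0.1.77 - admin [12/Jan/2025:10:07:45 +0000] "POST /cgi-bin/admin/setparam.cgi HTTP/1.1" 200 body="system_ntpIt=$(PLACEHOLDER)"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)
TARGET_PATH = "/cgi-bin/admin/setparam.cgi"
SUSPECT_PARAM = "system_ntpIt"
# Same metacharacter class as the SIEM query, plus newline (also a command separator).
META = re.compile(r"[;|&`$()\n]")


def find_injection_attempts(log_text):
    """Return one record per POST to setparam.cgi whose system_ntpIt value
    contains a shell metacharacter after percent-decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently match
        if m["method"] != "POST" or urlsplit(m["target"]).path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so %3B is seen as ';' just as the CGI sees it
        params = parse_qs(m["body"], keep_blank_values=True)
        for value in params.get(SUSPECT_PARAM, []):
            if META.search(value):
                hits.append({"src": m["src"], "user": m["user"], "ts": m["ts"], "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} user={hit['user']} system_ntpIt={hit['value']!r}")
```

Ship the hits to the SIEM as a single alert per source and user rather than per line, since a real probe tends to produce a burst of requests.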