The E11, a popular smart intercom and videophone from Chinese company Akuvox, contains more than a dozen flaws, including a critical bug that allows unauthenticated remote code execution (RCE). Malicious actors could use these to gain access to an organization’s network, steal photos or video captured by the device, control the camera and microphone, and even lock and unlock doors.
The flaws were discovered and highlighted by Claroty’s Team82, a security firm that became aware of the device’s flaws when they moved into an office where the E11 was already installed. Team82 members’ interest in the device grew into a full-fledged investigation as they discovered 13 vulnerabilities, which they classified into three categories based on the attack vector used.
The first two types can occur via RCE within a local area network or through remote activation of the E11’s camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector focuses on gaining access to an external, insecure file transfer protocol (FTP) server, which allows the actor to download stored images and data.
The Akuvox 311 contains a critical RCE bug
One critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be acc
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: